Windows Analysis Report
hesaphareketi_1.scr.exe

Overview

General Information

Sample name: hesaphareketi_1.scr.exe
Analysis ID: 1430777
MD5: 39c348d66f448c5dfd2ce92756a2af10
SHA1: 0e236d48df2f56db7c292c402c48e098c5526639
SHA256: 3a9444944c737900563b16dab76e19bcd2c52f1d3b35e258d581b523586ae828
Tags: AgentTesla, exe, geo, scr, TUR

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • hesaphareketi_1.scr.exe (PID: 4276 cmdline: "C:\Users\user\Desktop\hesaphareketi_1.scr.exe" MD5: 39C348D66F448C5DFD2CE92756A2AF10)
    • powershell.exe (PID: 3956 cmdline: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi_1.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • hesaphareketi_1.scr.exe (PID: 1988 cmdline: "C:\Users\user\Desktop\hesaphareketi_1.scr.exe" MD5: 39C348D66F448C5DFD2CE92756A2AF10)
  • svchost.exe (PID: 1152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cbsBVT.exe (PID: 4152 cmdline: "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" MD5: 39C348D66F448C5DFD2CE92756A2AF10)
    • powershell.exe (PID: 4276 cmdline: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cbsBVT.exe (PID: 4640 cmdline: "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" MD5: 39C348D66F448C5DFD2CE92756A2AF10)
    • cbsBVT.exe (PID: 5296 cmdline: "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" MD5: 39C348D66F448C5DFD2CE92756A2AF10)
  • cbsBVT.exe (PID: 5704 cmdline: "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" MD5: 39C348D66F448C5DFD2CE92756A2AF10)
    • powershell.exe (PID: 2684 cmdline: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cbsBVT.exe (PID: 2300 cmdline: "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" MD5: 39C348D66F448C5DFD2CE92756A2AF10)
    • cbsBVT.exe (PID: 1372 cmdline: "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" MD5: 39C348D66F448C5DFD2CE92756A2AF10)
    • cbsBVT.exe (PID: 3040 cmdline: "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe" MD5: 39C348D66F448C5DFD2CE92756A2AF10)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "business29.web-hosting.com", "Username": "admin@purchase.boats", "Password": "Esupofo234@"}
Source: 0000000B.00000002.1662306646.000000000319C000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000013.00000002.2639565652.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000000B.00000002.1662306646.0000000003171000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 11.2.cbsBVT.exe.400000.0.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 11.2.cbsBVT.exe.400000.0.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 11.2.cbsBVT.exe.400000.0.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID; Description: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen; Strings:
  • 0x33e3f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33eb1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33f3b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33fcd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x34037:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x340a9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3413f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x341cf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security

System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\hesaphareketi_1.scr.exe, ProcessId: 1988, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbsBVT
Source: Network Connection; Author: frack113; Data: DestinationIp: 198.54.114.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\hesaphareketi_1.scr.exe, Initiated: true, ProcessId: 1988, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49709
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi_1.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi_1.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi_1.scr.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi_1.scr.exe, ParentProcessId: 4276, ParentProcessName: hesaphareketi_1.scr.exe, ProcessCommandLine: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi_1.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', ProcessId: 3956, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1152, ProcessName: svchost.exe
No Snort rule has matched

AV Detection

Source: hesaphareketi_1.scr.exe; Avira: detected
Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe; Avira: detection malicious, Label: HEUR/AGEN.1309721
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "business29.web-hosting.com", "Username": "admin@purchase.boats", "Password": "Esupofo234@"}
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe; ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe; Virustotal: Detection: 38%
Source: hesaphareketi_1.scr.exe; ReversingLabs: Detection: 52%
Source: hesaphareketi_1.scr.exe; Virustotal: Detection: 38%
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe; Joe Sandbox ML: detected
Source: hesaphareketi_1.scr.exe; Joe Sandbox ML: detected
Source: hesaphareketi_1.scr.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: hesaphareketi_1.scr.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb; source: hesaphareketi_1.scr.exe, 00000000.00000002.1400527379.0000000005C20000.00000004.08000000.00040000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000000.00000002.1396824751.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000006.00000002.1576509993.0000000003031000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000E.00000002.1661164916.0000000002A23000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb{+Ll0; source: powershell.exe, 0000000F.00000002.1710961806.000000000867F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbst.resources.dll; source: powershell.exe, 00000007.00000002.1584908607.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb/:; source: powershell.exe, 0000000F.00000002.1703052636.0000000007789000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb; source: powershell.exe, 00000002.00000002.1409770708.00000000028E9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1603996918.000000000762C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb; source: powershell.exe, 00000002.00000002.1422525987.000000000807F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1608334741.000000000861A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb; source: powershell.exe, 00000007.00000002.1607940683.00000000085D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb; source: powershell.exe, 0000000F.00000002.1703052636.00000000077EA000.00000004.00000020.00020000.00000000.sdmp
Source: global traffic; TCP traffic: 192.168.2.8:49709 -> 198.54.114.199:587
Source: Joe Sandbox View; IP Address: 104.26.13.205
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: api.ipify.org
Source: global traffic; HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; DNS traffic detected: queries for: api.ipify.org
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000319C000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://business29.web-hosting.com
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2669457268.0000000006A9B000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680523743.0000000006700000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2639002089.0000026D5AA00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1584908607.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2666704343.000000000683F000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.1419457757.0000000007054000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mi?
Source: cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microj
Source: svchost.exe, 00000005.00000002.2639002089.0000026D5AA00000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: qmgr.db.5.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.1411676726.0000000004BAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000005214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.00000000056B3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://go.micros
Source: powershell.exe, 00000002.00000002.1416322622.00000000054D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1599751140.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2669457268.0000000006A9B000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680523743.0000000006700000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.sectigo.com0-
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1411676726.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000004C22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1411676726.0000000004471000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.0000000003141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000312C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1411676726.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000004C22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000002.00000002.1411676726.0000000004471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.0000000004F71000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.0000000003141000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000312C000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.0000000003141000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000312C000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.0000000003141000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000312C000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: edb.log.5.dr; String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000005.00000003.1397280494.0000026D5AC20000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000000.00000002.1400665428.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp; String found in binary or memory: https://github.com/sam210723/goesrecv-monitor/releases/latest
Source: powershell.exe, 00000002.00000002.1416322622.00000000054D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1599751140.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://sectigo.com/CPS0
                    Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000000.00000002.1400665428.0000000005DB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://vksdr.com/goesrecv-monitor
                    Source: hesaphareketi_1.scr.exe, 00000000.00000002.1395292629.0000000001623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wdcp.mi
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49707 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49713 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49717 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, cPKWk.cs | .Net Code: f0r

                    System Summary

                    Source: 11.2.cbsBVT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.hesaphareketi_1.scr.exe.459a1b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.hesaphareketi_1.scr.exe.4549b80.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 0_2_01A2CD3C
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 0_2_01A2F5B6
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 0_2_01A2F5B8
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 0_2_059D7718
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 0_2_059DCF50
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 0_2_059DCF3F
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_030A4B10
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_030A3EF8
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_030A4240
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_030ACC98
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_030ACCA8
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_07084078
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_07094E20
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_0709CE58
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_0709A680
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_0709B6C8
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_0709ADD0
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_07097440
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_070919E8
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_0709C778
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Code function: 4_2_07091A99
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 6_2_0121CD3C
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 6_2_0121F5A8
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 6_2_0121F5B8
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_013CA588
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_013C4B10
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_013CEB90
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_013CAE10
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_013C3EF8
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_013C4240
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C5A8D4
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C5A5B4
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C5C058
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C5DC10
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C72760
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C765E0
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C7C580
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C75598
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C7B230
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C77D70
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C77690
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C7E798
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C70040
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C75CE8
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_071E3500
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 11_2_06C70007
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 14_2_00FB4560
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 14_2_00FBCD3C
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 14_2_00FBF5B8
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 14_2_00FBF5A8
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_02D6EAA9
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_02D64B10
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_02D63EF8
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_02D64240
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_02D6AD50
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_06D5A8D4
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_06D5A5B4
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_06D5DC10
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_06D73460
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_06D7B21F
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_06D77690
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_06D7E798
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_06D70040
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_06D70006
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_07123500
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Code function: 19_2_06D7003B
                    Source: hesaphareketi_1.scr.exe, 00000000.00000002.1400527379.0000000005C20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBienvenida.exe6 vs hesaphareketi_1.scr.exe
                    Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396824751.00000000034F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBienvenida.exe6 vs hesaphareketi_1.scr.exe
                    Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396824751.00000000034F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2379f9fe-9543-4c0b-b671-f5490ed118f9.exe4 vs hesaphareketi_1.scr.exe
                    Source: hesaphareketi_1.scr.exe, 00000000.00000002.1395292629.000000000157E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs hesaphareketi_1.scr.exe
                    Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegoesrecv.dllB vs hesaphareketi_1.scr.exe
                    Source: hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2379f9fe-9543-4c0b-b671-f5490ed118f9.exe4 vs hesaphareketi_1.scr.exe
                    Source: hesaphareketi_1.scr.exe, 00000000.00000000.1378076626.000000000102C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStorages.exe2 vs hesaphareketi_1.scr.exe
                    Source: hesaphareketi_1.scr.exe, 00000000.00000002.1400665428.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamegoesrecv.dllB vs hesaphareketi_1.scr.exe
                    Source: hesaphareketi_1.scr.exe, 00000004.00000002.2633683375.0000000001359000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs hesaphareketi_1.scr.exe
                    Source: hesaphareketi_1.scr.exe | Binary or memory string: OriginalFilenameStorages.exe2 vs hesaphareketi_1.scr.exe
                    Source: hesaphareketi_1.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 11.2.cbsBVT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.hesaphareketi_1.scr.exe.459a1b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.hesaphareketi_1.scr.exe.4549b80.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: hesaphareketi_1.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: cbsBVT.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.hesaphareketi_1.scr.exe.5db0000.6.raw.unpack, ConstellationPanel.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hesaphareketi_1.scr.exe.5db0000.6.raw.unpack, Symbols.cs | Base64 encoded string: (long base64 blobs omitted)
                    Source: 0.2.hesaphareketi_1.scr.exe.4549b80.3.raw.unpack, Symbols.cs | Base64 encoded string: (long base64 blobs omitted)
                    Source: 0.2.hesaphareketi_1.scr.exe.459a1b0.4.raw.unpack, Symbols.cs | Base64 encoded string: (long base64 blobs omitted)
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@25/20@2/3
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | File created: C:\Users\user\AppData\Roaming\cbsBVT
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4608:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2768:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fllulnlq.3yr.ps1
                    Source: hesaphareketi_1.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: hesaphareketi_1.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: hesaphareketi_1.scr.exe | ReversingLabs: Detection: 52%
                    Source: hesaphareketi_1.scr.exe | Virustotal: Detection: 38%
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | File read: C:\Users\user\Desktop\hesaphareketi_1.scr.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\hesaphareketi_1.scr.exe "C:\Users\user\Desktop\hesaphareketi_1.scr.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi_1.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Process created: C:\Users\user\Desktop\hesaphareketi_1.scr.exe "C:\Users\user\Desktop\hesaphareketi_1.scr.exe"
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi_1.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Process created: C:\Users\user\Desktop\hesaphareketi_1.scr.exe "C:\Users\user\Desktop\hesaphareketi_1.scr.exe"
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: dwrite.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: hesaphareketi_1.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: hesaphareketi_1.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb source: hesaphareketi_1.scr.exe, 00000000.00000002.1400527379.0000000005C20000.00000004.08000000.00040000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000000.00000002.1396824751.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000006.00000002.1576509993.0000000003031000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000E.00000002.1661164916.0000000002A23000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb{+Ll0 source: powershell.exe, 0000000F.00000002.1710961806.000000000867F000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.Automation.pdbst.resources.dll source: powershell.exe, 00000007.00000002.1584908607.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb/: source: powershell.exe, 0000000F.00000002.1703052636.0000000007789000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1409770708.00000000028E9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1603996918.000000000762C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1422525987.000000000807F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1608334741.000000000861A000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1607940683.00000000085D3000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.1703052636.00000000077EA000.00000004.00000020.00020000.00000000.sdmp
                    Source: hesaphareketi_1.scr.exe Static PE information: 0xDE088ED3 [Fri Jan 16 14:46:43 2088 UTC]
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 0_2_059DE6AF push 5D01A556h; ret 0_2_059DE660
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_030A0CB5 push edi; ret 4_2_030A0CC2
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Code function: 4_2_0708244F push es; ret 4_2_07082460
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_04A442B8 push ebx; ret 7_2_04A442DA
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 11_2_013C0CB5 push edi; ret 11_2_013C0CC2
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_02D60C93 push edi; retf 19_2_02D60C3A
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_02D60CB5 push edi; ret 19_2_02D60CC2
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D55178 push es; ret 19_2_06D55170
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D55162 push es; ret 19_2_06D55170
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D7805B push ebp; iretd 19_2_06D7805E
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D741F7 push ss; iretd 19_2_06D741FA
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D741FB push ss; iretd 19_2_06D74202
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D79131 push 65A806CFh; iretd 19_2_06D79136
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D72EDF push cs; iretd 19_2_06D73452
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D77D70 push esi; iretd 19_2_06D7805A
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D77D67 push edx; iretd 19_2_06D77D6A
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D77D60 push edx; iretd 19_2_06D77D66
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D78A08 pushad ; iretd 19_2_06D78A0E
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_06D748E1 push ds; iretd 19_2_06D748E2
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Code function: 19_2_071211B0 push es; ret 19_2_071211C0
                    Source: hesaphareketi_1.scr.exe Static PE information: section name: .text entropy: 7.933213587645533
                    Source: cbsBVT.exe.4.dr Static PE information: section name: .text entropy: 7.933213587645533
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe File created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cbsBVT

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe File opened: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: 19E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: 34F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: 3410000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: 30A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: 3140000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Memory allocated: 5140000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 1210000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 3030000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 1580000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 13C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 3120000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 16A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: FB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 2920000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 4920000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 2D60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 2F10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Memory allocated: 4F10000 memory reserve | memory write watch
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6398
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3132
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Window / User API: threadDelayed 3906
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Window / User API: threadDelayed 995
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7316
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2099
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Window / User API: threadDelayed 1241
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Window / User API: threadDelayed 3231
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7488
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2056
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Window / User API: threadDelayed 1958
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Window / User API: threadDelayed 2520
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6100 Thread sleep count: 6398 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5084 Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5812 Thread sleep count: 3132 > 30
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99874s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99765s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99546s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99437s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99328s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99217s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99104s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -99000s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98890s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98781s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98671s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98562s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98447s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98328s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98218s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -98095s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -97968s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -97859s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -97749s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -97640s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -97531s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -97421s >= -30000s
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 3228 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 4824 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3840Thread sleep count: 7316 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3764Thread sleep count: 2099 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4464Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -11068046444225724s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 1440Thread sleep count: 1241 > 30
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -99874s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 1440Thread sleep count: 3231 > 30
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -99764s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -99652s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -99547s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -99434s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -99328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -99218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -99109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -99000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -98890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -98779s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -98670s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -98562s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -98453s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -98344s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -98234s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -98125s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -98015s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -97906s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -97797s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 2328Thread sleep time: -97687s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 5176Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4564Thread sleep count: 7488 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6588Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5432Thread sleep count: 2056 > 30
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -15679732462653109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 3828Thread sleep count: 1958 > 30
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -99890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -99778s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 3828Thread sleep count: 2520 > 30
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -99669s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -99562s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -99453s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -99343s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -99234s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -99095s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -98968s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -98859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -98745s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -98617s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -98507s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -98390s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -98281s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -98172s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -98059s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -97952s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -97843s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -97734s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -97625s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe TID: 736Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 99874
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 99765
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 99546
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 99437
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 99328
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 99217
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 99104
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 99000
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 98890
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 98781
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 98671
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 98562
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 98447
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 98328
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 98218
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 98095
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 97968
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 97859
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 97749
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 97640
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 97531
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 97421
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99764
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99652
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99434
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98779
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98670
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98344
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98234
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98125
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98015
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 97906
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 97797
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 97687
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99778
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99669
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99343
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99234
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 99095
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98968
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98859
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98745
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98617
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98507
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98390
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98281
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98172
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 98059
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 97952
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 97843
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 97734
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 97625
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Thread delayed: delay time: 922337203685477
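The sleep and delay evidence above, together with the PhysicalDrive0 open and the Win32_BaseBoard / Win32_Processor WMI queries between the two runs, is the anti-analysis part of this report, and it is tedious to triage by hand across three processes and several thread IDs. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses signature lines in the shape shown above (both the separated form and the fused form in which the table cells ran together), groups them per process and thread, and derives three indicators: a request that exceeds the report's own 30000 threshold, an effectively unbounded wait (922337203685477 is exactly Int64.MaxValue ticks divided by 10000, i.e. .NET's TimeSpan.MaxValue in milliseconds), and the countdown pattern of the 100000, 99874, 99765, ... run, where a thread re-requests the time left until a fixed deadline after each wake-up. Treating the interval magnitude as milliseconds, the hardware-class list, and the sample lines are all the example's own assumptions and constructions.

```python
import re
from collections import defaultdict

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10_000 ticks per ms.
# A .NET sample that requests an unbounded wait shows up in the report with
# exactly this magnitude (922337203685477).
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
SANDBOX_THRESHOLD_MS = 30_000      # the report's own ">= -30000s" cut-off (treated as ms here)
SLEEP_COUNT_THRESHOLD = 30         # the report's own "> 30" cut-off

# WMI classes commonly enumerated to fingerprint hardware (VM detection).
# This set is the example's own choice, not a list taken from the report.
HARDWARE_CLASSES = {
    "Win32_BaseBoard", "Win32_Processor", "Win32_BIOS", "Win32_ComputerSystem",
    "Win32_DiskDrive", "Win32_VideoController", "Win32_NetworkAdapter",
}

# The patterns accept both the separated form ("... | TID: 1840 | Thread sleep ...")
# and the fused form ("... TID: 1840Thread sleep ...") in which cells ran together.
_SRC = r"Source:\s*(?P<src>.+?\.exe)\s*\|?\s*"
SLEEP_TIME_RE = re.compile(_SRC + r"TID:\s*(?P<tid>\d+)\s*\|?\s*Thread sleep time:\s*-?(?P<ms>\d+)s")
SLEEP_COUNT_RE = re.compile(_SRC + r"TID:\s*(?P<tid>\d+)\s*\|?\s*Thread sleep count:\s*(?P<n>\d+)")
WMI_RE = re.compile(_SRC + r"WMI Queries:.*?(?P<cls>Win32_\w+)")

# Constructed sample lines in the report's shape (not copied verbatim from it).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | TID: 1840 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | TID: 1840 | Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe TID: 1840Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | TID: 1840 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | TID: 5812 | Thread sleep count: 3132 > 30
Source: C:\Windows\System32\svchost.exe | TID: 3228 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
"""


def _is_countdown(intervals, max_step_ms=1_000, min_run=3):
    """True when at least `min_run` consecutive requests each shrink by no more
    than `max_step_ms`: the thread re-requests the time left until a fixed
    deadline after every wake-up, which is how a 'wait N seconds' loop logs."""
    run = 1
    for prev, cur in zip(intervals, intervals[1:]):
        run = run + 1 if 0 < prev - cur <= max_step_ms else 1
        if run >= min_run:
            return True
    return False


def triage(text):
    """Group the evidence per (process, thread) and derive evasion indicators."""
    sleeps = defaultdict(list)   # (src, tid) -> requested intervals, in log order
    counts = defaultdict(int)    # (src, tid) -> highest reported sleep count
    wmi = defaultdict(list)      # src -> hardware classes queried, first-seen order
    for line in text.splitlines():
        if m := SLEEP_TIME_RE.search(line):
            sleeps[(m["src"], m["tid"])].append(int(m["ms"]))
        elif m := SLEEP_COUNT_RE.search(line):
            key = (m["src"], m["tid"])
            counts[key] = max(counts[key], int(m["n"]))
        elif m := WMI_RE.search(line):
            if m["cls"] in HARDWARE_CLASSES and m["cls"] not in wmi[m["src"]]:
                wmi[m["src"]].append(m["cls"])

    threads = {}
    for key, intervals in sleeps.items():
        threads[key] = {
            "total_ms": sum(intervals),
            "over_threshold": any(ms > SANDBOX_THRESHOLD_MS for ms in intervals),
            "infinite_wait": TIMESPAN_MAX_MS in intervals,
            "countdown": _is_countdown(intervals),
        }
    for key, n in counts.items():
        threads.setdefault(key, {})["sleep_loop"] = n > SLEEP_COUNT_THRESHOLD
    return {"threads": threads, "hardware_queries": dict(wmi)}


if __name__ == "__main__":
    for key, flags in triage(SAMPLE_LINES)["threads"].items():
        print(key, flags)
```

Feed it the whole "Thread sleep time" and "WMI Queries" block of a report and the svchost.exe entry drops out on its own (a single 30000 request at the threshold, no countdown, no sentinel), while the sample and its cbsBVT.exe copy are flagged on all three counts; the hardware-class list is the knob to tune when a report shows other Win32_* classes.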
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svchost.exe, 00000005.00000002.2639144289.0000026D5AA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2637323659.0000026D5562B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: 0.2.hesaphareketi_1.scr.exe.35f3aec.0.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs | Reference to suspicious API methods: MyGetProcAddress(hProcess, Name)
Source: 0.2.hesaphareketi_1.scr.exe.35f3aec.0.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs | Reference to suspicious API methods: LoadLibraryA(ref name)
Source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, Ljq6xD21ACX.cs | Reference to suspicious API methods: OZkujShDCVG.OpenProcess(aPNZ30.DuplicateHandle, bInheritHandle: true, (uint)snUp2.ProcessID)
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Memory written: C:\Users\user\Desktop\hesaphareketi_1.scr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi_1.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Process created: C:\Users\user\Desktop\hesaphareketi_1.scr.exe "C:\Users\user\Desktop\hesaphareketi_1.scr.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe "C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\desktop\hesaphareketi_1.scr.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\.exe'
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\appdata\roaming\cbsbvt\cbsbvt.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\.exe'
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\appdata\roaming\cbsbvt\cbsbvt.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\.exe'
Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\desktop\hesaphareketi_1.scr.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\.exe'
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\appdata\roaming\cbsbvt\cbsbvt.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\.exe'
Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\appdata\roaming\cbsbvt\cbsbvt.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\.exe'
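Read letter by letter, the Powershell.exe command lines above are -ExecutionPolicy Bypass -command Copy-Item '<self>' '<Startup folder>\.exe': the sample copies itself into the user's Startup folder under a name that is nothing but an extension, and pads every character of the argument string with non-printable characters (rendered as '?' by the report, so their exact code points are not visible on this page) so that a naive string match on "ExecutionPolicy Bypass" never fires. The Python below is an added example for this page, not code from the report or from the sample. It normalizes a command line (NFKC folding, then dropping every Unicode control/format code point, and optionally the '?' runs of a report transcript) and then matches the persistence pattern. The two sample command lines are constructed here; that the padding consists of zero-width format characters is the example's assumption, and the user path and file names are taken from the report only as illustration.

```python
import re
import unicodedata

# The report prints the padding characters as '?', so their code points are not
# recoverable from it.  This example assumes zero-width format characters, the
# usual choice for this trick, when it builds its own sample below.
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff"   # ZWSP, ZWNJ, ZWJ, word joiner, BOM


def pad(text, filler=ZERO_WIDTH):
    """Constructed helper that mimics the obfuscation: filler after every character."""
    return "".join(ch + filler for ch in text)


STARTUP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Two constructed command lines: one with real invisible code points, one in the
# report's rendering where each padding run became ten '?' characters.
SAMPLE_CMDLINE = ('"Powershell.exe" ' + pad("-ExecutionPolicy Bypass -command Copy-Item")
                  + r" 'C:\Users\user\Desktop\hesaphareketi_1.scr.exe'"
                  + f" '{STARTUP_DIR}\\.exe'")
SAMPLE_REPORT_STYLE = ('"powershell.exe" ' + pad("-executionpolicy bypass -command copy-item", "??????????")
                       + r" 'c:\users\user\appdata\roaming\cbsbvt\cbsbvt.exe'"
                       + f" '{STARTUP_DIR.lower()}\\.exe'")

BYPASS_RE = re.compile(r"-ExecutionPolicy\s+Bypass", re.IGNORECASE)
COPY_RE = re.compile(r"Copy-Item\s+'(?P<src>[^']+)'\s+'(?P<dst>[^']+)'", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\(?P<name>[^'\\]*)$", re.IGNORECASE)


def normalize(cmdline, placeholder_runs=False):
    """Strip the padding so that pattern matching sees the operator's intended text.

    1. NFKC folds compatibility forms (fullwidth letters, ligatures) to their ASCII
       equivalents, which defeats the homoglyph variant of the same trick.
    2. Every code point in a 'C' category (control, format, private use, unassigned,
       surrogate) is dropped; that covers zero-width joiners, BOMs and NULs.
    3. Optionally, runs of two or more '?' are dropped too, for text copied from a
       sandbox report that rendered the invisible characters as '?'.
    """
    text = unicodedata.normalize("NFKC", cmdline)
    text = "".join(ch for ch in text if unicodedata.category(ch)[0] != "C")
    if placeholder_runs:
        text = re.sub(r"\?{2,}", "", text)
    return text


def analyze(cmdline, placeholder_runs=False):
    """Return indicators for the Startup-folder persistence seen in the report."""
    clean = normalize(cmdline, placeholder_runs)
    result = {
        "normalized": clean,
        "stripped_chars": len(cmdline) - len(clean),
        "execution_policy_bypass": bool(BYPASS_RE.search(clean)),
        "copies_to_startup": False,
        "empty_stem": False,        # destination name is only an extension, e.g. ".exe"
        "copy_src": None,
    }
    if m := COPY_RE.search(clean):
        result["copy_src"] = m["src"]
        if s := STARTUP_RE.search(m["dst"]):
            name = s["name"]
            result["copies_to_startup"] = True
            result["empty_stem"] = name.startswith(".") and "." not in name[1:] and len(name) > 1
    result["verdict"] = ("startup-persistence"
                         if result["execution_policy_bypass"] and result["copies_to_startup"]
                         else "benign-or-unknown")
    return result


if __name__ == "__main__":
    for sample, runs in ((SAMPLE_CMDLINE, False), (SAMPLE_REPORT_STYLE, True)):
        print(analyze(sample, placeholder_runs=runs))
```

The stripped_chars count is itself a useful signal: a legitimate command line loses nothing in normalization, whereas these lines lose several hundred characters. Run the check on the normalized text in any process-creation pipeline (Sysmon event 1, EDR telemetry) rather than on the raw command line, or the padding alone is enough to slip past a string match.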
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeQueries volume information: C:\Users\user\Desktop\hesaphareketi_1.scr.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x2)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x3)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (x2)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (x2)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation (x3)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (x13)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (x9)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x13)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation (x3)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Users\user\Desktop\hesaphareketi_1.scr.exe VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (x3)
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (x2)
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (x2)
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x2)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x3)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (x2)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation (x3)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (x4)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeQueries volume information: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeQueries volume information: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Queries volume information: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 11.2.cbsBVT.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi_1.scr.exe.4661450.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi_1.scr.exe.459a1b0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi_1.scr.exe.4549b80.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000B.00000002.1662306646.000000000319C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000002.2639565652.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.1662306646.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2641024996.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000002.2639565652.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2641024996.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: hesaphareketi_1.scr.exe PID: 4276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: hesaphareketi_1.scr.exe PID: 1988, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: cbsBVT.exe PID: 5296, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: cbsBVT.exe PID: 3040, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\hesaphareketi_1.scr.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 11.2.cbsBVT.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi_1.scr.exe.4661450.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi_1.scr.exe.459a1b0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi_1.scr.exe.4549b80.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000B.00000002.1662306646.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000002.2639565652.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2641024996.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: hesaphareketi_1.scr.exe PID: 4276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: hesaphareketi_1.scr.exe PID: 1988, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: cbsBVT.exe PID: 5296, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: cbsBVT.exe PID: 3040, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 11.2.cbsBVT.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi_1.scr.exe.4661450.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi_1.scr.exe.4661450.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi_1.scr.exe.459a1b0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.hesaphareketi_1.scr.exe.4549b80.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000B.00000002.1662306646.000000000319C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000002.2639565652.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.1662306646.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2641024996.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000002.2639565652.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2641024996.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: hesaphareketi_1.scr.exe PID: 4276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: hesaphareketi_1.scr.exe PID: 1988, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: cbsBVT.exe PID: 5296, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: cbsBVT.exe PID: 3040, type: MEMORYSTR
                    MITRE ATT&CK Matrix (a number in front of a technique is the count badge the report shows for that cell)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 34 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 21 Obfuscated Files or Information | 1 Credentials in Registry | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | 221 Security Software Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 151 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 151 Virtualization/Sandbox Evasion | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 111 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Hidden Files and Directories | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    Behavior Graph ID: 1430777 | Sample: hesaphareketi_1.scr.exe | Startdate: 24/04/2024 | Architecture: WINDOWS | Score: 100
                    (Graph nodes are given as "process (node id)"; the numbers that follow a process name are the count badges shown next to it in the graph.)

                    Start (node 2)
                      DNS/IP: business29.web-hosting.com; api.ipify.org
                      Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
                      Started: hesaphareketi_1.scr.exe 2 (node 8); cbsBVT.exe 3 (node 11); cbsBVT.exe (node 13); svchost.exe 1 1 (node 15)
                    hesaphareketi_1.scr.exe (node 8)
                      Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Injects a PE file into a foreign processes
                      Started: hesaphareketi_1.scr.exe 16 5 (node 18); powershell.exe 21 (node 23)
                    cbsBVT.exe (node 11)
                      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                      Started: cbsBVT.exe (node 25); powershell.exe 21 (node 27); cbsBVT.exe (node 29)
                    cbsBVT.exe (node 13)
                      Started: cbsBVT.exe (node 31); powershell.exe (node 33); cbsBVT.exe (node 35); cbsBVT.exe (node 37)
                    svchost.exe (node 15)
                      DNS/IP: 127.0.0.1 unknown unknown
                    hesaphareketi_1.scr.exe (node 18)
                      DNS/IP: business29.web-hosting.com 198.54.114.199, 49709, 49715, 49718 NAMECHEAP-NETUS United States; api.ipify.org 104.26.13.205, 443, 49707, 49713 CLOUDFLARENETUS United States
                      Dropped: C:\Users\user\AppData\Roaming\...\cbsBVT.exe, PE32; C:\Users\user\...\cbsBVT.exe:Zone.Identifier, ASCII
                      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier)
                    powershell.exe (node 23)
                      Started: conhost.exe (node 39)
                    powershell.exe (node 27)
                      Signatures: Loading BitLocker PowerShell Module
                      Started: conhost.exe (node 41)
                    cbsBVT.exe (node 31)
                      Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                    powershell.exe (node 33)
                      Started: conhost.exe (node 43)

                    Source | Detection | Scanner | Label | Link
                    hesaphareketi_1.scr.exe | 53% | ReversingLabs | Win32.Spyware.Negasteal |
                    hesaphareketi_1.scr.exe | 39% | Virustotal | | Browse
                    hesaphareketi_1.scr.exe | 100% | Avira | HEUR/AGEN.1309721 |
                    hesaphareketi_1.scr.exe | 100% | Joe Sandbox ML | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | 100% | Avira | HEUR/AGEN.1309721 |
                    C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | 53% | ReversingLabs | Win32.Spyware.Negasteal |
                    C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe | 39% | Virustotal | | Browse
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe |
                    https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
                    http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
                    https://contoso.com/License | 0% | URL Reputation | safe |
                    https://contoso.com/Icon | 0% | URL Reputation | safe |
                    https://contoso.com/Icon | 0% | URL Reputation | safe |
                    http://go.micros | 0% | URL Reputation | safe |
                    http://go.micros | 0% | URL Reputation | safe |
                    https://contoso.com/ | 0% | URL Reputation | safe |
                    http://crl.mi? | 0% | Avira URL Cloud | safe |
                    http://ocsp.sectigo.com0- | 0% | Avira URL Cloud | safe |
                    http://crl.ver) | 0% | Avira URL Cloud | safe |
                    https://vksdr.com/goesrecv-monitor | 0% | Avira URL Cloud | safe |
                    http://crl.microj | 0% | Avira URL Cloud | safe |
                    https://wdcp.mi | 0% | Avira URL Cloud | safe |
                    https://vksdr.com/goesrecv-monitor | 0% | Virustotal | | Browse
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    api.ipify.org | 104.26.13.205 | true | false | | high
                    business29.web-hosting.com | 198.54.114.199 | true | false | | high

                    Name | Malicious | Antivirus Detection | Reputation
                    https://api.ipify.org/ | false | | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1416322622.00000000054D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1599751140.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://aka.ms/winsvr-2022-pshelp | powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://sectigo.com/CPS0 | hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://ocsp.sectigo.com0- | hesaphareketi_1.scr.exe, 00000004.00000002.2636111594.000000000164E000.00000004.00000020.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1657051554.0000000001490000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2633915220.0000000001234000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                    https://account.dyn.com/ | hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                    http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.1411676726.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000004C22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://contoso.com/License | powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://contoso.com/Icon | powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
                    http://crl.ver) | svchost.exe, 00000005.00000002.2639002089.0000026D5AA00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                    https://g.live.com/odclientsettings/ProdV2/C: | svchost.exe, 00000005.00000003.1397280494.0000026D5AC20000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | false | | high
                    https://api.ipify.org/t | hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.0000000003141000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000312C000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://github.com/sam210723/goesrecv-monitor/releases/latest | hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000000.00000002.1400665428.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp | false | | high
                    http://go.micros | powershell.exe, 00000002.00000002.1411676726.0000000004BAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000005214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.00000000056B3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
                    https://github.com/Pester/Pester | powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672956754.000000000324F000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://g.live.com/odclientsettings/Prod/C: | edb.log.5.dr | false | | high
                    https://api.ipify.org | hesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.0000000003141000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000312C000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp | false |
                                                high
                                                http://crl.microjcbsBVT.exe, 0000000B.00000002.1680830301.0000000006756000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://aka.ms/pscore6lBpowershell.exe, 00000002.00000002.1411676726.0000000004471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.0000000004F71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://crl.mi?powershell.exe, 00000002.00000002.1419457757.0000000007054000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://business29.web-hosting.comhesaphareketi_1.scr.exe, 00000004.00000002.2641024996.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000319C000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F8C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://vksdr.com/goesrecv-monitorhesaphareketi_1.scr.exe, 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000000.00000002.1400665428.0000000005DB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                    • 0%, Virustotal, Browse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.1411676726.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000004C22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.00000000050C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://contoso.com/powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.1416322622.00000000054D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1599751140.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1697267398.0000000005FD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://wdcp.mihesaphareketi_1.scr.exe, 00000000.00000002.1395292629.0000000001623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.1411676726.0000000004471000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi_1.scr.exe, 00000004.00000002.2641024996.0000000003141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1588730202.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 0000000B.00000002.1662306646.000000000312C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1679690872.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, cbsBVT.exe, 00000013.00000002.2639565652.0000000002F1C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
198.54.114.199 | business29.web-hosting.com | United States | 22612 | NAMECHEAP-NETUS | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
                                                          IP
                                                          127.0.0.1
                                                          Joe Sandbox version:40.0.0 Tourmaline
                                                          Analysis ID:1430777
                                                          Start date and time:2024-04-24 07:10:20 +02:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 9m 3s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:23
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:hesaphareketi_1.scr.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@25/20@2/3
                                                          EGA Information:
                                                          • Successful, ratio: 75%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 270
                                                          • Number of non-executed functions: 6
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                          • Excluded IPs from analysis (whitelisted): 23.202.57.177
                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target powershell.exe, PID 3956 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 4276 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:11:11 | API Interceptor | 61x Sleep call for process: powershell.exe modified
07:11:12 | API Interceptor | 2x Sleep call for process: svchost.exe modified
07:11:17 | API Interceptor | 24x Sleep call for process: hesaphareketi_1.scr.exe modified
07:11:17 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run cbsBVT C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
07:11:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run cbsBVT C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
07:11:32 | API Interceptor | 44x Sleep call for process: cbsBVT.exe modified
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1310720
                                                          Entropy (8bit):0.8021744339108811
                                                          Encrypted:false
                                                          SSDEEP:1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAS:RJE+Lfki1GjHwU/+vVhWqpn
                                                          MD5:0D4F863CB6FE3D8A0F99234DB8DE1734
                                                          SHA1:08F6883194DA6E71B370E59A1190B9184B480BB8
                                                          SHA-256:3A5434E28C86ABA21B564ACDF4C0D32FA6ADDC09CD0566AC6C1C5473A5B0CA26
                                                          SHA-512:412E703BB6AC0E268E07BAD2F023AC3082025FE4FE20C2C537BA1772455606F4DB97057BE2AB1543103723D4C7CA60B439B400E2A0E5A10C30DDBE5EA3D2134E
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x5240ef93, page size 16384, DirtyShutdown, Windows version 10.0
                                                          Category:dropped
                                                          Size (bytes):1048576
                                                          Entropy (8bit):0.9432590994172936
                                                          Encrypted:false
                                                          SSDEEP:1536:jSB2ESB2SSjlK/ZvxPXK0I9XGJCTgzZYkr3g16zV2UPkLk+kY+lKuy9ny5zPOZ15:jazaHvxXy2V2UR
                                                          MD5:846162F0E4E8625E30F091316D90E696
                                                          SHA1:E72C572ADC2F9D95E64DDB9910D13DBE97FD61F3
                                                          SHA-256:38BDD97DD63EB06592A814596CEF1C3F18323CA61BCF1FC6533DF5124599B33B
                                                          SHA-512:95971204C048028A0C99406CC458B511856F344B70438FEBF9A68C80ED0006E6F363A215F0592A621E3366EAF4146677FD98206DB699FA7E2056840A8785CE0B
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):16384
                                                          Entropy (8bit):0.07995755026283656
                                                          Encrypted:false
                                                          SSDEEP:3:pXKYeflhFl/nqlFcl1ZUllllozsEillGBnX/l/Tj/k7/t:pXKzflhFl/qlFclQ/lfh254
                                                          MD5:2C8DEA6038B1AF7086073C0DC2D76D5D
                                                          SHA1:7ED1CEC7D102EABE8B2E02B6BBB47A7C6DF85374
                                                          SHA-256:E16DDB6C0B83BC7FBD24CFF4333261C0F75D73B607981D69DA8D82E395BB1DB7
                                                          SHA-512:5BDACB09529D373F265F559E333311B1C761BB09A6726DD93B934897F4754C2F4C3EC4D0526F42A2330AAEE3A9644802BCBE12ACD37A3C473DB96AF952867498
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.34331486778365
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):0.34726597513537405
                                                          Encrypted:false
                                                          SSDEEP:3:Nlll:Nll
                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                          Malicious:false
                                                          Preview:@...e...........................................................
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                           Note:the entry above occurs 12 times in the report with identical hashes (one file per PowerShell process); it is the probe file PowerShell writes on start to test AppLocker lockdown mode, not a malware artifact
                                                          Process:C:\Users\user\Desktop\hesaphareketi_1.scr.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):375296
                                                          Entropy (8bit):7.922698401047371
                                                          Encrypted:false
                                                          SSDEEP:6144:JAHFQafd9O1S/jS4BwnvTB1QJgFmsDnv/snE2GUu6d7kxzjE2:+zd9OwGu+FmsDvQ9GHj
                                                          MD5:39C348D66F448C5DFD2CE92756A2AF10
                                                          SHA1:0E236D48DF2F56DB7C292C402C48E098C5526639
                                                          SHA-256:3A9444944C737900563B16DAB76E19BCD2C52F1D3B35E258D581B523586AE828
                                                          SHA-512:B01F7E6B47860F7687508F6FBD443923B5E782FB0D006EFF78898B30610811442B41495183B2B8A48FC235175FC50B588F19F3E4176B8C9D91C1CC85D69DC68C
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 53%
                                                           • Antivirus: Virustotal, Detection: 39%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0......,......^.... ........@.. ....................... ............@.....................................S.......4)........................................................................... ............... ..H............text...d.... ...................... ..`.rsrc...4).......*..................@..@.reloc..............................@..B................@.......H........b...G..........$[.............................................................?.......?.......?.......?.....^..9...U..............?...?...?...?2.{....o....*2.{....o....*:.{.....o$...&*J.{.....o%...{....*N.s)...}.....(*....*.s.........*".(+....*:.{.....{....Y*^.(+.......}......}....*&...}....*~.(+......s~...}.....s~...}....*n..{.....o......{....o.....*j..{....o......{....o.....*...j}".... ....j}#....s....}$....(........jo.....*...j}".... ....j}#....s....}$....(.......
                                                          Process:C:\Users\user\Desktop\hesaphareketi_1.scr.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:JSON data
                                                          Category:dropped
                                                          Size (bytes):55
                                                          Entropy (8bit):4.306461250274409
                                                          Encrypted:false
                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                          Malicious:false
                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.922698401047371
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                          File name:hesaphareketi_1.scr.exe
                                                          File size:375'296 bytes
                                                          MD5:39c348d66f448c5dfd2ce92756a2af10
                                                          SHA1:0e236d48df2f56db7c292c402c48e098c5526639
                                                          SHA256:3a9444944c737900563b16dab76e19bcd2c52f1d3b35e258d581b523586ae828
                                                          SHA512:b01f7e6b47860f7687508f6fbd443923b5e782fb0d006eff78898b30610811442b41495183b2b8a48fc235175fc50b588f19f3e4176b8c9d91c1cc85d69dc68c
                                                          SSDEEP:6144:JAHFQafd9O1S/jS4BwnvTB1QJgFmsDnv/snE2GUu6d7kxzjE2:+zd9OwGu+FmsDvQ9GHj
                                                          TLSH:5684E0736F849659DE9C2D39FC9E396EC2E91AE752D3FB24C67080819871320644FE4A
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0......,......^.... ........@.. ....................... ............@................................
                                                          Icon Hash:8f414a4c4c42c14f
                                                          Entrypoint:0x45aa5e
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0xDE088ED3 [Fri Jan 16 14:46:43 2088 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
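The header fields above (Time Stamp 0xDE088ED3, which decodes to a date in 2088; the `jmp dword ptr [00402000h]` entry stub of a .NET image; the per-file Entropy values) and the rewritten `[ZoneTransfer] ZoneId=0` stream listed among the dropped files are the static indicators a triage script checks first. The following Python is an added example written for this page, not Joe Sandbox code: it decodes the PE timestamp and flags a future value, recognises the FF 25 indirect-jump stub that every 32-bit .NET executable starts with, computes the 8-bit entropy the report shows, and parses a Zone.Identifier stream to detect a mark-of-the-web that has been reset to zone 0. The stub bytes and stream text are constructed to match what the report shows; the 2024-04-01 observation date is an assumption.

```python
"""Static triage helpers for the per-file indicators a sandbox report lists.

Added example, not Joe Sandbox code. The entry-stub bytes and the
Zone.Identifier text used below are constructed to match what the report
shows for hesaphareketi_1.scr.exe; the observation time is an assumption.
"""
import math
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Security zones as written into the Zone.Identifier alternate data stream.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}


def pe_timestamp(value: int) -> datetime:
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970-01-01 UTC)."""
    return UNIX_EPOCH + timedelta(seconds=value)


def timestamp_is_suspicious(value: int, observed_unix: int) -> bool:
    """A link time of zero, or later than the moment the file was observed,
    cannot be genuine: the field was forged or overwritten by the build chain."""
    return value == 0 or value > observed_unix


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0): the report's Entropy field.
    Values near 8 over a whole .NET image point to a packed or encrypted payload."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_entry_stub(stub: bytes) -> Optional[int]:
    """Return the absolute slot address if the entry point is `jmp dword ptr [imm32]`
    (opcode FF 25). A 32-bit .NET executable starts with exactly this: an indirect
    jump through its only import, mscoree!_CorExeMain, via the IAT (0x402000 here).
    The bytes after the six-byte stub are zero padding, which a disassembler
    renders as `add byte ptr [eax], al`."""
    if len(stub) >= 6 and stub[:2] == b"\xff\x25":
        return struct.unpack_from("<I", stub, 2)[0]
    return None


def parse_zone_identifier(text: str) -> Optional[int]:
    """Parse a Zone.Identifier stream and return its ZoneId, or None if absent."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and line.lower().startswith("zoneid="):
            try:
                return int(line.split("=", 1)[1].strip())
            except ValueError:
                return None
    return None


def motw_stripped(text: str) -> bool:
    """True when the stream is present but no longer marks the file as coming from
    the Internet (3) or Restricted sites (4): ZoneId=0 on a downloaded file means
    the mark-of-the-web was rewritten, which is what the report flags."""
    zone = parse_zone_identifier(text)
    return zone is not None and zone < 3


if __name__ == "__main__":
    observed = int(datetime(2024, 4, 1, tzinfo=timezone.utc).timestamp())  # assumed analysis date
    ts = 0xDE088ED3  # Time Stamp field from the report
    print(pe_timestamp(ts).isoformat(), "suspicious:", timestamp_is_suspicious(ts, observed))
    # Constructed: FF 25 00 20 40 00 = jmp dword ptr [00402000h], then zero padding.
    stub = bytes.fromhex("ff2500204000") + bytes(10)
    print("entry jumps through IAT slot", hex(decode_entry_stub(stub)))
    # Constructed to match the modified stream shown among the dropped files.
    zi = "[ZoneTransfer]\r\nZoneId=0\r\n"
    print("zone:", ZONES[parse_zone_identifier(zi)], "MOTW stripped:", motw_stripped(zi))
    print("entropy of all 256 byte values:", shannon_entropy(bytes(range(256))))
```

Run as a script it prints the four checks. A future TimeDateStamp together with a ZoneId=0 stream on a file that arrived by download is the combination the report's own signatures ("Binary contains a suspicious time stamp", "Hides that the sample has been downloaded from the Internet") call out; the entropy of 7.92 over a 375 KB .NET image is the third reason to expect an embedded payload rather than plain managed code.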
                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                           add byte ptr [eax], al
                                                           Note:the remaining listed instructions are all add byte ptr [eax], al, i.e. 00 00 zero padding after the six-byte jmp stub that takes a .NET image through its import table into the CLR loader
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5aa08 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5c000 | 0x2934 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x58a64 | 0x58c00 | eb863bcf2c6cdc9463561948c51bd090 | False | 0.8962037852112676 | data | 7.933213587645533 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x5c000 | 0x2934 | 0x2a00 | 24f47933c162da946a3b948bf515ace2 | False | 0.8600260416666666 | data | 7.706116452501856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x60000 | 0xc | 0x200 | 4d668a27bd82553824793373eb6e80f9 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x5c130 | 0x22e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9471622075450576
RT_GROUP_ICON | 0x5e418 | 0x14 | data | | | 0.95
RT_VERSION | 0x5e42c | 0x31c | data | | | 0.4258793969849246
RT_MANIFEST | 0x5e748 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Imports
DLL | Import
mscoree.dll | _CorExeMain
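The tables above are what a static triage pass reads before anything is executed: the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x48 bytes at RVA 0x2008) together with a single mscoree.dll!_CorExeMain import identify a managed (.NET) executable, and a .text section at 7.93 bits/byte is statistically indistinguishable from random data, which for an executable section means the real code is compressed or encrypted and unpacked at run time. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it transcribes the report's section and directory rows as constants, exercises the entropy routine on constructed byte strings (not bytes of the sample), and applies thresholds (PACKED_ENTROPY, SIZE_SLACK) that are the author's assumptions rather than values Joe Sandbox uses.

```python
"""PE triage heuristics applied to a section/data-directory listing.

Added example; not code from the Joe Sandbox report or from the sample.
SECTIONS, DATA_DIRS and IMPORTS are transcribed from the report's tables.
Byte strings passed to shannon_entropy() below are constructed test inputs.
PACKED_ENTROPY and SIZE_SLACK are the author's assumptions.
"""
import math
from collections import Counter

# Section rows from the report: (name, VirtualAddress, VirtualSize, RawSize,
# entropy in bits/byte, characteristics flags).
SECTIONS = [
    (".text", 0x2000, 0x58a64, 0x58c00, 7.933213587645533,
     {"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"}),
    (".rsrc", 0x5c000, 0x2934, 0x2a00, 7.706116452501856,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    (".reloc", 0x60000, 0xc, 0x200, 0.10191042566270775,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE",
      "IMAGE_SCN_MEM_READ"}),
]
# Non-empty data directories from the report: name -> (RVA, size).
DATA_DIRS = {
    "IMAGE_DIRECTORY_ENTRY_IMPORT": (0x5aa08, 0x53),
    "IMAGE_DIRECTORY_ENTRY_RESOURCE": (0x5c000, 0x2934),
    "IMAGE_DIRECTORY_ENTRY_BASERELOC": (0x60000, 0xc),
    "IMAGE_DIRECTORY_ENTRY_IAT": (0x2000, 0x8),
    "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR": (0x2008, 0x48),
}
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}

PACKED_ENTROPY = 7.0  # assumption: plain native or IL code lands well below 7 bits/byte
SIZE_SLACK = 2.0      # assumption: VirtualSize > 2x RawSize hints at an in-place unpacker


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(rva: int, sections=SECTIONS):
    """Name of the section whose range contains rva (the report's 'Is in Section' column), else None."""
    for name, va, vsize, rsize, _, _ in sections:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None


def is_dotnet(data_dirs=DATA_DIRS, imports=IMPORTS) -> bool:
    """A 0x48-byte CLR header plus a lone mscoree!_CorExeMain import is the managed-EXE signature."""
    clr_size = data_dirs.get("IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", (0, 0))[1]
    only_mscoree = set(imports) == {"mscoree.dll"} and imports["mscoree.dll"] == ["_CorExeMain"]
    return clr_size == 0x48 and only_mscoree


def section_findings(sections=SECTIONS):
    """Human-readable triage findings per section (packed code, RWX, unpacker slack)."""
    findings = []
    for name, _va, vsize, rsize, entropy, flags in sections:
        executable = "IMAGE_SCN_MEM_EXECUTE" in flags
        if executable and entropy > PACKED_ENTROPY:
            findings.append(f"{name}: executable section with entropy {entropy:.2f} bits/byte; "
                            "code is almost certainly compressed or encrypted and unpacked at run time")
        if executable and "IMAGE_SCN_MEM_WRITE" in flags:
            findings.append(f"{name}: writable and executable (RWX) section")
        if rsize and vsize > SIZE_SLACK * rsize:
            findings.append(f"{name}: VirtualSize 0x{vsize:x} far exceeds RawSize 0x{rsize:x}; "
                            "room reserved for an in-place unpacker")
    return findings


def directory_findings(data_dirs=DATA_DIRS, sections=SECTIONS):
    """Flag directories whose RVA lies outside every section (corrupted or deliberately malformed header)."""
    return [f"{name}: RVA 0x{rva:x} is not inside any section"
            for name, (rva, size) in data_dirs.items()
            if size and section_for_rva(rva, sections) is None]


if __name__ == "__main__":
    print("managed (.NET) executable:", is_dotnet())
    for line in section_findings() + directory_findings():
        print("-", line)
```

On this sample the script reports a managed executable and a single finding, the packed .text section; the .rsrc entropy of 7.7 is explained by the table below it (a 256x256 PNG icon, already deflate-compressed) and is not flagged because the section is not executable.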
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 07:11:14.688350916 CEST | 49707 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:14.688409090 CEST | 443 | 49707 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:14.688517094 CEST | 49707 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:14.697738886 CEST | 49707 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:14.697757959 CEST | 443 | 49707 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:15.032953978 CEST | 443 | 49707 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:15.033092976 CEST | 49707 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:15.038858891 CEST | 49707 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:15.038866997 CEST | 443 | 49707 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:15.039170980 CEST | 443 | 49707 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:15.084393024 CEST | 49707 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:15.127413034 CEST | 49707 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:15.168116093 CEST | 443 | 49707 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:15.465729952 CEST | 443 | 49707 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:15.465797901 CEST | 443 | 49707 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:15.466263056 CEST | 49707 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:15.472546101 CEST | 49707 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:18.600857973 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:18.767726898 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:18.769077063 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:19.129461050 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:19.129673958 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:19.295943975 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:19.296149969 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:19.465219975 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:19.465641975 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:19.650780916 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:19.650816917 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:19.650866985 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:19.650896072 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:19.650909901 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:19.650947094 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:19.654012918 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:19.679406881 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:19.845840931 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:19.849483967 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:20.015453100 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:20.016767979 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:20.183032990 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:20.184181929 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:20.369147062 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:20.369406939 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:20.535065889 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:20.535325050 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:20.741591930 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:20.742620945 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:20.742815018 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:20.908637047 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:20.908655882 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:20.909312010 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:20.909392118 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:20.909404039 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:20.909435987 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:21.074914932 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:21.075067043 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:21.075820923 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:21.095396042 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:21.146773100 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:32.025676966 CEST | 49713 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:32.025732040 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:32.025814056 CEST | 49713 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:32.029042959 CEST | 49713 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:32.029078007 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:32.364981890 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:32.365077019 CEST | 49713 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:32.370682001 CEST | 49713 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:32.370698929 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:32.371032000 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:32.443900108 CEST | 49713 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:32.488121033 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:32.820672035 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:32.820758104 CEST | 443 | 49713 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:32.821021080 CEST | 49713 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:32.823256016 CEST | 49713 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:33.381782055 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:33.547837019 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:33.549175024 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:33.791553974 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:33.791987896 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:33.958271980 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:33.958501101 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:34.125446081 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:34.129651070 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:34.311959982 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:34.311981916 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:34.311995029 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:34.312015057 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:34.312094927 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:34.314519882 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:34.315927029 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:34.481990099 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:34.486468077 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:34.652343988 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:34.652757883 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:34.825877905 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:34.826299906 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:35.006762981 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:35.007055044 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:35.177738905 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:35.179270029 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:35.379748106 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:35.379954100 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:35.546979904 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:35.547617912 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:35.547722101 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:35.547722101 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:35.547722101 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:35.713555098 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:35.713573933 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:35.713701010 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:35.713826895 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:35.738240957 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:35.787431002 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:40.084805965 CEST | 49717 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:40.084882021 CEST | 443 | 49717 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:40.084969997 CEST | 49717 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:40.089024067 CEST | 49717 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:40.089082956 CEST | 443 | 49717 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:40.418911934 CEST | 443 | 49717 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:40.418993950 CEST | 49717 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:40.421153069 CEST | 49717 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:40.421168089 CEST | 443 | 49717 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:40.421473026 CEST | 443 | 49717 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:40.474994898 CEST | 49717 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:40.485888958 CEST | 49717 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:40.532114983 CEST | 443 | 49717 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:40.891135931 CEST | 443 | 49717 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:40.891210079 CEST | 443 | 49717 | 104.26.13.205 | 192.168.2.8
Apr 24, 2024 07:11:40.891380072 CEST | 49717 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:40.893866062 CEST | 49717 | 443 | 192.168.2.8 | 104.26.13.205
Apr 24, 2024 07:11:41.434509039 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:41.600569010 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:41.600821972 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:41.925139904 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:41.925328016 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:42.091413975 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:42.091598988 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:42.258861065 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:42.259398937 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:42.437243938 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:42.437267065 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:42.437283993 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:42.437304020 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:42.437319994 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:42.437422991 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:42.439768076 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:42.445679903 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:42.611695051 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:42.616499901 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:42.782506943 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:42.782994032 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:42.959914923 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:42.960370064 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:43.105247974 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:43.146295071 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:43.146539927 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:43.312306881 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:43.312613010 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:43.492047071 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:43.492377043 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:43.658749104 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:43.659390926 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:43.659497976 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:43.659497976 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:43.659497976 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:11:43.824948072 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:43.825042009 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:43.825261116 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:43.826299906 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:43.832256079 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:11:43.881222010 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:12:58.444061995 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
Apr 24, 2024 07:12:58.611929893 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8
Apr 24, 2024 07:12:58.612668991 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 07:11:14.517535925 CEST | 57085 | 53 | 192.168.2.8 | 1.1.1.1
Apr 24, 2024 07:11:14.672370911 CEST | 53 | 57085 | 1.1.1.1 | 192.168.2.8
Apr 24, 2024 07:11:18.423459053 CEST | 52435 | 53 | 192.168.2.8 | 1.1.1.1
Apr 24, 2024 07:11:18.597352982 CEST | 53 | 52435 | 1.1.1.1 | 192.168.2.8
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 07:11:14.517535925 CEST | 192.168.2.8 | 1.1.1.1 | 0x8f94 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:11:18.423459053 CEST | 192.168.2.8 | 1.1.1.1 | 0xb884 | Standard query (0) | business29.web-hosting.com | A (IP address) | IN (0x0001) | false
DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 07:11:14.672370911 CEST | 1.1.1.1 | 192.168.2.8 | 0x8f94 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:11:14.672370911 CEST | 1.1.1.1 | 192.168.2.8 | 0x8f94 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:11:14.672370911 CEST | 1.1.1.1 | 192.168.2.8 | 0x8f94 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:11:18.597352982 CEST | 1.1.1.1 | 192.168.2.8 | 0xb884 | No error (0) | business29.web-hosting.com | | 198.54.114.199 | A (IP address) | IN (0x0001) | false
                                                          • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49707 | 104.26.13.205 | 443 | 1988 | C:\Users\user\Desktop\hesaphareketi_1.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:11:15 UTC | 155 | OUT |
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-04-24 05:11:15 UTC | 211 | IN |
    HTTP/1.1 200 OK
    Date: Wed, 24 Apr 2024 05:11:15 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 87939770ab160fcc-LAX
2024-04-24 05:11:15 UTC | 13 | IN |
    Data Raw: 31 35 34 2e 31 36 2e 31 30 35 2e 33 36
    Data Ascii: 154.16.105.36


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49713 | 104.26.13.205 | 443 | 5296 | C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:11:32 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-04-24 05:11:32 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Apr 2024 05:11:32 GMT
Content-Type: text/plain
Content-Length: 13
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 879397dcfc057c2f-LAX
2024-04-24 05:11:32 UTC | 13 | IN | Data Raw: 31 35 34 2e 31 36 2e 31 30 35 2e 33 36
Data Ascii: 154.16.105.36


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49717 | 104.26.13.205 | 443 | 3040 | C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:11:40 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-04-24 05:11:40 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Apr 2024 05:11:40 GMT
Content-Type: text/plain
Content-Length: 13
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8793980f5d7b102c-LAX
2024-04-24 05:11:40 UTC | 13 | IN | Data Raw: 31 35 34 2e 31 36 2e 31 30 35 2e 33 36
Data Ascii: 154.16.105.36


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 24, 2024 07:11:19.129461050 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8 | 220-business29.web-hosting.com ESMTP Exim 4.96.2 #2 Wed, 24 Apr 2024 01:11:19 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Apr 24, 2024 07:11:19.129673958 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199 | EHLO 724471
Apr 24, 2024 07:11:19.295943975 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8 | 250-business29.web-hosting.com Hello 724471 [154.16.105.36]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-STARTTLS
250 HELP
Apr 24, 2024 07:11:19.296149969 CEST | 49709 | 587 | 192.168.2.8 | 198.54.114.199 | STARTTLS
Apr 24, 2024 07:11:19.465219975 CEST | 587 | 49709 | 198.54.114.199 | 192.168.2.8 | 220 TLS go ahead
Apr 24, 2024 07:11:33.791553974 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8 | 220-business29.web-hosting.com ESMTP Exim 4.96.2 #2 Wed, 24 Apr 2024 01:11:33 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Apr 24, 2024 07:11:33.791987896 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199 | EHLO 724471
Apr 24, 2024 07:11:33.958271980 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8 | 250-business29.web-hosting.com Hello 724471 [154.16.105.36]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-STARTTLS
250 HELP
Apr 24, 2024 07:11:33.958501101 CEST | 49715 | 587 | 192.168.2.8 | 198.54.114.199 | STARTTLS
Apr 24, 2024 07:11:34.125446081 CEST | 587 | 49715 | 198.54.114.199 | 192.168.2.8 | 220 TLS go ahead
Apr 24, 2024 07:11:41.925139904 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8 | 220-business29.web-hosting.com ESMTP Exim 4.96.2 #2 Wed, 24 Apr 2024 01:11:41 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Apr 24, 2024 07:11:41.925328016 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199 | EHLO 724471
Apr 24, 2024 07:11:42.091413975 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8 | 250-business29.web-hosting.com Hello 724471 [154.16.105.36]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-STARTTLS
250 HELP
Apr 24, 2024 07:11:42.091598988 CEST | 49718 | 587 | 192.168.2.8 | 198.54.114.199 | STARTTLS
Apr 24, 2024 07:11:42.258861065 CEST | 587 | 49718 | 198.54.114.199 | 192.168.2.8 | 220 TLS go ahead
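
The DNS, HTTPS and SMTP tables above show the same sequence three times, once per process: a lookup of api.ipify.org and an HTTPS GET that returns the VM's public address (154.16.105.36), then a few seconds later an SMTP session on tcp/587 to business29.web-hosting.com that sends EHLO with a bare number (724471) and STARTTLS, after which the capture records nothing further. The detection below is an added example written for this page, not Joe Sandbox code: it replays events constructed from those tables and raises one alert per lookup-then-SMTP chain. The 60-second window, the port list, the bare-number EHLO heuristic and the control host 192.168.2.9 are assumptions, not values taken from the report.

```python
"""Correlate an external-IP lookup with a following SMTP submission from the
same internal host. Added example, not Joe Sandbox code. Events are built
from the DNS, HTTPS and SMTP tables above (timestamps truncated to
microseconds); the window, port list, EHLO heuristic and the control host
192.168.2.9 are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

IP_CHECK_HOSTS = {"api.ipify.org"}   # the only lookup service in the report
SUBMISSION_PORTS = {25, 465, 587}    # assumption: SMTP relay/submission ports


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str            # internal host that sent the packet
    dst: str            # remote peer
    dport: int
    proto: str          # "dns", "http" or "smtp"
    data: str           # DNS name, HTTP Host header, or SMTP client command
    response: str = ""  # HTTP response body, where one was captured


def T(hms: str) -> datetime:
    """CEST timestamp on the analysis date, from 'HH:MM:SS.ffffff'."""
    return datetime.strptime("2024-04-24 " + hms, "%Y-%m-%d %H:%M:%S.%f")


VM, IPIFY, MAIL = "192.168.2.8", "104.26.13.205", "198.54.114.199"

# Constructed from the tables above. The 192.168.2.9 rows are an invented
# control: a host that submits mail over tcp/587 without a preceding lookup.
EVENTS = [
    Event(T("07:11:14.517535"), VM, "1.1.1.1", 53, "dns", "api.ipify.org"),
    Event(T("07:11:15.000000"), VM, IPIFY, 443, "http", "api.ipify.org", "154.16.105.36"),
    Event(T("07:11:18.423459"), VM, "1.1.1.1", 53, "dns", "business29.web-hosting.com"),
    Event(T("07:11:19.129673"), VM, MAIL, 587, "smtp", "EHLO 724471"),
    Event(T("07:11:19.296149"), VM, MAIL, 587, "smtp", "STARTTLS"),
    Event(T("07:11:32.000000"), VM, IPIFY, 443, "http", "api.ipify.org", "154.16.105.36"),
    Event(T("07:11:33.791987"), VM, MAIL, 587, "smtp", "EHLO 724471"),
    Event(T("07:11:33.958501"), VM, MAIL, 587, "smtp", "STARTTLS"),
    Event(T("07:11:40.000000"), VM, IPIFY, 443, "http", "api.ipify.org", "154.16.105.36"),
    Event(T("07:11:41.925328"), VM, MAIL, 587, "smtp", "EHLO 724471"),
    Event(T("07:11:42.091598"), VM, MAIL, 587, "smtp", "STARTTLS"),
    Event(T("07:12:05.000000"), "192.168.2.9", "203.0.113.25", 587, "smtp", "EHLO mail.corp.example"),
    Event(T("07:12:05.200000"), "192.168.2.9", "203.0.113.25", 587, "smtp", "STARTTLS"),
]


def is_ip_check(e: Event) -> bool:
    return e.proto == "http" and e.data in IP_CHECK_HOSTS


def _chain_alert(host: str, lookup, smtp: list):
    """Turn one (lookup, following SMTP commands) chain into an alert, or None."""
    ehlo = next((s for s in smtp if s.data.upper().startswith(("EHLO ", "HELO "))), None)
    if lookup is None or ehlo is None:
        return None
    name = ehlo.data.split(maxsplit=1)[1]
    return {
        "host": host,
        "public_ip": lookup.response.strip(),
        "mail_server": ehlo.dst,
        "port": ehlo.dport,
        "ehlo_name": name,
        # heuristic: a real MUA/MTA announces a hostname, not a bare number
        "ehlo_is_bare_number": name.isdigit(),
        # after "220 TLS go ahead" the capture shows nothing more, so message
        # content has to come from the endpoint or a TLS-terminating proxy
        "starttls": any(s.data.upper() == "STARTTLS" for s in smtp),
        "seconds_after_lookup": round((ehlo.ts - lookup.ts).total_seconds(), 1),
    }


def find_exfil_chains(events, window=timedelta(seconds=60)):
    """One alert per IP-lookup -> SMTP chain, per source host, in time order.

    A chain opens at an external-IP lookup and collects that host's SMTP
    client commands until the window expires or the next lookup opens a new
    chain, so each of the three sessions above becomes its own alert."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.src].append(e)

    alerts = []
    for host, evs in by_host.items():
        lookup, smtp = None, []
        for e in evs:
            if is_ip_check(e):
                if (a := _chain_alert(host, lookup, smtp)):
                    alerts.append(a)
                lookup, smtp = e, []
            elif (lookup is not None and e.proto == "smtp"
                  and e.dport in SUBMISSION_PORTS and e.ts - lookup.ts <= window):
                smtp.append(e)
        if (a := _chain_alert(host, lookup, smtp)):
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_chains(EVENTS):
        print(alert)
```

Because STARTTLS succeeds in every session, neither the AUTH credentials nor the message body are in the network capture; the `starttls` flag is there so the analyst knows to recover them from the process memory dumps the Yara matches below point at, or from a proxy that terminates TLS, rather than from pcap.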


                                                          Target ID:0
                                                          Start time:07:11:11
                                                          Start date:24/04/2024
                                                          Path:C:\Users\user\Desktop\hesaphareketi_1.scr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\hesaphareketi_1.scr.exe"
                                                          Imagebase:0xfd0000
                                                          File size:375'296 bytes
                                                          MD5 hash:39C348D66F448C5DFD2CE92756A2AF10
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1396974953.00000000044F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:07:11:11
                                                          Start date:24/04/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\hesaphareketi_1.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
                                                          Imagebase:0x1f0000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true
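
Every PowerShell process in this list carries the same command line, shown with runs of '?' where the report could not render the characters sitting between the visible ones; read through them it is -ExecutionPolicy Bypass -command Copy-Item '<sample>' '<Startup folder>\.exe'. The example below is added for this page (it is not Joe Sandbox code) and assumes those unrendered characters are Unicode format or zero-width characters: it constructs such a command line itself, strips padding by Unicode category rather than by a fixed byte list, and then flags the indicators visible here. The 20 % padding threshold and the finding names are assumptions.

```python
"""Normalise a PowerShell command line padded with non-printing characters
and check it for the persistence pattern in the process list above. Added
example, not Joe Sandbox code. The report shows the padding as runs of '?';
this example assumes Unicode format (zero-width) characters and builds an
equivalent string itself. Threshold and finding names are assumptions."""
import re
import unicodedata

# Categories that render as nothing (or as '?'): format, control, private
# use, unassigned, line/paragraph separators. Plain ASCII space is kept.
STRIP_CATEGORIES = {"Cf", "Cc", "Co", "Cn", "Zl", "Zp"}
STARTUP_DIR = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
COPY_ITEM_RE = re.compile(r"Copy-Item\s+'([^']*)'\s+'([^']*)'", re.IGNORECASE)


def normalize(cmdline: str) -> tuple:
    """Return (cleaned command line, number of characters removed)."""
    kept = [ch for ch in cmdline
            if ch != "\ufffd"
            and unicodedata.category(ch) not in STRIP_CATEGORIES
            and not (unicodedata.category(ch) == "Zs" and ch != " ")]
    cleaned = "".join(kept)
    return cleaned, len(cmdline) - len(cleaned)


def assess(cmdline: str, pad_ratio: float = 0.2) -> dict:
    """Normalise, then flag the indicators seen in this report's PowerShell runs."""
    cleaned, removed = normalize(cmdline)
    findings = []
    # a command line that is mostly non-printing characters is suspicious on
    # its own, whatever the remaining text turns out to be
    if cmdline and removed / len(cmdline) >= pad_ratio:
        findings.append("padded_with_nonprinting_chars")
    if re.search(r"-ExecutionPolicy\s+Bypass", cleaned, re.IGNORECASE):
        findings.append("execution_policy_bypass")
    src = dst = None
    if (m := COPY_ITEM_RE.search(cleaned)):
        src, dst = m.groups()
        if STARTUP_DIR.lower() in dst.lower():
            findings.append("copy_to_startup_folder")
        name = dst.rsplit("\\", 1)[-1]
        if name.startswith(".") and "." not in name[1:]:   # ".exe": no stem at all
            findings.append("destination_basename_is_only_an_extension")
    return {"normalized": cleaned, "removed": removed,
            "source": src, "destination": dst, "findings": findings}


# --- constructed input, modelled on the command line above -------------------
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff"   # all Unicode category Cf


def pad(text: str, n: int = 10) -> str:
    """Prefix every character with n zero-width characters (the report shows
    roughly ten '?' per visible character)."""
    return "".join((ZERO_WIDTH * n)[:n] + ch for ch in text)


SAMPLE_SRC = r"C:\Users\user\Desktop\hesaphareketi_1.scr.exe"
SAMPLE_DST = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
SAMPLE_CMDLINE = ('"Powershell.exe" ' + pad("-ExecutionPolicy Bypass -command Copy-Item")
                  + f" '{SAMPLE_SRC}' '{SAMPLE_DST}'")

if __name__ == "__main__":
    result = assess(SAMPLE_CMDLINE)
    print(result["normalized"])
    print(result["findings"])
```

Filtering on Unicode category catches any format or control character an attacker might choose, not just the handful in `ZERO_WIDTH`; if the padding were made of look-alike letters instead, nothing would be stripped and the pattern matches would fail, which is why a high count of stripped characters is reported as its own finding rather than only as a step towards the Copy-Item check.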

                                                          Target ID:3
                                                          Start time:07:11:11
                                                          Start date:24/04/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:07:11:12
                                                          Start date:24/04/2024
                                                          Path:C:\Users\user\Desktop\hesaphareketi_1.scr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\hesaphareketi_1.scr.exe"
                                                          Imagebase:0xf60000
                                                          File size:375'296 bytes
                                                          MD5 hash:39C348D66F448C5DFD2CE92756A2AF10
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2641024996.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2641024996.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2641024996.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2641024996.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:false

                                                          Target ID:5
                                                          Start time:07:11:12
                                                          Start date:24/04/2024
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                          Imagebase:0x7ff67e6d0000
                                                          File size:55'320 bytes
                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:6
                                                          Start time:07:11:26
                                                          Start date:24/04/2024
                                                          Path:C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                                                          Imagebase:0xc80000
                                                          File size:375'296 bytes
                                                          MD5 hash:39C348D66F448C5DFD2CE92756A2AF10
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 53%, ReversingLabs
                                                          • Detection: 39%, Virustotal, Browse
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:07:11:28
                                                          Start date:24/04/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
                                                          Imagebase:0x1f0000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:07:11:28
                                                          Start date:24/04/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:07:11:29
                                                          Start date:24/04/2024
                                                          Path:C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                                                          Imagebase:0x80000
                                                          File size:375'296 bytes
                                                          MD5 hash:39C348D66F448C5DFD2CE92756A2AF10
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:07:11:29
                                                          Start date:24/04/2024
                                                          Path:C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                                                          Imagebase:0xd60000
                                                          File size:375'296 bytes
                                                          MD5 hash:39C348D66F448C5DFD2CE92756A2AF10
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1662306646.000000000319C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1662306646.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1662306646.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1662306646.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1650972746.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:07:11:36
                                                          Start date:24/04/2024
                                                          Path:C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                                                          Imagebase:0x600000
                                                          File size:375'296 bytes
                                                          MD5 hash:39C348D66F448C5DFD2CE92756A2AF10
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:15
                                                          Start time:07:11:37
                                                          Start date:24/04/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
                                                          Imagebase:0x1f0000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:16
                                                          Start time:07:11:37
                                                          Start date:24/04/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:07:11:38
                                                          Start date:24/04/2024
                                                          Path:C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                                                          Imagebase:0x1b0000
                                                          File size:375'296 bytes
                                                          MD5 hash:39C348D66F448C5DFD2CE92756A2AF10
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:18
                                                          Start time:07:11:38
                                                          Start date:24/04/2024
                                                          Path:C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                                                          Imagebase:0xb0000
                                                          File size:375'296 bytes
                                                          MD5 hash:39C348D66F448C5DFD2CE92756A2AF10
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:07:11:38
                                                          Start date:24/04/2024
                                                          Path:C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Roaming\cbsBVT\cbsBVT.exe"
                                                          Imagebase:0xd20000
                                                          File size:375'296 bytes
                                                          MD5 hash:39C348D66F448C5DFD2CE92756A2AF10
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2639565652.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2639565652.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2639565652.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2639565652.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:false

                                                            Execution Graph

                                                            Execution Coverage:10.6%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:112
                                                            Total number of Limit Nodes:9
                                                            execution_graph 26637 1a2c7c0 26638 1a2c806 GetCurrentProcess 26637->26638 26640 1a2c851 26638->26640 26641 1a2c858 GetCurrentThread 26638->26641 26640->26641 26642 1a2c895 GetCurrentProcess 26641->26642 26643 1a2c88e 26641->26643 26644 1a2c8cb 26642->26644 26643->26642 26645 1a2c8f3 GetCurrentThreadId 26644->26645 26646 1a2c924 26645->26646 26711 1a2a430 26712 1a2a43f 26711->26712 26714 1a2a528 26711->26714 26715 1a2a539 26714->26715 26716 1a2a55c 26714->26716 26715->26716 26722 1a2a7b2 26715->26722 26726 1a2a7c0 26715->26726 26716->26712 26717 1a2a554 26717->26716 26718 1a2a760 GetModuleHandleW 26717->26718 26719 1a2a78d 26718->26719 26719->26712 26723 1a2a7d4 26722->26723 26725 1a2a7f9 26723->26725 26730 1a298b0 26723->26730 26725->26717 26727 1a2a7d4 26726->26727 26728 1a298b0 LoadLibraryExW 26727->26728 26729 1a2a7f9 26727->26729 26728->26729 26729->26717 26731 1a2a9a0 LoadLibraryExW 26730->26731 26733 1a2aa19 26731->26733 26733->26725 26734 1a2ce10 DuplicateHandle 26735 1a2cea6 26734->26735 26647 1a24528 26648 1a2453a 26647->26648 26651 1a23cf4 26648->26651 26652 1a23cff 26651->26652 26655 1a240e8 26652->26655 26654 1a245d9 26656 1a240f3 26655->26656 26659 1a24204 26656->26659 26658 1a247fd 26658->26654 26660 1a2420f 26659->26660 26663 1a24234 26660->26663 26662 1a248da 26662->26658 26664 1a2423f 26663->26664 26667 1a24264 26664->26667 26666 1a249dc 26666->26662 26669 1a2426f 26667->26669 26668 1a27a19 26668->26666 26669->26668 26671 1a2c4ea 26669->26671 26672 1a2c519 26671->26672 26673 1a2c53d 26672->26673 26676 1a2c6a8 26672->26676 26680 1a2c699 26672->26680 26673->26668 26677 1a2c6b5 26676->26677 26679 1a2c6ef 26677->26679 26684 1a2b260 26677->26684 26679->26673 26682 1a2c6b5 26680->26682 26681 1a2c6ef 26681->26673 26682->26681 26683 1a2b260 2 API calls 26682->26683 26683->26681 26685 1a2b26b 26684->26685 26687 1a2d408 26685->26687 26688 1a2ca5c 26685->26688 26689 1a2ca67 26688->26689 26690 1a24264 2 API calls 26689->26690 26691 1a2d477 26690->26691 26695 1a2f208 26691->26695 26701 1a2f1f0 26691->26701 26692 1a2d4b1 26692->26687 26697 1a2f239 26695->26697 26698 1a2f33a 26695->26698 26696 1a2f245 26696->26692 26697->26696 26699 59d0006 CreateWindowExW CreateWindowExW 26697->26699 26700 59d0040 CreateWindowExW CreateWindowExW 26697->26700 26698->26692 26699->26698 26700->26698 26702 1a2f1ca 26701->26702 26703 1a2f1fa 26701->26703 26702->26692 26704 1a2f245 26703->26704 26705 59d0006 CreateWindowExW CreateWindowExW 26703->26705 26706 59d0040 CreateWindowExW CreateWindowExW 26703->26706 26704->26692 26705->26704 26706->26704 26736 59dd906 26738 59dd064 26736->26738 26737 59dd9af 26738->26737 26739 59dc7a8 Wow64SetThreadContext 26738->26739 26740 59dc7a0 Wow64SetThreadContext 26738->26740 26745 59dc938 WriteProcessMemory 26738->26745 26746 59dc940 WriteProcessMemory 26738->26746 26751 59dcbbc 26738->26751 26755 59dcbc8 26738->26755 26759 59dca28 26738->26759 26763 59dca30 26738->26763 26767 59dc880 26738->26767 26771 59dc878 26738->26771 26775 59dc6f8 26738->26775 26779 59dc6f0 26738->26779 26739->26738 26740->26738 26745->26738 26746->26738 26752 59dcc51 CreateProcessA 26751->26752 26754 59dce13 26752->26754 26756 59dcc51 CreateProcessA 26755->26756 26758 59dce13 26756->26758 26760 59dca17 26759->26760 26760->26759 26761 59dca8e ReadProcessMemory 26760->26761 26762 59dcabf 26761->26762 26762->26738 26764 59dca7b ReadProcessMemory 26763->26764 26766 59dcabf 26764->26766 26766->26738 26768 59dc8c0 VirtualAllocEx 26767->26768 26770 59dc8fd 26768->26770 26770->26738 26772 59dc8c0 VirtualAllocEx 26771->26772 26774 59dc8fd 26772->26774 26774->26738 26776 59dc738 ResumeThread 26775->26776 26778 59dc769 26776->26778 26778->26738 26780 59dc738 ResumeThread 26779->26780 26782 59dc769 26780->26782 26782->26738 26707 59d36d0 26708 59d3712 26707->26708 26710 59d3719 26707->26710 26709 59d376a CallWindowProcW 26708->26709 26708->26710 26709->26710
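
The execution graph above is a serialized node/edge dump. Read as a graph, the cluster rooted at 59dd906 reaches, through 59dd064, the stubs for CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, which is the Win32 call set a process-hollowing (RunPE) loader needs: create a suspended child, read and replace its image, point the thread context at the new entry, resume. The script below is an added example, not Joe Sandbox code: it parses the dump's token format (inferred from the text above, with the assumption that addresses are 6-8 hex digits and node ids shorter decimals), walks each cluster from its root, and flags clusters whose reachable calls cover that hollowing set. The embedded graph text is an excerpt of the dump above, re-joined and trimmed to three clusters so the script runs offline.

```python
"""Parse the serialized execution_graph dump of a Joe Sandbox report and flag
clusters whose reachable Win32 calls form a process-hollowing sequence.

Added example, not code from Joe Security. The token grammar (node =
"<id> <hex addr> [label words]", edge = "<id>-><id>") is inferred from the
dump above; treating 6-8 hex-digit tokens as addresses and shorter decimals as
node ids is an assumption that holds for this dump."""
import re
from collections import defaultdict

# Excerpt of the execution_graph text above, re-joined and trimmed to three
# clusters (one benign, one with a "2 API calls" label, one hollowing cluster).
GRAPH_TEXT = (
    "execution_graph "
    "26637 1a2c7c0 26638 1a2c806 GetCurrentProcess 26637->26638 26640 1a2c851 "
    "26638->26640 26641 1a2c858 GetCurrentThread 26638->26641 26640->26641 "
    "26642 1a2c895 GetCurrentProcess 26641->26642 26643 1a2c88e 26641->26643 "
    "26644 1a2c8cb 26642->26644 26643->26642 26645 1a2c8f3 GetCurrentThreadId "
    "26644->26645 26646 1a2c924 26645->26646 "
    "26682 1a2c6b5 26683 1a2b260 2 API calls 26682->26683 "
    "26736 59dd906 26738 59dd064 26736->26738 26737 59dd9af 26738->26737 "
    "26739 59dc7a8 Wow64SetThreadContext 26738->26739 "
    "26745 59dc938 WriteProcessMemory 26738->26745 26751 59dcbbc 26738->26751 "
    "26759 59dca28 26738->26759 26767 59dc880 26738->26767 26775 59dc6f8 26738->26775 "
    "26739->26738 26745->26738 26752 59dcc51 CreateProcessA 26751->26752 "
    "26754 59dce13 26752->26754 26760 59dca17 26759->26760 26760->26759 "
    "26761 59dca8e ReadProcessMemory 26760->26761 26762 59dcabf 26761->26762 "
    "26762->26738 26768 59dc8c0 VirtualAllocEx 26767->26768 26770 59dc8fd "
    "26768->26770 26770->26738 26776 59dc738 ResumeThread 26775->26776 "
    "26778 59dc769 26776->26778 26778->26738"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{6,8}$")                      # assumption: see module docstring
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")  # CamelCase export such as VirtualAllocEx

# Calls that together make up the hollowing sequence; one of the thread-context
# setters must also be present.
HOLLOWING_CORE = {"CreateProcessA", "VirtualAllocEx", "WriteProcessMemory", "ResumeThread"}
THREAD_CONTEXT = {"SetThreadContext", "Wow64SetThreadContext"}


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {'addr', 'label'}, edges maps id -> successor ids."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, defaultdict(list), None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges[edge.group(1)].append(edge.group(2))
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok                                   # "<id> <addr>" starts a node
            nodes[current] = {"addr": tokens[i + 1], "label": []}
            i += 1
        elif current is not None:
            nodes[current]["label"].append(tok)             # "GetCurrentProcess", "2 API calls", ...
        i += 1
    for node in nodes.values():
        node["label"] = " ".join(node["label"])
    return nodes, dict(edges)


def graph_roots(nodes, edges):
    """Entry node of each cluster: a declared node that no edge points at."""
    targets = {dst for succs in edges.values() for dst in succs}
    return [node for node in nodes if node not in targets]


def reachable_apis(root, nodes, edges):
    """API names on nodes reachable from root, in depth-first visit order.
    The dump contains back-edges (e.g. 26739->26738), so visited nodes are tracked."""
    seen, apis, stack = set(), [], [root]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        apis.extend(w for w in nodes.get(node, {"label": ""})["label"].split() if API_RE.match(w))
        stack.extend(reversed(edges.get(node, [])))      # keep declaration order on the stack
    return apis


def find_hollowing_clusters(text):
    """[(root address, sorted API names)] for every cluster covering HOLLOWING_CORE
    plus a thread-context setter."""
    nodes, edges = parse_execution_graph(text)
    hits = []
    for root in graph_roots(nodes, edges):
        apis = set(reachable_apis(root, nodes, edges))
        if HOLLOWING_CORE <= apis and apis & THREAD_CONTEXT:
            hits.append((nodes[root]["addr"], sorted(apis)))
    return hits


if __name__ == "__main__":
    for addr, apis in find_hollowing_clusters(GRAPH_TEXT):
        print(f"hollowing-like cluster rooted at 0x{addr}: {', '.join(apis)}")
```

Walking the 1a2c7c0 cluster with reachable_apis gives GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId, the same list the report prints under APIs for that function entry further down, which is a quick check that the parser reads the dump the way the report's own renderer does. The root-based walk matters because the dump is not a tree: several stubs (26739, 26745, 26762 and others) edge back to 59dd064, so a naive recursion would never terminate.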

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 44 59dcf50-59dcf81 45 59dcf88-59dd05f 44->45 46 59dcf83 44->46 47 59dd992-59dd9a9 45->47 46->45 48 59dd9af-59dd9b6 47->48 49 59dd064-59dd0d5 47->49 53 59dd0e0-59dd122 49->53 157 59dd125 call 59dcbbc 53->157 158 59dd125 call 59dcbc8 53->158 54 59dd127-59dd14e 55 59dd177-59dd1e3 54->55 56 59dd150-59dd16c 54->56 62 59dd1ea-59dd216 55->62 63 59dd1e5 55->63 56->55 65 59dd27f-59dd2ba 62->65 66 59dd218-59dd22e 62->66 63->62 71 59dd2bc-59dd2d7 65->71 72 59dd2e2 65->72 153 59dd231 call 59dc7a8 66->153 154 59dd231 call 59dc7a0 66->154 67 59dd233-59dd253 69 59dd27b-59dd27d 67->69 70 59dd255-59dd270 67->70 73 59dd2e3-59dd2ed 69->73 70->69 71->72 72->73 75 59dd2ef 73->75 76 59dd2f4-59dd31f 73->76 75->76 167 59dd322 call 59dca28 76->167 168 59dd322 call 59dca30 76->168 80 59dd324-59dd344 81 59dd36c-59dd385 80->81 82 59dd346-59dd361 80->82 83 59dd387-59dd3bb 81->83 84 59dd3e3-59dd40a 81->84 82->81 83->84 88 59dd3bd-59dd3d8 83->88 90 59dd416-59dd443 84->90 88->84 159 59dd446 call 59dc878 90->159 160 59dd446 call 59dc880 90->160 92 59dd448-59dd46e 93 59dd496-59dd4b2 92->93 94 59dd470-59dd48b 92->94 165 59dd4b5 call 59dc938 93->165 166 59dd4b5 call 59dc940 93->166 94->93 97 59dd4b7-59dd4d7 98 59dd4ff-59dd538 97->98 99 59dd4d9-59dd4f4 97->99 103 59dd6a9-59dd6c8 98->103 99->98 104 59dd53d-59dd56d 103->104 105 59dd6ce 103->105 109 59dd69e-59dd6a3 104->109 110 59dd573-59dd57a 104->110 108 59dd6d7-59dd708 105->108 161 59dd70b call 59dc938 108->161 162 59dd70b call 59dc940 108->162 109->103 114 59dd583-59dd58f 110->114 111 59dd70d-59dd72d 112 59dd72f-59dd74a 111->112 113 59dd755-59dd789 111->113 112->113 118 59dd78b-59dd78e 113->118 119 59dd791-59dd7a4 113->119 117 59dd599-59dd612 114->117 128 59dd61b-59dd650 117->128 118->119 121 59dd7ab-59dd7d6 119->121 122 59dd7a6 119->122 126 59dd83f-59dd87a 121->126 127 59dd7d8-59dd7ee 121->127 122->121 134 59dd87c-59dd897 126->134 135 59dd8a2 126->135 155 59dd7f1 call 59dc7a8 127->155 156 59dd7f1 call 59dc7a0 127->156 163 59dd653 call 59dc938 128->163 164 59dd653 call 59dc940 128->164 129 59dd7f3-59dd813 132 59dd83b-59dd83d 129->132 133 59dd815-59dd830 129->133 131 59dd655-59dd675 136 59dd69d 131->136 137 59dd677-59dd692 131->137 138 59dd8a3-59dd8b2 132->138 133->132 134->135 135->138 136->109 137->136 151 59dd8b5 call 59dc6f8 138->151 152 59dd8b5 call 59dc6f0 138->152 142 59dd8b7-59dd8d7 145 59dd8ff-59dd98d 142->145 146 59dd8d9-59dd8f4 142->146 145->47 145->48 146->145 151->142 152->142 153->67 154->67 155->129 156->129 157->54 158->54 159->92 160->92 161->111 162->111 163->131 164->131 165->97 166->97 167->80 168->80
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (
                                                            • API String ID: 0-3887548279
                                                            • Opcode ID: 342cbe5c5214b0261ac7120ade7b85711ffcd6fcee85c652f4627d8ac13b2bcd
                                                            • Instruction ID: c784e8bb64db61c380d41a69b7b2e822541c99a7b4083231121d5ecf6a372e65
                                                            • Opcode Fuzzy Hash: 342cbe5c5214b0261ac7120ade7b85711ffcd6fcee85c652f4627d8ac13b2bcd
                                                            • Instruction Fuzzy Hash: 5652BE75E012298FDB68DF65C894BDDBBB6BB89300F1081E9D40DA7290DB356E85CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e081609c220e5a787c2a3297efd9f0b673c85039299d7b145e1fd46ca9453f4f
                                                            • Instruction ID: 8e6fb5c69d39fce0cb07669d6226c62bf78cd45be5d01fa45f68a057ea4b6015
                                                            • Opcode Fuzzy Hash: e081609c220e5a787c2a3297efd9f0b673c85039299d7b145e1fd46ca9453f4f
                                                            • Instruction Fuzzy Hash: DB626035A042159FDB18DFA8C984AADB7B6FF88710F15C169E806DB361DB35EC41CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 01A2C83E
                                                            • GetCurrentThread.KERNEL32 ref: 01A2C87B
                                                            • GetCurrentProcess.KERNEL32 ref: 01A2C8B8
                                                            • GetCurrentThreadId.KERNEL32 ref: 01A2C911
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395972591.0000000001A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a20000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 58616ec05ab4978d329b197977ed995775a77656c864300af188af8236c3f6d1
                                                            • Instruction ID: 4f37ebe8253744380861c539ce96197e805d3df838ce1f67e1e6d0e3e5fa97ab
                                                            • Opcode Fuzzy Hash: 58616ec05ab4978d329b197977ed995775a77656c864300af188af8236c3f6d1
                                                            • Instruction Fuzzy Hash: 4D5165B090134A8FDB54DFA9D948BAEBBF1FF88324F208059D409AB3A0DB745944CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 01A2C83E
                                                            • GetCurrentThread.KERNEL32 ref: 01A2C87B
                                                            • GetCurrentProcess.KERNEL32 ref: 01A2C8B8
                                                            • GetCurrentThreadId.KERNEL32 ref: 01A2C911
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395972591.0000000001A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a20000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: ef49ec2b715b2adcb4a85e8272eb4d7de597707ed737f8c26ec094950498b523
                                                            • Instruction ID: e633f6bb811fdeddccc41f45a7ed0b078a11f917251ec9f9d4f9400e875eb8f5
                                                            • Opcode Fuzzy Hash: ef49ec2b715b2adcb4a85e8272eb4d7de597707ed737f8c26ec094950498b523
                                                            • Instruction Fuzzy Hash: DB5156B090034A8FEB14DFAAD548BAEBBF1FF88324F208459D419A73A4DB745944CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 169 59dcbbc-59dcc5d 171 59dcc5f-59dcc69 169->171 172 59dcc96-59dccb6 169->172 171->172 173 59dcc6b-59dcc6d 171->173 179 59dccef-59dcd1e 172->179 180 59dccb8-59dccc2 172->180 174 59dcc6f-59dcc79 173->174 175 59dcc90-59dcc93 173->175 177 59dcc7d-59dcc8c 174->177 178 59dcc7b 174->178 175->172 177->177 181 59dcc8e 177->181 178->177 186 59dcd57-59dce11 CreateProcessA 179->186 187 59dcd20-59dcd2a 179->187 180->179 182 59dccc4-59dccc6 180->182 181->175 184 59dcce9-59dccec 182->184 185 59dccc8-59dccd2 182->185 184->179 188 59dccd4 185->188 189 59dccd6-59dcce5 185->189 200 59dce1a-59dcea0 186->200 201 59dce13-59dce19 186->201 187->186 190 59dcd2c-59dcd2e 187->190 188->189 189->189 191 59dcce7 189->191 192 59dcd51-59dcd54 190->192 193 59dcd30-59dcd3a 190->193 191->184 192->186 195 59dcd3c 193->195 196 59dcd3e-59dcd4d 193->196 195->196 196->196 197 59dcd4f 196->197 197->192 211 59dceb0-59dceb4 200->211 212 59dcea2-59dcea6 200->212 201->200 213 59dcec4-59dcec8 211->213 214 59dceb6-59dceba 211->214 212->211 215 59dcea8 212->215 217 59dced8-59dcedc 213->217 218 59dceca-59dcece 213->218 214->213 216 59dcebc 214->216 215->211 216->213 220 59dceee-59dcef5 217->220 221 59dcede-59dcee4 217->221 218->217 219 59dced0 218->219 219->217 222 59dcf0c 220->222 223 59dcef7-59dcf06 220->223 221->220 224 59dcf0d 222->224 223->222 224->224
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 059DCDFE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: c188ab16a493b7440ce1ef8ac671395be47ebf1e653344cd424d8d0125e95685
                                                            • Instruction ID: a04955a9227a639117080099378501e4a8be82b71be1f5004f396ece633491eb
                                                            • Opcode Fuzzy Hash: c188ab16a493b7440ce1ef8ac671395be47ebf1e653344cd424d8d0125e95685
                                                            • Instruction Fuzzy Hash: EA913971D0061A9FEB10DFA8C845BEDFBB6BF48310F148569E809A7280DB759D85CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 226 59dcbc8-59dcc5d 228 59dcc5f-59dcc69 226->228 229 59dcc96-59dccb6 226->229 228->229 230 59dcc6b-59dcc6d 228->230 236 59dccef-59dcd1e 229->236 237 59dccb8-59dccc2 229->237 231 59dcc6f-59dcc79 230->231 232 59dcc90-59dcc93 230->232 234 59dcc7d-59dcc8c 231->234 235 59dcc7b 231->235 232->229 234->234 238 59dcc8e 234->238 235->234 243 59dcd57-59dce11 CreateProcessA 236->243 244 59dcd20-59dcd2a 236->244 237->236 239 59dccc4-59dccc6 237->239 238->232 241 59dcce9-59dccec 239->241 242 59dccc8-59dccd2 239->242 241->236 245 59dccd4 242->245 246 59dccd6-59dcce5 242->246 257 59dce1a-59dcea0 243->257 258 59dce13-59dce19 243->258 244->243 247 59dcd2c-59dcd2e 244->247 245->246 246->246 248 59dcce7 246->248 249 59dcd51-59dcd54 247->249 250 59dcd30-59dcd3a 247->250 248->241 249->243 252 59dcd3c 250->252 253 59dcd3e-59dcd4d 250->253 252->253 253->253 254 59dcd4f 253->254 254->249 268 59dceb0-59dceb4 257->268 269 59dcea2-59dcea6 257->269 258->257 270 59dcec4-59dcec8 268->270 271 59dceb6-59dceba 268->271 269->268 272 59dcea8 269->272 274 59dced8-59dcedc 270->274 275 59dceca-59dcece 270->275 271->270 273 59dcebc 271->273 272->268 273->270 277 59dceee-59dcef5 274->277 278 59dcede-59dcee4 274->278 275->274 276 59dced0 275->276 276->274 279 59dcf0c 277->279 280 59dcef7-59dcf06 277->280 278->277 281 59dcf0d 279->281 280->279 281->281
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 059DCDFE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 69e5e7afc71005dee0127c9804e3acc85189a59ac2be519f10c4ad62e9bca2fe
                                                            • Instruction ID: 54ff800e00b96909e951b35140d5334f23f6274767f7c36149843bbd501bb8e0
                                                            • Opcode Fuzzy Hash: 69e5e7afc71005dee0127c9804e3acc85189a59ac2be519f10c4ad62e9bca2fe
                                                            • Instruction Fuzzy Hash: DA914A71D0061A9FEB10DF68C841BEEFBB6BF48310F148569E809A7280DB759D85CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 283 1a2a528-1a2a537 284 1a2a563-1a2a567 283->284 285 1a2a539-1a2a546 call 1a287e4 283->285 286 1a2a57b-1a2a5bc 284->286 287 1a2a569-1a2a573 284->287 292 1a2a548 285->292 293 1a2a55c 285->293 294 1a2a5c9-1a2a5d7 286->294 295 1a2a5be-1a2a5c6 286->295 287->286 338 1a2a54e call 1a2a7b2 292->338 339 1a2a54e call 1a2a7c0 292->339 293->284 296 1a2a5fb-1a2a5fd 294->296 297 1a2a5d9-1a2a5de 294->297 295->294 300 1a2a600-1a2a607 296->300 301 1a2a5e0-1a2a5e7 call 1a29854 297->301 302 1a2a5e9 297->302 298 1a2a554-1a2a556 298->293 299 1a2a698-1a2a758 298->299 333 1a2a760-1a2a78b GetModuleHandleW 299->333 334 1a2a75a-1a2a75d 299->334 304 1a2a614-1a2a61b 300->304 305 1a2a609-1a2a611 300->305 303 1a2a5eb-1a2a5f9 301->303 302->303 303->300 307 1a2a628-1a2a631 call 1a29864 304->307 308 1a2a61d-1a2a625 304->308 305->304 314 1a2a633-1a2a63b 307->314 315 1a2a63e-1a2a643 307->315 308->307 314->315 316 1a2a661-1a2a66e 315->316 317 1a2a645-1a2a64c 315->317 323 1a2a670-1a2a68e 316->323 324 1a2a691-1a2a697 316->324 317->316 319 1a2a64e-1a2a65e call 1a29874 call 1a29884 317->319 319->316 323->324 335 1a2a794-1a2a7a8 333->335 336 1a2a78d-1a2a793 333->336 334->333 336->335 338->298 339->298
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01A2A77E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395972591.0000000001A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a20000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 9b37139bc945e01568299359c05791f5b12406eb20eccc50a63d282d39bb8dcb
                                                            • Instruction ID: bf160f4ae7d84aa5c5c73b23aa16f436de72023241d008d06e2eb8a6bbd64087
                                                            • Opcode Fuzzy Hash: 9b37139bc945e01568299359c05791f5b12406eb20eccc50a63d282d39bb8dcb
                                                            • Instruction Fuzzy Hash: 37712370A00B158FEB25DF2ED54475ABBF1BF88604F008A2DD48ADBA50DB75E849CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 340 59d0f64-59d0fd6 341 59d0fd8-59d0fde 340->341 342 59d0fe1-59d0fe8 340->342 341->342 343 59d0fea-59d0ff0 342->343 344 59d0ff3-59d1092 CreateWindowExW 342->344 343->344 346 59d109b-59d10d3 344->346 347 59d1094-59d109a 344->347 351 59d10d5-59d10d8 346->351 352 59d10e0 346->352 347->346 351->352 353 59d10e1 352->353 353->353
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059D1082
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 4dd72cdfbff53d3883dcfc19b71d2bddef4c75091d71278e7a28933fd0421963
                                                            • Instruction ID: 9c04341710d2605f40fc60ee7ebdc10f02cb4cf6df15659affc75aff33189ed3
                                                            • Opcode Fuzzy Hash: 4dd72cdfbff53d3883dcfc19b71d2bddef4c75091d71278e7a28933fd0421963
                                                            • Instruction Fuzzy Hash: C251BEB1D10349DFDB14CF9AC884ADEFBB6BF88310F24812AE819AB250D7719945CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 354 59d0f70-59d0fd6 355 59d0fd8-59d0fde 354->355 356 59d0fe1-59d0fe8 354->356 355->356 357 59d0fea-59d0ff0 356->357 358 59d0ff3-59d1092 CreateWindowExW 356->358 357->358 360 59d109b-59d10d3 358->360 361 59d1094-59d109a 358->361 365 59d10d5-59d10d8 360->365 366 59d10e0 360->366 361->360 365->366 367 59d10e1 366->367 367->367
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059D1082
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: f468ab46c8ec5866a11b4f8d9f761bb625aad334d01c9c10da179c2287aae657
                                                            • Instruction ID: 414a30398d9eb043f11222d8d89ea83ee324cd998ce5444a9482538873718792
                                                            • Opcode Fuzzy Hash: f468ab46c8ec5866a11b4f8d9f761bb625aad334d01c9c10da179c2287aae657
                                                            • Instruction Fuzzy Hash: 17419FB1D00349DFDB14DF9AC884ADEFBB5BF88310F64812AE819AB250D7759945CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 368 59dca28-59dca2c 369 59dca2e-59dca41 368->369 370 59dca4b-59dca4e 368->370 371 59dca45-59dca48 369->371 372 59dca4f-59dca52 370->372 373 59dca17-59dca27 370->373 371->370 372->371 374 59dca54-59dca87 372->374 373->368 378 59dca8e-59dcabd ReadProcessMemory 374->378 379 59dcabf-59dcac5 378->379 380 59dcac6-59dcaf6 378->380 379->380
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 059DCAB0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: fa0ca36fc38ef4d31672037cc933746744cf88c9c93869e96f62d6b3fe8dd831
                                                            • Instruction ID: 83494c0bd815b489ff7dbe2e3ba2299484ec8d153650a1c408e0defedce52180
                                                            • Opcode Fuzzy Hash: fa0ca36fc38ef4d31672037cc933746744cf88c9c93869e96f62d6b3fe8dd831
                                                            • Instruction Fuzzy Hash: 3031BC75C013899FCB11DFA9C884BEEBFB5FF49310F14845AE5A5A7251C7388905CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 384 59d36d0-59d370c 385 59d37bc-59d37dc 384->385 386 59d3712-59d3717 384->386 392 59d37df-59d37ec 385->392 387 59d3719-59d3750 386->387 388 59d376a-59d37a2 CallWindowProcW 386->388 394 59d3759-59d3768 387->394 395 59d3752-59d3758 387->395 390 59d37ab-59d37ba 388->390 391 59d37a4-59d37aa 388->391 390->392 391->390 394->392 395->394
                                                            APIs
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 059D3791
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: CallProcWindow
                                                            • String ID:
                                                            • API String ID: 2714655100-0
                                                            • Opcode ID: 895e6a563751e289424812d07ce23c6469ba6495eff8be649339977a739683a3
                                                            • Instruction ID: 1015d4ae906447da6c133fab4678cff86a6ccc2891b4d4bfae7c25b3d174855c
                                                            • Opcode Fuzzy Hash: 895e6a563751e289424812d07ce23c6469ba6495eff8be649339977a739683a3
                                                            • Instruction Fuzzy Hash: AC411AB9900709CFCB54CF99C448AAAFBF5FB88314F24C859D519AB321D774A841CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 398 59dc938-59dc98e 400 59dc99e-59dc9dd WriteProcessMemory 398->400 401 59dc990-59dc99c 398->401 403 59dc9df-59dc9e5 400->403 404 59dc9e6-59dca16 400->404 401->400 403->404
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 059DC9D0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 65a95991c02eebc7e813ed85f84d95904966923c945710a3bb750e8668227412
                                                            • Instruction ID: b3191651757758bf1600ad1d2de6feb30a4247f76dd684019bcd708cb0fed9d3
                                                            • Opcode Fuzzy Hash: 65a95991c02eebc7e813ed85f84d95904966923c945710a3bb750e8668227412
                                                            • Instruction Fuzzy Hash: 302124B59003499FDB10DFAAC885BDEBBF5FF88310F10842AE959A7240C7799954CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 408 59dc940-59dc98e 410 59dc99e-59dc9dd WriteProcessMemory 408->410 411 59dc990-59dc99c 408->411 413 59dc9df-59dc9e5 410->413 414 59dc9e6-59dca16 410->414 411->410 413->414
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 059DC9D0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 20d1ad80c14b9dd4d64819374286a9c4c60718354db0821f9b18a01a7addba82
                                                            • Instruction ID: 7631acc6082bf71f5e87fafc0d34f74c65820866689a138f0b8f3747a29c2d9b
                                                            • Opcode Fuzzy Hash: 20d1ad80c14b9dd4d64819374286a9c4c60718354db0821f9b18a01a7addba82
                                                            • Instruction Fuzzy Hash: 8321257190034D9FDB10DFAAC881BDEBBF5FF88310F10842AE959A7240C7789954CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 418 59dc7a0-59dc7f3 420 59dc7f5-59dc801 418->420 421 59dc803-59dc833 Wow64SetThreadContext 418->421 420->421 423 59dc83c-59dc86c 421->423 424 59dc835-59dc83b 421->424 424->423
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 059DC826
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: de95ea02cfa1da501a5841584bdb8045e72f5e04e3a43bc90383eab4c9debae3
                                                            • Instruction ID: be5a2ecb5eb79750e43854a48b57c6b4e9f2fa4bfdc14284e059add39497859c
                                                            • Opcode Fuzzy Hash: de95ea02cfa1da501a5841584bdb8045e72f5e04e3a43bc90383eab4c9debae3
                                                            • Instruction Fuzzy Hash: 88213775D003098FDB14DFAAC485BEEBBF4AF88220F15842AD559A7241DB789945CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 428 59dc7a8-59dc7f3 430 59dc7f5-59dc801 428->430 431 59dc803-59dc833 Wow64SetThreadContext 428->431 430->431 433 59dc83c-59dc86c 431->433 434 59dc835-59dc83b 431->434 434->433
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 059DC826
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: b39c279a538f617ec849149e14cd4845e827212e6542e787427eb458b9a5b9cd
                                                            • Instruction ID: cdc3372158d2ac93e77462420641529b672d11420dfedf8e5117a1002b897e7a
                                                            • Opcode Fuzzy Hash: b39c279a538f617ec849149e14cd4845e827212e6542e787427eb458b9a5b9cd
                                                            • Instruction Fuzzy Hash: E0211571D003098FDB10DFAAC885BAEFBF4EF88320F54842AD559A7241CB789944CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 438 59dca30-59dcabd ReadProcessMemory 441 59dcabf-59dcac5 438->441 442 59dcac6-59dcaf6 438->442 441->442
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 059DCAB0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 456a01ff3c93ff9355874aed8b79881d4810d20c4160b8ae453bf97df1b06d29
                                                            • Instruction ID: 7534dec3a73583eb8ae22459e776d84f5c2835c4a440d39ed8dafec2aacc478e
                                                            • Opcode Fuzzy Hash: 456a01ff3c93ff9355874aed8b79881d4810d20c4160b8ae453bf97df1b06d29
                                                            • Instruction Fuzzy Hash: 4121F5718003499FDB10DFAAC881BEEFBF5FF88310F54842AE959A7240D7799944DBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01A2CE97
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395972591.0000000001A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a20000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: be6216920fbe2330e61484e7aafdc8c05be8a18bc7a2ff0402323003d999d4ac
                                                            • Instruction ID: 28c18495f327b91c1f08d9d6e8b1565f7e08836a71eeedb0d633d0088b98c6d9
                                                            • Opcode Fuzzy Hash: be6216920fbe2330e61484e7aafdc8c05be8a18bc7a2ff0402323003d999d4ac
                                                            • Instruction Fuzzy Hash: 6321E3B5D002099FDB10CFAAD984ADEBBF5FB48320F14841AE918A3350D379A954CF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01A2CE97
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395972591.0000000001A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a20000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: b07daf36bcb69a0f5c9833278bab5bd11ac62f6c204de81e6f6f143a4b40ed4c
                                                            • Instruction ID: 3846eda89471166996009929bae58be8a08f2fd90963678e781c652a6f86e439
                                                            • Opcode Fuzzy Hash: b07daf36bcb69a0f5c9833278bab5bd11ac62f6c204de81e6f6f143a4b40ed4c
                                                            • Instruction Fuzzy Hash: 8B21E6B59002099FDB10CF9AD884ADEBBF4FB48320F14841AE914A3350C374A940CF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A2A7F9,00000800,00000000,00000000), ref: 01A2AA0A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395972591.0000000001A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a20000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: a2780bb2db538058937d0be1d058e63073c0fe40dc4c615d1f878aff5f900c6b
                                                            • Instruction ID: d87d6694cf3f62314c91a74477d39e9b3f4ecc6a5007316b63e08ef71dbc0345
                                                            • Opcode Fuzzy Hash: a2780bb2db538058937d0be1d058e63073c0fe40dc4c615d1f878aff5f900c6b
                                                            • Instruction Fuzzy Hash: 9E1112B69003098FDB24CF9AC844BDEFBF4EB88310F14842EE519A7600C375A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A2A7F9,00000800,00000000,00000000), ref: 01A2AA0A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395972591.0000000001A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a20000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: b9236f41b150c42a3294e5b809055bd48dfddf8defa2ee469f801325c63c2bd7
                                                            • Instruction ID: f585be7c76370c95300c454e6d85afc86fc6bfef532ed7bb41e2a88865bc4aa3
                                                            • Opcode Fuzzy Hash: b9236f41b150c42a3294e5b809055bd48dfddf8defa2ee469f801325c63c2bd7
                                                            • Instruction Fuzzy Hash: 1611E2B69003098FDB14CFAAD985BDEFBF4EF88310F14841AD519A7610C379A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059DC8EE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: e114fc7417b778ac1686420512e7bae6d6c7b0ec4330666982cc41b98d8a2f54
                                                            • Instruction ID: 0b46ed9cc54c19a559453489e6e2433c2a2c39bab0ad45cecc68a39183f680a6
                                                            • Opcode Fuzzy Hash: e114fc7417b778ac1686420512e7bae6d6c7b0ec4330666982cc41b98d8a2f54
                                                            • Instruction Fuzzy Hash: B81167768003498FDF10DFA9C844BEEBBF5AF88320F148819E915A7250C7359914CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059DC8EE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 00c8adde5a9fefab4c92890fe62eb8245a9122966af62438d34081712c8411f0
                                                            • Instruction ID: e21e7318b90a2a68a214fe84d9e2f19a7bf1b1406c031a4b8e33ab21f8cca7e0
                                                            • Opcode Fuzzy Hash: 00c8adde5a9fefab4c92890fe62eb8245a9122966af62438d34081712c8411f0
                                                            • Instruction Fuzzy Hash: 741126719003499FDB10DFAAC844BDEBBF5EF88320F148419E515A7250C7759950CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: b1884201a5e42a43c4669d35fa44f94495b1611a19ddafbf710a87f9a118e805
                                                            • Instruction ID: 9ccffdf23ae92958afdef64867b9d75327b485a990f1448c3530d3b52d5ec135
                                                            • Opcode Fuzzy Hash: b1884201a5e42a43c4669d35fa44f94495b1611a19ddafbf710a87f9a118e805
                                                            • Instruction Fuzzy Hash: 2B116AB5C003098FDB10DFAAC8457DEFBF5AF88614F24881DD529A7640C739A944CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: b76224f4349e303899ea02dab60ee8f5a6c0f23df7e99808adad8a796f4509b8
                                                            • Instruction ID: cb84629643bce54dea2ac51732136a6f0c24eaf76b8ed85a3909633ab2b1d07d
                                                            • Opcode Fuzzy Hash: b76224f4349e303899ea02dab60ee8f5a6c0f23df7e99808adad8a796f4509b8
                                                            • Instruction Fuzzy Hash: D41136759003498FDB20DFAAC84579EFBF9EF88620F248419D519A7240CB79A944CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01A2A77E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395972591.0000000001A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a20000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 74541f1f10ad5476ca8bf4ac96296879be84284ac9d0112e2796c0b82cf0e807
                                                            • Instruction ID: b24dabd138b3c99e1778a03289630f4f1cef6ba81a5e03cb3b71719f1d1410c4
                                                            • Opcode Fuzzy Hash: 74541f1f10ad5476ca8bf4ac96296879be84284ac9d0112e2796c0b82cf0e807
                                                            • Instruction Fuzzy Hash: EB1110B5C0034A8FDB10CF9AC844BDEFBF5EB88620F10842AD429A7600C379A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395235247.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_156d000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bbe244e91e76bc09abc7c865ec5ae42585845c5df42d158cb667a5b0f3e26189
                                                            • Instruction ID: 7170932855f8ecdeb2af1491ad275e3934ac45bd9ddfc2fd056b55833ff14c74
                                                            • Opcode Fuzzy Hash: bbe244e91e76bc09abc7c865ec5ae42585845c5df42d158cb667a5b0f3e26189
                                                            • Instruction Fuzzy Hash: E0210271604300DFDB11DF44D8C0B2ABFB9FB94324F208969D9490F656C376D806CAE2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395601753.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_184d000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 873e6d6fdce0c1c5f79d7fe44eca39d70cf4c7c7a4547f7a41bcc114e33c282f
                                                            • Instruction ID: 48cc27218131b1fbc873b33fe0d1c7a26f990ea23bd8d2e64d0c27a61c919ae2
                                                            • Opcode Fuzzy Hash: 873e6d6fdce0c1c5f79d7fe44eca39d70cf4c7c7a4547f7a41bcc114e33c282f
                                                            • Instruction Fuzzy Hash: 15212275604308DFDB15DF94D8C4B16BB61FB94318F20C66DD80A8B386CB3AD507CA62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395235247.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_156d000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction ID: 2065bffe3f01105329462a39fd8c9a98e7591082b01c1347a22487f777687911
                                                            • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction Fuzzy Hash: 3211DF76604240CFCB12CF48D5C0B1ABF72FB94324F2486A9D9490B657C33AD456CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395601753.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_184d000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction ID: ff000c3e47e005b27c2f1437bda002f8abe7032edcad93c2b757d8367f135e44
                                                            • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction Fuzzy Hash: D911BE75504284CFCB16CF54D5C4B15BB62FB44314F24C6ADD8498B656C33AD50ACB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395972591.0000000001A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a20000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a3800d15e07396b712342bd0a47ac6ef67a0634c7725dfd174517ded8c786e43
                                                            • Instruction ID: bf2e7c09eaf338812c394df278facc0358f3021c3d9702b5cb5733ad5093696f
                                                            • Opcode Fuzzy Hash: a3800d15e07396b712342bd0a47ac6ef67a0634c7725dfd174517ded8c786e43
                                                            • Instruction Fuzzy Hash: B31281BBC197468BE730CF65E94C1993BB1BB81328B904309D2612F2E9DBB8155BCF44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395972591.0000000001A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a20000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eade0eef8d1caa6221c2f65419ec14337a44a26409ffa743016a27af0c4e114c
                                                            • Instruction ID: c2c512d683f5cd217e9dcad492ae75eb43b311af133780c106ce9c6908623f44
                                                            • Opcode Fuzzy Hash: eade0eef8d1caa6221c2f65419ec14337a44a26409ffa743016a27af0c4e114c
                                                            • Instruction Fuzzy Hash: B9A18136F002258FCF15DFB8C94099EBBB2FF85300B15856AE905AB265DB31E946CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1395972591.0000000001A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a20000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2a222ae145d9b360b596fd673165def0eb2a1a4fea95629e5913db2a34882466
                                                            • Instruction ID: 7cd8db8813340c6cedbf1dd289f80b9f0384fcb86442b484a7745bbb78d25975
                                                            • Opcode Fuzzy Hash: 2a222ae145d9b360b596fd673165def0eb2a1a4fea95629e5913db2a34882466
                                                            • Instruction Fuzzy Hash: 81C1E7BAC19746CFE720CF65E84C1997BB1BB85324F514309D2612B2E9DBB8245BCF44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1400258017.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_59d0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c48968e9deac68b22034f238b13f90613e8b1f815271a8d636ea69cfe2849959
                                                            • Instruction ID: 8eafd0edbfc0ae7ed94e60dc1b6a8d7560bd12e03aaade42168e3df6bc459b46
                                                            • Opcode Fuzzy Hash: c48968e9deac68b22034f238b13f90613e8b1f815271a8d636ea69cfe2849959
                                                            • Instruction Fuzzy Hash: 223197B1D016288BEB28CF56C9157DAFAF6BFC5304F04C1EAC54C6A254DB750A89CF51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1418081007.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_6850000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: |l^
                                                            • API String ID: 0-3878752382
                                                            • Opcode ID: 325a2594db4228d52cc42e7f1d90373d96aa5ad5970b7360efe210de1a130bf6
                                                            • Instruction ID: d6fdefb70d92974f4f891ee6edad686d46a850fc5ef09216ccbe5799bfd939f2
                                                            • Opcode Fuzzy Hash: 325a2594db4228d52cc42e7f1d90373d96aa5ad5970b7360efe210de1a130bf6
                                                            • Instruction Fuzzy Hash: 6141827590E3D59FDB03DB28D8A459ABFB0AF8721070A40C7D495DF2A3C7249C49CBA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1420920034.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7370000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5645722adceaa7f63f00a13d718c2160cdabbc3ec9223bdfdc45300a92c17d00
                                                            • Instruction ID: d6c38c077010588d42940bc43b106782ed6e84dde159982843347a8b5207f25b
                                                            • Opcode Fuzzy Hash: 5645722adceaa7f63f00a13d718c2160cdabbc3ec9223bdfdc45300a92c17d00
                                                            • Instruction Fuzzy Hash: EB127CB27043198FE7359B78881177BBFB6AFC6211F14C06AD949DB642DB35C841C7A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1418081007.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_6850000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f7bb3e819aebd9803ec9dc8b9b11a1ff49f8061a9800e3ae44261fb22a27183f
                                                            • Instruction ID: ec36bdab4d2c238adb1399a60ece4c535f4ceae3504cc5b7161c6726c40f6fcd
                                                            • Opcode Fuzzy Hash: f7bb3e819aebd9803ec9dc8b9b11a1ff49f8061a9800e3ae44261fb22a27183f
                                                            • Instruction Fuzzy Hash: 8C917A74A002058FCB16CF58C4A4AAEFBB1FF88310B258699D915EB365CB35FD51CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1420920034.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7370000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5d7b8d5bee3583e29175039791ae98acb9a6e709cb9d95407f1e1eb24301aae0
                                                            • Instruction ID: c497cce0a1361d7c801b51a24f5a24e5550b9c4b72e8472922cb3ed2925cd882
                                                            • Opcode Fuzzy Hash: 5d7b8d5bee3583e29175039791ae98acb9a6e709cb9d95407f1e1eb24301aae0
                                                            • Instruction Fuzzy Hash: 6D412AF3A0420ADFEB358F6585416797BB29FC2210B14C1A6D848AF652D739DC44CB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1418081007.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_6850000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 19f85154927eca4b26dc841e579a220e9ff0017d541148a113a6de26a456a59f
                                                            • Instruction ID: 823792db689e4d908752838b908511ef8c798a88f1fc9f8eec4048da06430d6f
                                                            • Opcode Fuzzy Hash: 19f85154927eca4b26dc841e579a220e9ff0017d541148a113a6de26a456a59f
                                                            • Instruction Fuzzy Hash: A3411874A006059FCB05CF58C4E8AAEF7B1FF88310B168299D915AB365C736FD51CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1418081007.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_6850000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8e099b9915bbe70a2a33560686f6b23ce0eb116e314cc470daf016c33d0bf2e1
                                                            • Instruction ID: 75c4a2d812678db2e5345654f7160701bcd8631667d7e2b0a6d4181a89c90b83
                                                            • Opcode Fuzzy Hash: 8e099b9915bbe70a2a33560686f6b23ce0eb116e314cc470daf016c33d0bf2e1
                                                            • Instruction Fuzzy Hash: B1212E74A042499FDB41CFA8D4909AEFBF1FF8A310B158599D845EB362C331EC45CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1418081007.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_6850000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 11ffada826102a92c266e085e90bd7738263e7a7f4f05399ae2b74c276a4a3ee
                                                            • Instruction ID: c730f04e677335a13186de0c71bf74ce638a6b12989a71b1d48204642ec0e3f1
                                                            • Opcode Fuzzy Hash: 11ffada826102a92c266e085e90bd7738263e7a7f4f05399ae2b74c276a4a3ee
                                                            • Instruction Fuzzy Hash: 43114C34A056498FDB01CFA8C4909ADFBF1FF8A310B19859AD859EB362C735EC45CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1411154436.000000000435D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0435D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_435d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dd338343cc810262924bd452c8cc8d410a6edbfa51ac7a512749d9dd6de6bb7f
                                                            • Instruction ID: 05b19d39c871a35dd94435c99b0b9695e6be35fff169105dededb11d2127e784
                                                            • Opcode Fuzzy Hash: dd338343cc810262924bd452c8cc8d410a6edbfa51ac7a512749d9dd6de6bb7f
                                                            • Instruction Fuzzy Hash: 1D01F2715083049BE7204E21ECC0F67BF98EF81725F18C01AED084B692D679A842CBB2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1411154436.000000000435D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0435D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_435d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0ae5ca567d4fd7c1092315d6913ef6f194963d5dfbe1ef41c64111c8f3ad96b9
                                                            • Instruction ID: dc75f1a5b04499b9911c312b65847c79429ec12bbde6d3f876855ae17881f464
                                                            • Opcode Fuzzy Hash: 0ae5ca567d4fd7c1092315d6913ef6f194963d5dfbe1ef41c64111c8f3ad96b9
                                                            • Instruction Fuzzy Hash: 2F015E7240E3C49FD7128B219894B52BFA4DF42225F19C0DBDD888F2A3C2699848C772
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1420920034.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7370000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: l$l$l$l
                                                            • API String ID: 0-2658161240
                                                            • Opcode ID: 2aa76c73819f816d57efaad5f2b9ea28435bf98171c23856f9c21d877ef9e0fc
                                                            • Instruction ID: acabf733be7304610916a6717334266c52a49209e4a3e16ba9ac4def2cc66103
                                                            • Opcode Fuzzy Hash: 2aa76c73819f816d57efaad5f2b9ea28435bf98171c23856f9c21d877ef9e0fc
                                                            • Instruction Fuzzy Hash: B8F13AB37042198FEB349B68D4017AABBF6AFC5221F14C07AD84ACB651DB35CD45C7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:11.8%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:130
                                                            Total number of Limit Nodes:10
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d3909401ef2a5fabd982bcc12d719c47545ccefbcfc6e6d6528b74e1ddaaf6a0
                                                            • Instruction ID: b5a2121a266d8b12c5691fb705e27e58020f7e06d5a79fcd8b2cbad9f9890416
                                                            • Opcode Fuzzy Hash: d3909401ef2a5fabd982bcc12d719c47545ccefbcfc6e6d6528b74e1ddaaf6a0
                                                            • Instruction Fuzzy Hash: B563F671D10B5A8ADB51EF68C880699F7B1FF99300F11C79AE45877221EB70AAC5CF81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
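The execution_graph and control_flow_graph dumps above are flat token lists: `<id> <addr>` starts a node (in control-flow graphs the address is a basic-block range), an optional label names the Win32 API the node calls (`WaitMessage`, `DeleteFileW`), a call site (`call 70834f0`) or a collapsed callee (`2 API calls`), and `<id>-><id>` is an edge. The triage question these dumps answer is which APIs a given root can reach. The script below is an added example, not part of the Joe Sandbox report or its tooling; the token grammar is inferred from the visible text and is an assumption, and the sample inputs are excerpts copied from the graphs in this report.

```python
"""Parse Joe Sandbox execution_graph / control_flow_graph token lists and report
which Win32 APIs and callees are reachable from each graph root.
Grammar (assumed from the report text): "<id> <addr>[-<addr>]" starts a node,
optionally labelled "WaitMessage", "call 70834f0" or "2 API calls";
"<id>-><id>" is an edge."""
import re
from collections import defaultdict, deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{5,8}(?:-[0-9a-f]{5,8})?$")
SUMMARY_RE = re.compile(r"^\d+ API calls?$")   # collapsed callee, not an API


def parse_graph(text):
    """Return (nodes, edges); nodes maps id -> {'addr': str, 'label': str}."""
    tokens = text.split()
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((edge.group(1), edge.group(2)))
            current = None            # labels never follow an edge
            i += 1
        elif tok == "call" and current is not None and i + 1 < len(tokens):
            nodes[current]["label"] = "call " + tokens[i + 1]
            i += 2
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "label": ""}
            i += 2
        else:
            if current is not None:   # label word belonging to the last node
                nodes[current]["label"] = (nodes[current]["label"] + " " + tok).strip()
            i += 1
    return nodes, edges


def is_api(label):
    """A bare API name marks an API node; summaries and call sites do not."""
    return bool(label) and not SUMMARY_RE.match(label) and not label.startswith("call ")


def reachable_from_roots(nodes, edges):
    """Map each root address (node with no incoming edge) to the sorted APIs and
    callee addresses reachable from it. Ids that only appear in edges (blocks
    cut off at the excerpt boundary) are skipped."""
    succ, indeg = defaultdict(list), {n: 0 for n in nodes}
    for src, dst in edges:
        succ[src].append(dst)
        indeg[dst] = indeg.get(dst, 0) + 1
    report = {}
    for root in nodes:
        if indeg[root]:
            continue
        seen, queue, apis, calls = {root}, deque([root]), set(), set()
        while queue:
            n = queue.popleft()
            node = nodes.get(n)
            if node is None:
                continue
            label = node["label"]
            if label.startswith("call "):
                calls.add(label[5:])
            elif is_api(label):
                apis.add(label)
            for s in succ[n]:
                if s not in seen:
                    seen.add(s)
                    queue.append(s)
        report[nodes[root]["addr"]] = {"apis": sorted(apis), "calls": sorted(calls)}
    return report


def api_to_roots(report):
    """Invert the report: API name -> sorted root addresses that can reach it."""
    index = defaultdict(set)
    for root, info in report.items():
        for api in info["apis"]:
            index[api].add(root)
    return {api: sorted(roots) for api, roots in sorted(index.items())}


# Constructed sample input: excerpts copied from the graphs in this report.
SAMPLE_EXECUTION_GRAPH = (
    "28662 7084078 28665 70840dd 28662->28665 28663 7084540 WaitMessage 28663->28665 "
    "28665->28663 28666 708412a 28665->28666 28667 708353c 28665->28667 "
    "28668 7084de0 DispatchMessageW 28667->28668 28669 7084e4c 28668->28669 28669->28665 "
    "28524 30a0848 28525 30a0849 28524->28525 28526 30a091b 28525->28526 28528 30a13db "
    "28525->28528 28530 30a13e3 28528->28530 28529 30a14fc 28529->28525 28530->28529 "
    "28538 30a7e00 28530->28538 28543 30a7e10 28530->28543 28548 30ae8d1 28530->28548 "
    "28539 30a7e04 28538->28539 28540 30a7edf 28539->28540 28573 30aac48 28539->28573 "
    "28540->28530 28544 30a7e11 28543->28544 28545 30a7edf 28544->28545 "
    "28546 30aac48 2 API calls 28544->28546 28547 30aac42 2 API calls 28544->28547 "
    "28545->28530 28546->28544 28547->28544 28550 30ae8d6 28548->28550 28549 30ae963 "
    "28549->28530 28589 30ae970 28550->28589 28574 30aacab 28573->28574 "
    "28575 30aadbf GetActiveWindow 28574->28575 28576 30aaded 28574->28576 "
    "28578 30aae8d 28574->28578 28575->28576 28576->28578 28585 30aa81c 28576->28585 "
    "28578->28539 28586 30ae250 MessageBoxW 28585->28586 28588 30ae2dc 28586->28588 "
    "28588->28578 28590 30ae990 28589->28590 28591 30ae9c2 28590->28591 28597 30adb5c "
    "28590->28597 28591->28549 28598 30adb63 DeleteFileW 28597->28598 28600 30aea5f "
    "28598->28600 28600->28591 28616 30ac1e0 DuplicateHandle 28617 30ac276 28616->28617"
)
SAMPLE_CONTROL_FLOW_GRAPH = (
    "1391 7081f10-7081f4c 1392 7081ffc-708201c 1391->1392 1393 7081f52-7081f57 "
    "1391->1393 1400 708201f-708202c 1392->1400 1395 7081f59-7081f90 1393->1395 "
    "1396 7081faa-7081fe2 CallWindowProcW 1393->1396 1402 7081f99-7081fa8 1395->1402 "
    "1403 7081f92-7081f98 1395->1403 1397 7081feb-7081ffa 1396->1397 "
    "1398 7081fe4-7081fea 1396->1398 1397->1400 1398->1397 1402->1400 1403->1402 "
    "1155 709ac64-709ac6b 1158 709ac6d call 709adbf 1155->1158 1159 709ac6d "
    "call 709add0 1155->1159 1157 709ac73-709ac75 1157->1108 1158->1157 1159->1157"
)

if __name__ == "__main__":
    for name, text in (("execution_graph", SAMPLE_EXECUTION_GRAPH),
                       ("control_flow_graph", SAMPLE_CONTROL_FLOW_GRAPH)):
        nodes, edges = parse_graph(text)
        for root, info in reachable_from_roots(nodes, edges).items():
            print(name, root, info)
```

Paste any graph block from the report into one of the sample strings to run it against the full function. Two caveats: `N API calls` labels are collapsed references to another node, so the API set for a root is a lower bound unless the referenced function's own graph is parsed too, and the excerpted control-flow graph references block 1108, which lies outside the excerpt and is deliberately skipped rather than treated as a root.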

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d0accbbd57930ae05d057edcc61e18c8735abb5c3a6819b001d51dd3695e3eaa
                                                            • Instruction ID: a40004165c4648271887f957d39acd3725f38b17118f37065ee136ce346165c5
                                                            • Opcode Fuzzy Hash: d0accbbd57930ae05d057edcc61e18c8735abb5c3a6819b001d51dd3695e3eaa
                                                            • Instruction Fuzzy Hash: 12232E71D1071A8EDB11EF68C8806ADF7B1FF89300F55D79AE448A7251EB70AAC5CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 868 7084078-70840db 869 708410a-7084128 868->869 870 70840dd-7084107 868->870 875 708412a-708412c 869->875 876 7084131-7084168 869->876 870->869 878 70845ea-70845ff 875->878 880 7084599 876->880 881 708416e-7084182 876->881 884 708459e-70845b4 880->884 882 70841b1-70841d0 881->882 883 7084184-70841ae 881->883 890 70841e8-70841ea 882->890 891 70841d2-70841d8 882->891 883->882 884->878 894 7084209-7084212 890->894 895 70841ec-7084204 890->895 892 70841da 891->892 893 70841dc-70841de 891->893 892->890 893->890 897 708421a-7084221 894->897 895->884 898 708422b-7084232 897->898 899 7084223-7084229 897->899 901 708423c 898->901 902 7084234-708423a 898->902 900 708423f-708425c call 70834f0 899->900 905 70843b1-70843b5 900->905 906 7084262-7084269 900->906 901->900 902->900 908 70843bb-70843bf 905->908 909 7084584-7084597 905->909 906->880 907 708426f-70842ac 906->907 917 708457a-708457e 907->917 918 70842b2-70842b7 907->918 910 70843d9-70843e2 908->910 911 70843c1-70843d4 908->911 909->884 913 7084411-7084418 910->913 914 70843e4-708440e 910->914 911->884 915 708441e-7084425 913->915 916 70844b7-70844cc 913->916 914->913 919 7084454-7084476 915->919 920 7084427-7084451 915->920 916->917 929 70844d2-70844d4 916->929 917->897 917->909 921 70842e9-70842fe call 7083514 918->921 922 70842b9-70842c7 call 70834fc 918->922 919->916 956 7084478-7084482 919->956 920->919 927 7084303-7084307 921->927 922->921 937 70842c9-70842e2 call 7083508 922->937 933 7084378-7084385 927->933 934 7084309-708431b call 7083520 927->934 935 7084521-708453e call 70834f0 929->935 936 70844d6-708450f 929->936 933->917 948 708438b-7084395 call 7083530 933->948 961 708435b-7084373 934->961 962 708431d-708434d 934->962 935->917 954 7084540-708456c WaitMessage 935->954 951 7084518-708451f 936->951 952 7084511-7084517 936->952 946 70842e7 937->946 946->927 964 70843a4-70843ac call 7083548 948->964 965 7084397-708439a call 708353c 
948->965 951->917 952->951 958 708456e 954->958 959 7084573 954->959 969 708449a-70844b5 956->969 970 7084484-708448a 956->970 958->959 959->917 961->884 976 708434f 962->976 977 7084354 962->977 964->917 972 708439f 965->972 969->916 969->956 974 708448c 970->974 975 708448e-7084490 970->975 972->917 974->969 975->969 976->977 977->961
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672447077.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7080000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: DispatchMessage
                                                            • String ID:
                                                            • API String ID: 2061451462-0
                                                            • Opcode ID: 51083340d1d5a4cf257f1cc1d1344b6ae919abffb5fddff3ea3564021d5c2ab7
                                                            • Instruction ID: d9fae85fddd2022ac9b8099631087706db074286030c52400ff1c0846454b292
                                                            • Opcode Fuzzy Hash: 51083340d1d5a4cf257f1cc1d1344b6ae919abffb5fddff3ea3564021d5c2ab7
                                                            • Instruction Fuzzy Hash: 05F160B0A0035ACFDB94EFA5C844B9DBBF1FF88304F158269E855AF265DB709945CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 980 709a680-709a69d 981 709a69f-709a6a2 980->981 982 709a6b8-709a6bb 981->982 983 709a6a4-709a6b3 981->983 984 709a6bd-709a6be 982->984 985 709a6c3-709a6c6 982->985 983->982 984->985 987 709a6c8-709a6ce 985->987 988 709a6fe-709a701 985->988 989 709a860-709a88b 987->989 990 709a6d4-709a6dc 987->990 991 709a71d-709a720 988->991 992 709a703-709a718 988->992 1009 709a895-709a898 989->1009 990->989 995 709a6e2-709a6ef 990->995 993 709a733-709a736 991->993 994 709a722-709a728 991->994 992->991 999 709a738-709a745 993->999 1000 709a74a-709a74d 993->1000 997 709a72e 994->997 998 709a7b4-709a7be 994->998 995->989 1002 709a6f5-709a6f9 995->1002 997->993 1005 709a7c5-709a7c7 998->1005 999->1000 1003 709a74f-709a753 1000->1003 1004 709a75e-709a761 1000->1004 1002->988 1007 709a759 1003->1007 1008 709a852-709a85f 1003->1008 1010 709a76d-709a770 1004->1010 1011 709a763-709a76c 1004->1011 1012 709a7cc-709a7cf 1005->1012 1007->1004 1015 709a8ba-709a8bd 1009->1015 1016 709a89a-709a89e 1009->1016 1013 709a77a-709a77d 1010->1013 1014 709a772-709a775 1010->1014 1019 709a7dd-709a7e0 1012->1019 1020 709a7d1-709a7d8 1012->1020 1021 709a77f-709a785 1013->1021 1022 709a790-709a793 1013->1022 1014->1013 1017 709a8bf-709a8c6 1015->1017 1018 709a8c7-709a8ca 1015->1018 1023 709a982-709a9bc 1016->1023 1024 709a8a4-709a8ac 1016->1024 1025 709a8cc-709a8dd 1018->1025 1026 709a8e2-709a8e5 1018->1026 1027 709a7fd-709a800 1019->1027 1028 709a7e2-709a7f8 1019->1028 1020->1019 1021->987 1029 709a78b 1021->1029 1030 709a79d-709a7a0 1022->1030 1031 709a795-709a798 1022->1031 1048 709a9be-709a9c1 1023->1048 1024->1023 1032 709a8b2-709a8b5 1024->1032 1025->1026 1033 709a907-709a90a 1026->1033 1034 709a8e7-709a8eb 1026->1034 1035 709a802-709a81f 1027->1035 1036 709a824-709a827 1027->1036 1028->1027 1029->1022 1037 709a7af-709a7b2 1030->1037 1038 709a7a2-709a7a8 1030->1038 1031->1030 1032->1015 1045 709a91a-709a91d 1033->1045 1046 
709a90c-709a913 1033->1046 1034->1023 1043 709a8f1-709a8f9 1034->1043 1035->1036 1040 709a829-709a82b 1036->1040 1041 709a82e-709a831 1036->1041 1037->998 1037->1012 1038->1014 1047 709a7aa 1038->1047 1040->1041 1041->1021 1051 709a837-709a83a 1041->1051 1043->1023 1052 709a8ff-709a902 1043->1052 1056 709a91f-709a929 1045->1056 1057 709a92e-709a931 1045->1057 1053 709a97a-709a981 1046->1053 1054 709a915 1046->1054 1047->1037 1049 709a9cb-709a9ce 1048->1049 1050 709a9c3-709a9c8 1048->1050 1060 709aa2c-709abc0 1049->1060 1061 709a9d0-709a9d3 1049->1061 1050->1049 1051->994 1062 709a840-709a842 1051->1062 1052->1033 1054->1045 1056->1057 1058 709a94b-709a94e 1057->1058 1059 709a933-709a937 1057->1059 1068 709a968-709a96a 1058->1068 1069 709a950-709a954 1058->1069 1059->1023 1063 709a939-709a941 1059->1063 1129 709acf9-709ad0c 1060->1129 1130 709abc6-709abcd 1060->1130 1064 709a9f1-709a9f4 1061->1064 1065 709a9d5-709a9e6 1061->1065 1066 709a849-709a84c 1062->1066 1067 709a844 1062->1067 1063->1023 1073 709a943-709a946 1063->1073 1075 709aa02-709aa05 1064->1075 1076 709a9f6-709a9fd 1064->1076 1084 709a9ec 1065->1084 1085 709ad85-709ad98 1065->1085 1066->981 1066->1008 1067->1066 1077 709a96c 1068->1077 1078 709a971-709a974 1068->1078 1069->1023 1074 709a956-709a95e 1069->1074 1073->1058 1074->1023 1080 709a960-709a963 1074->1080 1081 709aa23-709aa26 1075->1081 1082 709aa07-709aa18 1075->1082 1076->1075 1077->1078 1078->1009 1078->1053 1080->1068 1081->1060 1086 709ad0f-709ad12 1081->1086 1094 709aa1e 1082->1094 1095 709ad74-709ad7b 1082->1095 1084->1064 1088 709ad2c-709ad2f 1086->1088 1089 709ad14-709ad25 1086->1089 1091 709ad49-709ad4c 1088->1091 1092 709ad31-709ad42 1088->1092 1089->1095 1104 709ad27 1089->1104 1091->1060 1096 709ad52-709ad55 1091->1096 1092->1095 1107 709ad44 1092->1107 1094->1081 1097 709ad80-709ad83 1095->1097 1100 709ad6f-709ad72 1096->1100 1101 709ad57-709ad68 1096->1101 1097->1085 1103 709ad9b-709ad9d 1097->1103 1100->1095 1100->1097 1101->1089 
1111 709ad6a 1101->1111 1105 709ad9f 1103->1105 1106 709ada4-709ada7 1103->1106 1104->1088 1105->1106 1106->1048 1108 709adad-709adb6 1106->1108 1107->1091 1111->1100 1131 709ac81-709ac88 1130->1131 1132 709abd3-709ac06 1130->1132 1131->1129 1133 709ac8a-709acbd 1131->1133 1142 709ac08 1132->1142 1143 709ac0b-709ac4c 1132->1143 1145 709acbf 1133->1145 1146 709acc2-709acef 1133->1146 1142->1143 1154 709ac4e-709ac5f 1143->1154 1155 709ac64-709ac6b 1143->1155 1145->1146 1146->1108 1154->1108 1158 709ac6d call 709adbf 1155->1158 1159 709ac6d call 709add0 1155->1159 1157 709ac73-709ac75 1157->1108 1158->1157 1159->1157
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $
                                                            • API String ID: 0-3993045852
                                                            • Opcode ID: 0b5070c61937d5756f1da114e7412f1c0887745375365559ee05c8510d4ab219
                                                            • Instruction ID: 512cf2ba76c2858331cee0c3dda4b576e4c67bb24ed4d6ac617c4bce8458fa67
                                                            • Opcode Fuzzy Hash: 0b5070c61937d5756f1da114e7412f1c0887745375365559ee05c8510d4ab219
                                                            • Instruction Fuzzy Hash: 7822A0B1F002168FDF64DA64C8806AEBBF2FF85310F10867AD856AB350DA35ED41DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 1260 30acc98-30acca4 1261 30acc4c-30acc4e 1260->1261 1262 30acca6-30ace55 1260->1262 1263 30acc59-30acc6a OleInitialize 1261->1263 1289 30ace5b-30ad203 1262->1289 1290 30ad204-30ad5ac 1262->1290 1265 30acc6c-30acc72 1263->1265 1266 30acc73-30acc90 1263->1266 1265->1266
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 030ACC5D
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: 6e1d3fff122f430a20151c63882a78eec4ab7f0afd85b8805ea52b0518580f2a
                                                            • Instruction ID: daddd66308426b558c9395a3b4ef656d7d2dd46d566018ade57f39a7e3f09b0e
                                                            • Opcode Fuzzy Hash: 6e1d3fff122f430a20151c63882a78eec4ab7f0afd85b8805ea52b0518580f2a
                                                            • Instruction Fuzzy Hash: 3ED154B1401749AFD728EF64EC8C189BB76BBAA324F504709D1516B2D8E77414FACF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 985b779893e4ddb41dabe1d03fdeacbb418f763cf9ee51f924ba2e58d9bfc915
                                                            • Instruction ID: c31641f3022094e530a3e9ea1d857dc737971f891ddf5fab0bf5ab0691f30b43
                                                            • Opcode Fuzzy Hash: 985b779893e4ddb41dabe1d03fdeacbb418f763cf9ee51f924ba2e58d9bfc915
                                                            • Instruction Fuzzy Hash: 9FD27D71A10209CFDB64DB68C594A9DB7F2FF85310F54C6AAD409AB361EB31ED81DB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: caf38703505b9941f6b6bb0f5fe45c27add99a3e417564a1d7d301ea5f54cedc
                                                            • Instruction ID: 8d35b760a231a60ea6e75a89f56e5fb4dde444b00266c1a40a4a496088f8b0fa
                                                            • Opcode Fuzzy Hash: caf38703505b9941f6b6bb0f5fe45c27add99a3e417564a1d7d301ea5f54cedc
                                                            • Instruction Fuzzy Hash: A9E2E671D10B1A8ADB50EF68C8406A9F7B1FF99300F11D79AE44877221EB70AAD5CF81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: de8a27e0ae9572bcd3bee0c92fc2b2b17c870893b9b804a3b905926827373137
                                                            • Instruction ID: ffbb8e9ba1662c607c5feb39bf6f5c21cd28ac15b9473cad6bf0bed1f1497657
                                                            • Opcode Fuzzy Hash: de8a27e0ae9572bcd3bee0c92fc2b2b17c870893b9b804a3b905926827373137
                                                            • Instruction Fuzzy Hash: 7D627DB4B0020A8FDF54DB68E5946ADB7F2EF89324F148669D806DB390DB35EC42DB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f72b531d13ef60c5576ef4d62a6c56630bf75a65d598dee584aeea6cd6c23d3e
                                                            • Instruction ID: 47293a0025e740616cd32adfeaa43f445cb617911333ce0d464df8d6a3e5e83b
                                                            • Opcode Fuzzy Hash: f72b531d13ef60c5576ef4d62a6c56630bf75a65d598dee584aeea6cd6c23d3e
                                                            • Instruction Fuzzy Hash: FF027A71B00216DFDF54DB79D9946AEB7E2FF84210F148669D806AB390DB35EC82DB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e32da7556c605e42f1149d0dd8048bcf0621e49c84a1b67e707cab27986886aa
                                                            • Instruction ID: 69b845df4fd2d455768b819b8fa27a2db83bc8e21d3d0fb9b3f2533aa39f6a32
                                                            • Opcode Fuzzy Hash: e32da7556c605e42f1149d0dd8048bcf0621e49c84a1b67e707cab27986886aa
                                                            • Instruction Fuzzy Hash: 1FD1F5B1B001198FCFA4DB68D494AAEB7F6FB88320F24857AE41ADB351CA31DC41D791
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 1160 30aac48-30aacca 1164 30aaf0e-30aaf41 1160->1164 1165 30aacd0-30aacf5 1160->1165 1171 30aaf48-30aaf7d 1164->1171 1170 30aacfb-30aad20 1165->1170 1165->1171 1178 30aad26-30aad36 1170->1178 1179 30aaf84-30aafb9 1170->1179 1171->1179 1184 30aad3c-30aad40 1178->1184 1185 30aafc0-30aafec 1178->1185 1179->1185 1187 30aad4e-30aad53 1184->1187 1188 30aad42-30aad48 1184->1188 1189 30aaff3-30ab031 1185->1189 1190 30aad61-30aad67 1187->1190 1191 30aad55-30aad5b 1187->1191 1188->1187 1188->1189 1194 30ab038-30ab076 1189->1194 1195 30aad78-30aad8c 1190->1195 1196 30aad69-30aad71 1190->1196 1191->1190 1191->1194 1229 30ab07d-30ab11b 1194->1229 1208 30aad8e-30aad90 1195->1208 1209 30aad92 1195->1209 1196->1195 1212 30aad97-30aadaf 1208->1212 1209->1212 1214 30aadb9-30aadbd 1212->1214 1215 30aadb1-30aadb7 1212->1215 1217 30aadbf-30aadeb GetActiveWindow 1214->1217 1218 30aae00-30aae09 1214->1218 1215->1214 1216 30aae0c-30aae19 1215->1216 1227 30aae1b-30aae31 call 30aa810 1216->1227 1228 30aae59 1216->1228 1220 30aaded-30aadf3 1217->1220 1221 30aadf4-30aadfe 1217->1221 1218->1216 1220->1221 1221->1216 1236 30aae33-30aae4a 1227->1236 1237 30aae50-30aae56 1227->1237 1257 30aae59 call 30ab538 1228->1257 1258 30aae59 call 30ab560 1228->1258 1259 30aae59 call 30ab570 1228->1259 1231 30aae5f-30aaeb3 call 30aa81c 1251 30aaebc 1231->1251 1236->1229 1236->1237 1237->1228 1251->1164 1257->1231 1258->1231 1259->1231
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: ActiveWindow
                                                            • String ID:
                                                            • API String ID: 2558294473-0
                                                            • Opcode ID: ca7ae45ad0c4a5f4c66557d34e5011a0c60d8185d0d5afa57b54532c8b4d092d
                                                            • Instruction ID: 2db2d9e0d6a57d0c53b32c21db42d315562350ebe4dbac42a89240e62c3b1fa9
                                                            • Opcode Fuzzy Hash: ca7ae45ad0c4a5f4c66557d34e5011a0c60d8185d0d5afa57b54532c8b4d092d
                                                            • Instruction Fuzzy Hash: 09C18130B103199BDB59DFA9941476EBBE6FFC8340F148429E806EB394DF749842CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 1291 30aac42-30aacca 1295 30aaf0e-30aaf41 1291->1295 1296 30aacd0-30aacf5 1291->1296 1302 30aaf48-30aaf7d 1295->1302 1301 30aacfb-30aad20 1296->1301 1296->1302 1309 30aad26-30aad36 1301->1309 1310 30aaf84-30aafb9 1301->1310 1302->1310 1315 30aad3c-30aad40 1309->1315 1316 30aafc0-30aafec 1309->1316 1310->1316 1318 30aad4e-30aad53 1315->1318 1319 30aad42-30aad48 1315->1319 1320 30aaff3-30ab031 1316->1320 1321 30aad61-30aad67 1318->1321 1322 30aad55-30aad5b 1318->1322 1319->1318 1319->1320 1325 30ab038-30ab076 1320->1325 1326 30aad78-30aad8c 1321->1326 1327 30aad69-30aad71 1321->1327 1322->1321 1322->1325 1360 30ab07d-30ab11b 1325->1360 1339 30aad8e-30aad90 1326->1339 1340 30aad92 1326->1340 1327->1326 1343 30aad97-30aadaf 1339->1343 1340->1343 1345 30aadb9-30aadbd 1343->1345 1346 30aadb1-30aadb7 1343->1346 1348 30aadbf-30aadeb GetActiveWindow 1345->1348 1349 30aae00-30aae09 1345->1349 1346->1345 1347 30aae0c-30aae19 1346->1347 1358 30aae1b-30aae31 call 30aa810 1347->1358 1359 30aae59 1347->1359 1351 30aaded-30aadf3 1348->1351 1352 30aadf4-30aadfe 1348->1352 1349->1347 1351->1352 1352->1347 1367 30aae33-30aae4a 1358->1367 1368 30aae50-30aae56 1358->1368 1388 30aae59 call 30ab538 1359->1388 1389 30aae59 call 30ab560 1359->1389 1390 30aae59 call 30ab570 1359->1390 1362 30aae5f-30aaeb3 call 30aa81c 1382 30aaebc 1362->1382 1367->1360 1367->1368 1368->1359 1382->1295 1388->1362 1389->1362 1390->1362
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: ActiveWindow
                                                            • String ID:
                                                            • API String ID: 2558294473-0
                                                            • Opcode ID: 6f4e090776d6e59b01e0e604d0274cebdc09c9dbe1f725e358aed916bd0ff0a2
                                                            • Instruction ID: 65d269501432a17b9a0076835323eb48a632973f31649e677f6584495242ca98
                                                            • Opcode Fuzzy Hash: 6f4e090776d6e59b01e0e604d0274cebdc09c9dbe1f725e358aed916bd0ff0a2
                                                            • Instruction Fuzzy Hash: E4617F74E01719DFDB58DFA9E4497ADBBF2FF88301F188429E806AB294DB749841CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 1391 7081f10-7081f4c 1392 7081ffc-708201c 1391->1392 1393 7081f52-7081f57 1391->1393 1400 708201f-708202c 1392->1400 1395 7081f59-7081f90 1393->1395 1396 7081faa-7081fe2 CallWindowProcW 1393->1396 1402 7081f99-7081fa8 1395->1402 1403 7081f92-7081f98 1395->1403 1397 7081feb-7081ffa 1396->1397 1398 7081fe4-7081fea 1396->1398 1397->1400 1398->1397 1402->1400 1403->1402
                                                            APIs
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 07081FD1
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672447077.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7080000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: CallProcWindow
                                                            • String ID:
                                                            • API String ID: 2714655100-0
                                                            • Opcode ID: 40f0c7a1ae06f51b7d397c5f9d22308f73c0d6a3dab27ccdc065fd497ce7a8d7
                                                            • Instruction ID: b7bd00dc2a3c8dd2525c5edb541b94d1f46ccf412265b90356a799df40414443
                                                            • Opcode Fuzzy Hash: 40f0c7a1ae06f51b7d397c5f9d22308f73c0d6a3dab27ccdc065fd497ce7a8d7
                                                            • Instruction Fuzzy Hash: AE4147B4900309DFCB54DF99C888AAABBF5FF88314F24855DE519AB321D774A841CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            • Blocks: 1406 30adf7c-30adf85; 1407 30adf07; 1408 30adf87-30ae007; 1409 30adf0c; 1419 30ae008; 1411 30adf0e-30adf3e (EnumThreadWindows); 1413 30adf40-30adf46; 1414 30adf47-30adf74
                                                            • Edges: 1406->1407, 1406->1408, 1407->1409, 1408->1419, 1409->1411, 1411->1413, 1411->1414, 1413->1414, 1419->1419
                                                            APIs
                                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,030ADEA0,041441C4,03195178), ref: 030ADF31
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: EnumThreadWindows
                                                            • String ID:
                                                            • API String ID: 2941952884-0
                                                            • Opcode ID: edc47a1ee78854e18b7730949600aedcf55ad88cbb7a715dc0a06850c121d8fa
                                                            • Instruction ID: b8dbd38c72a82461f37004e0191df83a56b61f420f2b236696018dbe10708387
                                                            • Opcode Fuzzy Hash: edc47a1ee78854e18b7730949600aedcf55ad88cbb7a715dc0a06850c121d8fa
                                                            • Instruction Fuzzy Hash: F7318B75A01609CFDB10CF99D854BEEBBF5AF8C320F28815AE414E73A0C7789940CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            • Blocks: 1420 30ac1db-30ac274 (DuplicateHandle); 1421 30ac27d-30ac29a; 1422 30ac276-30ac27c
                                                            • Edges: 1420->1421, 1420->1422, 1422->1421
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030AC267
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 020930125727fba42ab2089d8408ef9ee6413399a7d020fd1a4f405ba3ecbb34
                                                            • Instruction ID: 63d1e428737a8c06831b4c27bd05b3369c9f634519d43174c726ac2c558bb987
                                                            • Opcode Fuzzy Hash: 020930125727fba42ab2089d8408ef9ee6413399a7d020fd1a4f405ba3ecbb34
                                                            • Instruction Fuzzy Hash: A321E4B5901249AFDB10CFAAD884ADEFBF5FB48320F14841AE914A7350D378A940CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            • Blocks: 1426 30ac1e0-30ac274 (DuplicateHandle); 1427 30ac27d-30ac29a; 1428 30ac276-30ac27c
                                                            • Edges: 1426->1427, 1426->1428, 1428->1427
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030AC267
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: a52b8ea759f194c9c512a34089c772138bb57b74570810e97bea5dee38b4a2d0
                                                            • Instruction ID: 3abd1364c04dae66b24439c0148eb36c192f270e804fd2abd9f212e4f915be51
                                                            • Opcode Fuzzy Hash: a52b8ea759f194c9c512a34089c772138bb57b74570810e97bea5dee38b4a2d0
                                                            • Instruction Fuzzy Hash: 5C21F5B59013099FDB10CFAAD884ADEFBF9FB48710F14841AE914A7350D378A940CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            • Blocks: 1442 30adbd8-30adbe1; 1444 30adb63; 1445 30ae9e0-30aea2a; 1447 30aea2c-30aea2f; 1448 30aea32-30aea5d (DeleteFileW); 1449 30aea5f-30aea65; 1450 30aea66-30aea8e
                                                            • Edges: 1442->1444, 1442->1445, 1444->1445, 1445->1447, 1445->1448, 1447->1448, 1448->1449, 1448->1450, 1449->1450
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(00000000), ref: 030AEA50
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: DeleteFile
                                                            • String ID:
                                                            • API String ID: 4033686569-0
                                                            • Opcode ID: 9ad5d45b68333d4f1843042a2bab8ee66ca906872e8c9309fa3b3340bf57e813
                                                            • Instruction ID: 449aeee0fb4f2bae02cc829b7f65ff367b5a6a77ce9e4016b897478a4f715540
                                                            • Opcode Fuzzy Hash: 9ad5d45b68333d4f1843042a2bab8ee66ca906872e8c9309fa3b3340bf57e813
                                                            • Instruction Fuzzy Hash: D22177B1C00B5A9FCB10CF9AD4407DEFBF4BF48620F14852AD818A7240D738A944CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            • Blocks: 1432 30ad9bc-30adf02; 1434 30adf0e-30adf3e (EnumThreadWindows); 1435 30adf04-30adf07; 1437 30adf40-30adf46; 1438 30adf47-30adf74; 1439 30adf0c
                                                            • Edges: 1432->1434, 1432->1435, 1434->1437, 1434->1438, 1435->1439, 1437->1438, 1439->1434
                                                            APIs
                                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,030ADEA0,041441C4,03195178), ref: 030ADF31
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: EnumThreadWindows
                                                            • String ID:
                                                            • API String ID: 2941952884-0
                                                            • Opcode ID: 35abf93e48347fd0473d57d9b87281ca45ea86bf3f5aa2b1c763c7054c3b3738
                                                            • Instruction ID: bec2ba73ce0071ec63bf4fd3449656d93a72481d49b7ec7e9ba7f2bd6babb2e5
                                                            • Opcode Fuzzy Hash: 35abf93e48347fd0473d57d9b87281ca45ea86bf3f5aa2b1c763c7054c3b3738
                                                            • Instruction Fuzzy Hash: 752127719006098FDB14DF9AD844BEFFBF5EB88320F14842AE814A7650D778A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            • Blocks: 1453 30adeb8-30adf02; 1454 30adf0e-30adf3e (EnumThreadWindows); 1455 30adf04-30adf07; 1457 30adf40-30adf46; 1458 30adf47-30adf74; 1459 30adf0c
                                                            • Edges: 1453->1454, 1453->1455, 1454->1457, 1454->1458, 1455->1459, 1457->1458, 1459->1454
                                                            APIs
                                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,030ADEA0,041441C4,03195178), ref: 030ADF31
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: EnumThreadWindows
                                                            • String ID:
                                                            • API String ID: 2941952884-0
                                                            • Opcode ID: 4a5cb601f5af0bc160925a23c6c8c6fb1d10ff2bafda2ad16499566f64a4ff2d
                                                            • Instruction ID: 7b9cc91dcf702608657b12b6af6fe8dc63065041c68db5e916f34e4d4a6c12a7
                                                            • Opcode Fuzzy Hash: 4a5cb601f5af0bc160925a23c6c8c6fb1d10ff2bafda2ad16499566f64a4ff2d
                                                            • Instruction Fuzzy Hash: 34212771D006098FDB14DF9AD844BEEFBF5EB88320F14842AE814A7650D778A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            • Blocks: 1462 30aa81c-30ae293; 1464 30ae29b-30ae29f; 1465 30ae295-30ae298; 1466 30ae2a1-30ae2a4; 1467 30ae2a7-30ae2da (MessageBoxW); 1468 30ae2dc-30ae2e2; 1469 30ae2e3-30ae2f7
                                                            • Edges: 1462->1464, 1462->1465, 1464->1466, 1464->1467, 1465->1464, 1466->1467, 1467->1468, 1467->1469, 1468->1469
                                                            APIs
                                                            • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,030AAE8D,?,?,?), ref: 030AE2CD
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID:
                                                            • API String ID: 2030045667-0
                                                            • Opcode ID: c5fc207a8f623defcd2f6829f2ab83a8eb3e3d669007a0faeb8b958ff54cd1b9
                                                            • Instruction ID: 62f8eeaa9e5010113ea5e0aa5f62e3207f3748408982e7566810a0e5ca8402c0
                                                            • Opcode Fuzzy Hash: c5fc207a8f623defcd2f6829f2ab83a8eb3e3d669007a0faeb8b958ff54cd1b9
                                                            • Instruction Fuzzy Hash: 632104B58017099FDB14CF9AD884ADEFBF5FB88314F14892EE919A7200C375A944CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            • Blocks: 1471 30adb5c-30aea2a; 1475 30aea2c-30aea2f; 1476 30aea32-30aea5d (DeleteFileW); 1477 30aea5f-30aea65; 1478 30aea66-30aea8e
                                                            • Edges: 1471->1475, 1471->1476, 1475->1476, 1476->1477, 1476->1478, 1477->1478
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(00000000), ref: 030AEA50
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: DeleteFile
                                                            • String ID:
                                                            • API String ID: 4033686569-0
                                                            • Opcode ID: ca880a15712dd2c7a42dff7a6ef546c1ec076af2319a300d1ecdd607ab86ec7e
                                                            • Instruction ID: 008ffa8a2240b1a11a8a8fecf5a93d633f1af08d65fd20f602ee4c5b64172769
                                                            • Opcode Fuzzy Hash: ca880a15712dd2c7a42dff7a6ef546c1ec076af2319a300d1ecdd607ab86ec7e
                                                            • Instruction Fuzzy Hash: FC2156B1C00A1A9BCB10CF9AD4457AEFBF4FF48720F14852AD818A7240D738A900CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            • Blocks: 1481 30ae249-30ae293; 1482 30ae29b-30ae29f; 1483 30ae295-30ae298; 1484 30ae2a1-30ae2a4; 1485 30ae2a7-30ae2da (MessageBoxW); 1486 30ae2dc-30ae2e2; 1487 30ae2e3-30ae2f7
                                                            • Edges: 1481->1482, 1481->1483, 1482->1484, 1482->1485, 1483->1482, 1484->1485, 1485->1486, 1485->1487, 1486->1487
                                                            APIs
                                                            • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,030AAE8D,?,?,?), ref: 030AE2CD
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID:
                                                            • API String ID: 2030045667-0
                                                            • Opcode ID: 2b6ee9cda631a47bfbbcfa3c6b0cd3d0c2cc4ad221ffa2919742c9f54dd48521
                                                            • Instruction ID: 55b983b95c24d0d02d111d105bd3c6e119f374c5a557e46bd9ed209216878fd7
                                                            • Opcode Fuzzy Hash: 2b6ee9cda631a47bfbbcfa3c6b0cd3d0c2cc4ad221ffa2919742c9f54dd48521
                                                            • Instruction Fuzzy Hash: B92132B6C017498FDB10CF9AD884ADEFBF1BB48314F14892EE818A7200C374A544CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DeleteFileW.KERNELBASE(00000000), ref: 030AEA50
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: DeleteFile
                                                            • String ID:
                                                            • API String ID: 4033686569-0
                                                            • Opcode ID: 2f0fd92ff529da83814ac14b526dea6b27e4607f6fc882e1b82f54ac12baf0f1
                                                            • Instruction ID: 865e8391cef98d71b859be7ad1496b2717fa0d88bfe924bb7855be391605d999
                                                            • Opcode Fuzzy Hash: 2f0fd92ff529da83814ac14b526dea6b27e4607f6fc882e1b82f54ac12baf0f1
                                                            • Instruction Fuzzy Hash: 3F2147B5C00A5A8FCB14CFAAD5457DEFBF0BF48320F15852AD858A7280D738A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0708439F), ref: 07084E3D
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672447077.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7080000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: DispatchMessage
                                                            • String ID:
                                                            • API String ID: 2061451462-0
                                                            • Opcode ID: 88e978dba3c53162cf3a7556ee96e6e2318478bae883eefb27816b3d6c5ad040
                                                            • Instruction ID: f10e2b9aadbb70a33384ae8ba382136ea3c1c2ee09f80df574bdc845543bfe7b
                                                            • Opcode Fuzzy Hash: 88e978dba3c53162cf3a7556ee96e6e2318478bae883eefb27816b3d6c5ad040
                                                            • Instruction Fuzzy Hash: B41103B5C007499FCB10EF9AE845BDEFBF4EB48324F10851AE418A3600D779A544CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0708439F), ref: 07084E3D
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672447077.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7080000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: DispatchMessage
                                                            • String ID:
                                                            • API String ID: 2061451462-0
                                                            • Opcode ID: 83c90e2988fe1ab1974cffc4b39b1afc4d849211cac874172bf8ff11d90867fd
                                                            • Instruction ID: 3aa8056364f4caeec14b4f8fa725571e8be50737f5c572760fc735cf31f45ba0
                                                            • Opcode Fuzzy Hash: 83c90e2988fe1ab1974cffc4b39b1afc4d849211cac874172bf8ff11d90867fd
                                                            • Instruction Fuzzy Hash: 9111F2B5C0475A9FCB10DF9AD444B9EFBF4EB48314F10851AE568A7210D378A544CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 030ACC5D
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: d6ebe28f3a271bc6c568129813de5480bf1e673eedc780fe936c29ff0ec52cee
                                                            • Instruction ID: 0b7b01eda79512cc4f69703c6b505fcf93be35facf607fc1a0155e56488a5d75
                                                            • Opcode Fuzzy Hash: d6ebe28f3a271bc6c568129813de5480bf1e673eedc780fe936c29ff0ec52cee
                                                            • Instruction Fuzzy Hash: 881112B58007498FDB20DFAAD548BDEFBF8EB48724F24841AD518A7200D378A944CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 030ACC5D
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2640038621.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_30a0000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: 79b09572a81aa97db83e87d9bfe9a94bc835be7a0dd363370a486c1349a60b0a
                                                            • Instruction ID: cd064aa783f4739f00529ab26b6744d1f40dd8489783defc6733db017dff89e0
                                                            • Opcode Fuzzy Hash: 79b09572a81aa97db83e87d9bfe9a94bc835be7a0dd363370a486c1349a60b0a
                                                            • Instruction Fuzzy Hash: 881175B5C007488FDB20DFAAD5457CEFBF4EB48324F24881AD518A3240C378A544CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c24867a9f4609f7599314c91fd95a2e321b129de687c7e474e9e08f0e2b2f37b
                                                            • Instruction ID: deb77fe74f1d4a177d47cbd0f31429752acd952055b0f09884257080d35b9aca
                                                            • Opcode Fuzzy Hash: c24867a9f4609f7599314c91fd95a2e321b129de687c7e474e9e08f0e2b2f37b
                                                            • Instruction Fuzzy Hash: F1F16EB4B0020A9FDF54DB68D9846ADBBF2FB89350F148669D806DB390DB35DC42CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b8466dedabdc20c0efa2a5834f3b29dbc86b41ea600a5f935ccef602084b5bae
                                                            • Instruction ID: 6cb128795c7fd5018f859382058803a3db22e9becb290081fb463b0b1437a682
                                                            • Opcode Fuzzy Hash: b8466dedabdc20c0efa2a5834f3b29dbc86b41ea600a5f935ccef602084b5bae
                                                            • Instruction Fuzzy Hash: 60919F70B1124A8FDF45DFA4D49069EBBF6AFC5300F108679D40ADB291DB34EC868B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 82220f5f12b2c54d9b5bbf26232a020c25dd0fc2c4e9a46bd9e63fb4aa3fc4f4
                                                            • Instruction ID: 582a32e7286ad1dc61057f99c403af8264c95c342fab14e437581f4826588cbb
                                                            • Opcode Fuzzy Hash: 82220f5f12b2c54d9b5bbf26232a020c25dd0fc2c4e9a46bd9e63fb4aa3fc4f4
                                                            • Instruction Fuzzy Hash: 2F912A74B0020ADFCF54DB68D584AADBBF2FB88351F148669E906D7360DB31AC42DB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3f0e7f814a80b5f5157d5c6803e98566286b435c22e95096c62b2698be102169
                                                            • Instruction ID: 85b600939b381c917881e0611bfe26b226e91370ecd5bd67a4a3d1df89262110
                                                            • Opcode Fuzzy Hash: 3f0e7f814a80b5f5157d5c6803e98566286b435c22e95096c62b2698be102169
                                                            • Instruction Fuzzy Hash: 9B914F71B1021A8FDF94DB65D8507AEB7F6FFC5200F10856AD80AEB344EB319D819B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cdab47da58dbbec51b97de4aa904a6279eb03c00439b6b40296494f37b68401a
                                                            • Instruction ID: dc73797002d4513bb59e514252ddb6b607a6546d0a7eb380ea3976b21bab5adf
                                                            • Opcode Fuzzy Hash: cdab47da58dbbec51b97de4aa904a6279eb03c00439b6b40296494f37b68401a
                                                            • Instruction Fuzzy Hash: 3761D7F1F001124BDF50A67ED84055EBADBEFC4620B154536D80ADB3A0DE65EC4287C5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e0a4a957a8ea320941c2061c96d5ca828e32e8ebff068e75152d78c6dcca9a8c
                                                            • Instruction ID: 978b397afdd417a6be71b0ac1a1095d5269bf3a87c0d436400e39c46008f7f8a
                                                            • Opcode Fuzzy Hash: e0a4a957a8ea320941c2061c96d5ca828e32e8ebff068e75152d78c6dcca9a8c
                                                            • Instruction Fuzzy Hash: A9812B70B1020A8FDF54DBA9D55066EBBF6AFC9300F108539D80ADB394DA75ED828B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ae4090e9d18a32eb11768a0a2b73a39753b7925e27191930d6a40c71c35c8c6b
                                                            • Instruction ID: 2400b683881297f89550627349433974b300f3f8a43d6f562c2b710377ac7003
                                                            • Opcode Fuzzy Hash: ae4090e9d18a32eb11768a0a2b73a39753b7925e27191930d6a40c71c35c8c6b
                                                            • Instruction Fuzzy Hash: DD818EB5B0020A8FDB54CF69D884B9EBBF6FF88310F14C269E9089B395D7719845CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e86428e29be7efcd0277f6678ddcc0c3845e10b47a230ec26f0bbd2991ff0f6e
                                                            • Instruction ID: 811bfc326f3153848e86817b384b54da2323af6f2924d8042407e81c8e9f1d39
                                                            • Opcode Fuzzy Hash: e86428e29be7efcd0277f6678ddcc0c3845e10b47a230ec26f0bbd2991ff0f6e
                                                            • Instruction Fuzzy Hash: 36915E70E1061A8BDF60DF68C840B9DB7B1FF89310F2086A9D449BB395DB71A985CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 81e1097addf221201500d44560b1a993913bd7d15242309c96864c27237d499e
                                                            • Instruction ID: ea03f721649d716131ba08b29ed00c8def960be3a111653b10a0b3fae8641b2a
                                                            • Opcode Fuzzy Hash: 81e1097addf221201500d44560b1a993913bd7d15242309c96864c27237d499e
                                                            • Instruction Fuzzy Hash: 82914E70E1061A8BDF60DF68C880B9DB7B1FF89310F2086A9D549BB354DB71A985CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1219b6d8bb25299dbedc2157c7a9a949b52f672558c15b399c5d0b8be3ec6986
                                                            • Instruction ID: d9f4a5d603b9deba9c537527ce68e6617e87f7ff2a01a527e887c34602d83aa4
                                                            • Opcode Fuzzy Hash: 1219b6d8bb25299dbedc2157c7a9a949b52f672558c15b399c5d0b8be3ec6986
                                                            • Instruction Fuzzy Hash: 7861A1B0B002099FDF549BA5C8147AEBBF6FBC8740F20852AE50AAB390DB755C45DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 825dc5c4810db531af5e5f35d587de90c29b8a3971000e212f0e5b52d38340df
                                                            • Instruction ID: 9e7ec775d5098ab20720e6d8c96142e97d389bd89eb2df0c0177f22f5110cca1
                                                            • Opcode Fuzzy Hash: 825dc5c4810db531af5e5f35d587de90c29b8a3971000e212f0e5b52d38340df
                                                            • Instruction Fuzzy Hash: 79517071B111068FDF94DB65D8507AEB7F6EFC8200F10896AD80ADB384DB35DD829B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c13a2afe5bdcf87cac0296b8e8b16ece2348ca6edf9f5cee8c5dab9967c74d8c
                                                            • Instruction ID: 625347cc2e0d8447ac8c7ed61a602df6a9c7671d6fc310ca955940171432982a
                                                            • Opcode Fuzzy Hash: c13a2afe5bdcf87cac0296b8e8b16ece2348ca6edf9f5cee8c5dab9967c74d8c
                                                            • Instruction Fuzzy Hash: 0A519071F002099FDB949BA5C8147AEBBF6FFC8740F20852AE506AF394DA715C419B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 322c77416c99a81f8d795caa3cddb11271742256c534cf8c1f1043fd929612f5
                                                            • Instruction ID: f1094ffcfed8c42176ad02342688e3731df5fb6757b764668aba175c2dcb4793
                                                            • Opcode Fuzzy Hash: 322c77416c99a81f8d795caa3cddb11271742256c534cf8c1f1043fd929612f5
                                                            • Instruction Fuzzy Hash: A2412DB1B0060A9FDF60CE99D880AAFF7F6FB84210F108A3AE156D7650D734E945DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd371d2dd149e4663a66a2671c007a9d44d0a1b6691dc53bf5aadf60046df3aa
                                                            • Instruction ID: 7ebb5b865122ec1b809681d11e7db23bd9955d5046e8edb1a2557d9f25372adc
                                                            • Opcode Fuzzy Hash: fd371d2dd149e4663a66a2671c007a9d44d0a1b6691dc53bf5aadf60046df3aa
                                                            • Instruction Fuzzy Hash: 32311E71B102068FDF559B34D8546AE7BE2FB89620F209679E806DF381EF34CC469B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 14e4438f8f66043a95c91b67a9354c05c96bea0f4a73604362ba7a0b5a23c52b
                                                            • Instruction ID: 942b5e9126d0c09abd0f8f164c194a1099655cac1102306500b7d2925badcc29
                                                            • Opcode Fuzzy Hash: 14e4438f8f66043a95c91b67a9354c05c96bea0f4a73604362ba7a0b5a23c52b
                                                            • Instruction Fuzzy Hash: 26311CB1B1020A8FDF599B34C4146AE7AE2FBC9610F209678D806DF380EF30CC429B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d47ecbfb563bf1bdb6a0bc27dbba9038d37366ee3adc71a0af58f50bb4f27ea3
                                                            • Instruction ID: 611068e06de72e35bac4810e8c02051d0de578b09cdefc4391acede9ebb3fc2a
                                                            • Opcode Fuzzy Hash: d47ecbfb563bf1bdb6a0bc27dbba9038d37366ee3adc71a0af58f50bb4f27ea3
                                                            • Instruction Fuzzy Hash: 4E317275A2020A9FDB55CFA4D85469EB7F2FF89300F108629E806EB350DB34AC42CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d6f94197b1bc75d31b451af3ba042550fd673155e0dfa5d3c67621a4e2041656
                                                            • Instruction ID: 05cb00e2a448860a6f8e30a8236bdcdb349bcf866804e6035e8333a82530922c
                                                            • Opcode Fuzzy Hash: d6f94197b1bc75d31b451af3ba042550fd673155e0dfa5d3c67621a4e2041656
                                                            • Instruction Fuzzy Hash: B0314175A2061ADFDB55CFA4D45469EB7F2FF89300F108529E816EB350DB71AC42CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a4807b03ebbfa1e4419a7cede290c551a9d8c49f389732d9942c6666a66cf0f6
                                                            • Instruction ID: 38378d6b7c572c724f00d0e10523e821b191f8c3c56099bf08c9c802dd5c4e73
                                                            • Opcode Fuzzy Hash: a4807b03ebbfa1e4419a7cede290c551a9d8c49f389732d9942c6666a66cf0f6
                                                            • Instruction Fuzzy Hash: 9C21B8B5E002069FDF10CFB9E950AAEBBF9EB49250F048139E900E7380E635D8818B95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 509a0bb825d536854747d40f59b8c69cbbc113c1075478bd1aa8b16aa7bd93ac
                                                            • Instruction ID: b9e72b16a635b2b239fbf22673a9acca96e37ab82e366b2ca81da27c9550b081
                                                            • Opcode Fuzzy Hash: 509a0bb825d536854747d40f59b8c69cbbc113c1075478bd1aa8b16aa7bd93ac
                                                            • Instruction Fuzzy Hash: D8314B74F1020BEBDF45CFA4D95469EBBB2BF89304F148629E815EB340DB709842CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cac17ba8a9b164b16bfaa129aee4b421a8d2088e3f1daf5511634dda05ce414c
                                                            • Instruction ID: 2264f8df323c632f359f6ef44867b5c02cdefa9f2c576ddbe8e1d342110a0ba7
                                                            • Opcode Fuzzy Hash: cac17ba8a9b164b16bfaa129aee4b421a8d2088e3f1daf5511634dda05ce414c
                                                            • Instruction Fuzzy Hash: C7213C74F1021BEBDB55DFA5D85069EF7B2BF89300F108629E815AB340DB719846CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d9c29c66528660e84516d9cfd3a560e99d241343a2b136fb7b90d169aa4a4967
                                                            • Instruction ID: 2407759715935306cc9a1ed553c60631002cae2f7c99e7908e2550f5508772c1
                                                            • Opcode Fuzzy Hash: d9c29c66528660e84516d9cfd3a560e99d241343a2b136fb7b90d169aa4a4967
                                                            • Instruction Fuzzy Hash: C32186B5E11216CFDF00CFA9D980AAEBBF5EB88210F148139E905E7390E735DC808B94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9dd66161d187f5a256ba8bdd2ae5334ffb5fbcf05cb5940c5e042779229bc75c
                                                            • Instruction ID: 9ca567d543f489f04272ab66feb58f74751edf243a909e823ba80a6e44b87536
                                                            • Opcode Fuzzy Hash: 9dd66161d187f5a256ba8bdd2ae5334ffb5fbcf05cb5940c5e042779229bc75c
                                                            • Instruction Fuzzy Hash: 0721A775E0064ADBCF59DFA4D4506DEB7F1AF85350F20872AE811EB740DBB29946CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2635081204.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_156d000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0bd07cf453e38f46495fe3bc2a1241f3df96aa2864f8c4ced8aaaaf5918c11b4
                                                            • Instruction ID: e947d7d03f47bf27175208137b5d5711230bb0dbf32547a2b2844467c8e337dc
                                                            • Opcode Fuzzy Hash: 0bd07cf453e38f46495fe3bc2a1241f3df96aa2864f8c4ced8aaaaf5918c11b4
                                                            • Instruction Fuzzy Hash: 7E210371604304DFEB01DF54D9C4B26BBB9FB84214F20C96DE8894F246C3BAD446CAA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 73a75b2ede5e0c4be41c8665dab5f388748d45550d24864229b29b36cdb2c48d
                                                            • Instruction ID: c28eb99bb64d1eac99ef54290b2cb9615684e0b473caca1014e2f647fdb960f6
                                                            • Opcode Fuzzy Hash: 73a75b2ede5e0c4be41c8665dab5f388748d45550d24864229b29b36cdb2c48d
                                                            • Instruction Fuzzy Hash: C821A1B5B111198FDF84DB69E85469EBBFBEF85220F148635E805DB380DB319C828B94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ecec2c2b974a03cd1de3eb3daeec66e3afe1a6a76adf5581fa6d9818859d2e2e
                                                            • Instruction ID: 0d3e60eae32391e9c04c0c9ccf87cfa771143056bada4cb15f886191c135700f
                                                            • Opcode Fuzzy Hash: ecec2c2b974a03cd1de3eb3daeec66e3afe1a6a76adf5581fa6d9818859d2e2e
                                                            • Instruction Fuzzy Hash: 32218070E0064ADBCF58DFA4D45059EB7F2AF89350F20872AE816FB380DBB29845CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d1e31803d9eb1decbe2f43d1caf471da8c0d087b35195309bcd6bf9b8209e990
                                                            • Instruction ID: c8954add10719eb5e3f3d0f2927ec20441ddbf9d6601ca1ba770a774440224b4
                                                            • Opcode Fuzzy Hash: d1e31803d9eb1decbe2f43d1caf471da8c0d087b35195309bcd6bf9b8209e990
                                                            • Instruction Fuzzy Hash: 0D219DB4B011198BDF84DB69E85469EB7FBEF85220F248635E909EB340DB319C818B94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bfc305cd054383c2c065e5017e53a5106efd46c5003ee323f9fc5344684db9e2
                                                            • Instruction ID: d97ea058f2d0689d49425bb344dc1b77a836dfab7ed726a137aed41055d643c1
                                                            • Opcode Fuzzy Hash: bfc305cd054383c2c065e5017e53a5106efd46c5003ee323f9fc5344684db9e2
                                                            • Instruction Fuzzy Hash: EE118871B111298BDF949678D8146AF77EAEBC9710F008539D90AE7384DE35DC028B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0479eebb037aff1774322cb359e4cc81266fc9b54167c5b106b578990b39f615
                                                            • Instruction ID: d1d95db675ad0c2dec4ce42503c199986ff68eb5ec5adf8734f2fddf1b63e47d
                                                            • Opcode Fuzzy Hash: 0479eebb037aff1774322cb359e4cc81266fc9b54167c5b106b578990b39f615
                                                            • Instruction Fuzzy Hash: D22113B1D01219AFCB00DF9AD885ADEFFB8FB48310F10862AE918A7340C3746544CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6991b5fd20345bb8567055af01b7ba9c60df01c242fabb2b3d738b2abaa4e31c
                                                            • Instruction ID: 300ff3ed1842d7e0964ff4ff42e3ce174f0a85467b7a1a93958f06bf594868e6
                                                            • Opcode Fuzzy Hash: 6991b5fd20345bb8567055af01b7ba9c60df01c242fabb2b3d738b2abaa4e31c
                                                            • Instruction Fuzzy Hash: 5901F1703041514FEBA29278D42532BBBD3DBC6610F14C93BF50ECB781EA2ACC024386
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 157579ea82ebfd8b1abc9de0b17d7a84ea23359a52118454681462d2f34be1ad
                                                            • Instruction ID: f76fe7628d637d22d0a7c212979764d05ed947470ed31209e11651eb3aa5d3b8
                                                            • Opcode Fuzzy Hash: 157579ea82ebfd8b1abc9de0b17d7a84ea23359a52118454681462d2f34be1ad
                                                            • Instruction Fuzzy Hash: 6201D8F03083039BFF64367654D833A7AD49F4929CF040638DD57C6293EE98E840E261
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2635081204.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_156d000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction ID: a991bced90c13cac6221f8f57fe3380871a76674d9879eb5326fde5c9ba91da7
                                                            • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction Fuzzy Hash: B111BE75604284CFDB02CF54D9C4B19BBB1FB84314F24CAA9D8494F257C37AD44ACB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 355eef9879c0e1176c1def8e9b8c3d71ce401ef1cd2bda20a7d623ec3de93b05
                                                            • Instruction ID: 5579cd38c594788eafe8e9601b671fde5590d7806ec71106d682891307e83af6
                                                            • Opcode Fuzzy Hash: 355eef9879c0e1176c1def8e9b8c3d71ce401ef1cd2bda20a7d623ec3de93b05
                                                            • Instruction Fuzzy Hash: 1C11C2B1D01219AFCB00DF9AD884ADEFBB4FB49314F10852AE918A7340C3746954CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 513b45b95d7bcadc60780f6fb54748a4c3d98fa4fdc19d136c6082ed4216a356
                                                            • Instruction ID: 747de24be30fa9508861e973660c0df074ee8032d5bd161e35ca45147070fdcd
                                                            • Opcode Fuzzy Hash: 513b45b95d7bcadc60780f6fb54748a4c3d98fa4fdc19d136c6082ed4216a356
                                                            • Instruction Fuzzy Hash: 4301DF70B042168FDF91967CE850B2B77E6EB86610F10493AE10ECB350EF29EC818781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 34632dec2978a66cfc3c2ef68a69d6e932fce549323fc99371604f79a6f77112
                                                            • Instruction ID: 3f104e91cd42f1643c83a27e8a96bcac1d898c7f5f1bc3cc6c2623c968629cb8
                                                            • Opcode Fuzzy Hash: 34632dec2978a66cfc3c2ef68a69d6e932fce549323fc99371604f79a6f77112
                                                            • Instruction Fuzzy Hash: 74016D317101164FEFA4966DD46472BB2DBEBDAA20F10C93AF90EC7784EE66DC024395
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 007bcefbb006bb92983c63c8b55973b5bd88e319f94fddd6835a899e9b570120
                                                            • Instruction ID: 62b2176de1c1fdf270da8eaed51172da521aebef9b50303b64cab5f22be56462
                                                            • Opcode Fuzzy Hash: 007bcefbb006bb92983c63c8b55973b5bd88e319f94fddd6835a899e9b570120
                                                            • Instruction Fuzzy Hash: B901A2B2B111554BDF989678EC153EF37EA9BC9211F00853AD90AE7380EF648C424B95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0241e034dd6f76a065f5f66201260279681a8004bb9277366ba5f6582d0ab57f
                                                            • Instruction ID: 94a7eca68c422740b7e84f10c248f4cefd770130620583d02a4152b1cd4b12a1
                                                            • Opcode Fuzzy Hash: 0241e034dd6f76a065f5f66201260279681a8004bb9277366ba5f6582d0ab57f
                                                            • Instruction Fuzzy Hash: 3A018C70B0011A4FDFA4967CE850B2BB3D6EB89B14F108939E50ECB350EF25EC818781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 916dde02e82cba235dc067adcc33f2f5a5c8261f2b517248343eba91e665a9a1
                                                            • Instruction ID: 6a8597f30414680bfb863674af383c5257773bd810f8defffc15ee12121392b4
                                                            • Opcode Fuzzy Hash: 916dde02e82cba235dc067adcc33f2f5a5c8261f2b517248343eba91e665a9a1
                                                            • Instruction Fuzzy Hash: 24F0E2F5B64109CFDF248B05E5442AC77B1FB00322F1486B1D800E3180D374A9C2EB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cba36d20edaee599ab8e13a0e6710bdade2e67cee3165b8a767a817738697809
                                                            • Instruction ID: 497d19e6e7247674e07dbc8b0e97483bd4af055205344a13278b953e8cb59fb3
                                                            • Opcode Fuzzy Hash: cba36d20edaee599ab8e13a0e6710bdade2e67cee3165b8a767a817738697809
                                                            • Instruction Fuzzy Hash: 77E092F1E09109EFDF50CEB4E99539A3BD5DB41324F208AB9D408C7650E136CD519341
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01286a41a581f462f2cd16cd00c9152f092291e3d396a91bfb7fb991edc7bf5d
                                                            • Instruction ID: 8b2e7e8f0e6c647dbe9a222e2ca3f1a739405176038a70328ea14444079aa7c0
                                                            • Opcode Fuzzy Hash: 01286a41a581f462f2cd16cd00c9152f092291e3d396a91bfb7fb991edc7bf5d
                                                            • Instruction Fuzzy Hash: 3CE08CF0E00109EBDF50CAA4998575A73ECD741324F208AB8D408C7200E572DE01A780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2672512416.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7090000_hesaphareketi_1.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7f8606e1cfe6495518abb2919256ed2ac919239626f4acf01254975954878b5a
                                                            • Instruction ID: 00949fc3e14f5f8e60b79f80b7ac186dd880b60e8e8d6c889a83d6c956d94a83
                                                            • Opcode Fuzzy Hash: 7f8606e1cfe6495518abb2919256ed2ac919239626f4acf01254975954878b5a
                                                            • Instruction Fuzzy Hash: 36C0805540D2615FE7011F3054017DA3B30EB11291F0B02C3D541FB063C61CCA5DE7B6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage: 6.1%
                                                            Dynamic/Decrypted Code Coverage: 100%
                                                            Signature Coverage: 0%
                                                            Total number of Nodes: 71
                                                            Total number of Limit Nodes: 7
                                                            execution_graph (one node per line: id, address, API name or annotation where present, then successor node ids)
                                                            13591  121ce10  DuplicateHandle  ->  13592
                                                            13592  121cea6
                                                            13593  121c7c0  ->  13594
                                                            13594  121c806  GetCurrentProcess  ->  13596, 13597
                                                            13596  121c851  ->  13597
                                                            13597  121c858  GetCurrentThread  ->  13598, 13599
                                                            13598  121c895  GetCurrentProcess  ->  13600
                                                            13599  121c88e  ->  13598
                                                            13600  121c8cb  ->  13601
                                                            13601  121c8f3  GetCurrentThreadId  ->  13602
                                                            13602  121c924
                                                            13603  1214528  ->  13604
                                                            13604  121453a  ->  13607
                                                            13607  1213cf4  ->  13608
                                                            13608  1213cff  ->  13611
                                                            13610  12145d9
                                                            13611  12140e8  ->  13612
                                                            13612  12140f3  ->  13615
                                                            13614  12147fd  ->  13610
                                                            13615  1214204  ->  13616
                                                            13616  121420f  ->  13619
                                                            13618  12148da  ->  13614
                                                            13619  1214234  ->  13620
                                                            13620  121423f  ->  13623
                                                            13622  12149dc  ->  13618
                                                            13623  1214264  ->  13624
                                                            13624  121426f  ->  13626, 13629
                                                            13625  1217a19  ->  13622
                                                            13626  12179db  ->  13625, 13633
                                                            13629  121a3f8  ->  13638, 13641
                                                            13630  121a40e  ->  13626
                                                            13633  121c4fd  ->  13634
                                                            13634  121c519  ->  13635, 13665, 13670
                                                            13635  121c53d  ->  13625
                                                            13638  121a430  ->  13645
                                                            13639  121a43f  ->  13630
                                                            13641  121a420  ->  13642
                                                            13642  121a430  ->  13644
                                                            13643  121a43f  ->  13630
                                                            13644  121a528  2 API calls  ->  13643
                                                            13645  121a528  ->  13646, 13647
                                                            13646  121a539  ->  13647, 13653, 13657
                                                            13647  121a55c  ->  13639
                                                            13648  121a554  ->  13647, 13649
                                                            13649  121a760  GetModuleHandleW  ->  13650
                                                            13650  121a78d  ->  13639
                                                            13653  121a7c0  ->  13654
                                                            13654  121a7d4  ->  13656, 13661
                                                            13656  121a7f9  ->  13648
                                                            13657  121a7b2  ->  13658
                                                            13658  121a7d4  ->  13659, 13660
                                                            13659  121a7f9  ->  13648
                                                            13660  12198b0  LoadLibraryExW  ->  13659
                                                            13661  12198b0  ->  13662
                                                            13662  121a9a0  LoadLibraryExW  ->  13664
                                                            13664  121aa19  ->  13656
                                                            13665  121c699  ->  13666, 13667
                                                            13666  121c64f  ->  13635
                                                            13667  121c6a2  ->  13668, 13674
                                                            13668  121c6ef  ->  13635
                                                            13670  121c6a8  ->  13671
                                                            13671  121c6b5  ->  13672, 13673
                                                            13672  121c6ef  ->  13635
                                                            13673  121b260  2 API calls  ->  13672
                                                            13674  121b260  ->  13675
                                                            13675  121b26b  ->  13677, 13678
                                                            13677  121d408  ->  13677
                                                            13678  121ca5c  ->  13679
                                                            13679  121ca67  ->  13680
                                                            13680  1214264  2 API calls  ->  13681
                                                            13681  121d477  ->  13677

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0121C83E
                                                            • GetCurrentThread.KERNEL32 ref: 0121C87B
                                                            • GetCurrentProcess.KERNEL32 ref: 0121C8B8
                                                            • GetCurrentThreadId.KERNEL32 ref: 0121C911
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1568759827.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_1210000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: d726587dfe018ba3898a857bb9348323f49d963c73e9f085821bdbbec87ba8d7
                                                            • Instruction ID: 12aa18a1458c4c927046d878c7fe24a9963ecce68aac391aa00899d925372f8a
                                                            • Opcode Fuzzy Hash: d726587dfe018ba3898a857bb9348323f49d963c73e9f085821bdbbec87ba8d7
                                                            • Instruction Fuzzy Hash: 5F5166B094034A8FEB18DFAAD548BAEBFF1BF88314F208459D509A7390D7346944CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0121C83E
                                                            • GetCurrentThread.KERNEL32 ref: 0121C87B
                                                            • GetCurrentProcess.KERNEL32 ref: 0121C8B8
                                                            • GetCurrentThreadId.KERNEL32 ref: 0121C911
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1568759827.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_1210000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 19088e614125e664cde95ed0c5c543f616e49dc5f376467c25ba136249f994ac
                                                            • Instruction ID: 78c53ff10cf17301188544151c96948a774136fa8b2fcd461dd629d8df592810
                                                            • Opcode Fuzzy Hash: 19088e614125e664cde95ed0c5c543f616e49dc5f376467c25ba136249f994ac
                                                            • Instruction Fuzzy Hash: 255167B095034A8FEB18DFAAC548BAEBBF1FF88314F208459D409A7350DB346844CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0121A77E
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1568759827.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_1210000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 5d4342294d43776796010591df30227d5d4e1c20e56eddd6261438b54d779815
                                                            • Instruction ID: 9c20e6132ae683b1c46ed8e91459c6a6d83aeb5b1a64a05b243117619f90839d
                                                            • Opcode Fuzzy Hash: 5d4342294d43776796010591df30227d5d4e1c20e56eddd6261438b54d779815
                                                            • Instruction Fuzzy Hash: 6D716970A11B468FEB29CF29D45079ABBF1FF98704F00892DD58AD7A44D774E846CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0121CE97
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1568759827.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_1210000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 8fd7ded2ba193652969cc809f2cab06cfa8002b862e36a6230927ad4aeed4d50
                                                            • Instruction ID: 693882e0a5da7a4b6ad147c813766343536aaf1eb023ee71fe5318a0baa522c6
                                                            • Opcode Fuzzy Hash: 8fd7ded2ba193652969cc809f2cab06cfa8002b862e36a6230927ad4aeed4d50
                                                            • Instruction Fuzzy Hash: 9E2103B5D002499FDB10CFAAD884AEEBFF5FF48310F14841AE958A3210C375A955CF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0121CE97
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1568759827.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_1210000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 9131730166e2e0574d87b798dcca4048486e404fc83d80764203f677f478dcab
                                                            • Instruction ID: 5b9a0e7c4ada48223553aa2e70564fa221090cf73903b351b262e2a8ec83ad77
                                                            • Opcode Fuzzy Hash: 9131730166e2e0574d87b798dcca4048486e404fc83d80764203f677f478dcab
                                                            • Instruction Fuzzy Hash: 6421C4B59003499FDB10CFAAD884ADEBBF9FB48310F14841AE958A3350D375A954CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0121A7F9,00000800,00000000,00000000), ref: 0121AA0A
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1568759827.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_1210000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 461d9da28f99f05adf6cad342ee9f95194d4771add7a73adf1e48834d81efc2e
                                                            • Instruction ID: c6e061956e5da8ca654f6b7d3b77b5952fcafdc8a6b712a78751777724687bcf
                                                            • Opcode Fuzzy Hash: 461d9da28f99f05adf6cad342ee9f95194d4771add7a73adf1e48834d81efc2e
                                                            • Instruction Fuzzy Hash: 0B1117B6C003498FDB20CFAAC585ADEFBF5EB98310F20851ED555A7600C375A546CF64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0121A7F9,00000800,00000000,00000000), ref: 0121AA0A
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1568759827.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_1210000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: e1bb40acae0c0e875efaf1c8f261e5b2306dfbc907083772b5c58b7ac9b2f03b
                                                            • Instruction ID: b5ca9b0b4931edb5ad0ada6610c4318874d242b09c6c6b402337100718026178
                                                            • Opcode Fuzzy Hash: e1bb40acae0c0e875efaf1c8f261e5b2306dfbc907083772b5c58b7ac9b2f03b
                                                            • Instruction Fuzzy Hash: 651114B68003498FDB10CF9AC444BDEFBF5EB98320F10842ED519A7600C375A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0121A77E
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1568759827.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_1210000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 817fc2243e2c63fc904d3b3e3e3292aea9072d1ff99b304e1d00b6e9c870f551
                                                            • Instruction ID: 7630e48a2f018a5c0c308e817b702f4d3fb520f3229ebb141af0e141e1ff441d
                                                            • Opcode Fuzzy Hash: 817fc2243e2c63fc904d3b3e3e3292aea9072d1ff99b304e1d00b6e9c870f551
                                                            • Instruction Fuzzy Hash: 8711DFB5C013898FDB24DF9AC444B9EFBF5AB88624F10842AD519A7610C379A646CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1568408295.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_11bd000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9fda3399dd5fe92bb49afb61008a11d2bcf41aee8b65ecd46e5b04b5ecb0a790
                                                            • Instruction ID: ff480fdbddd2d668a455711c1e7616fa056f8caa54853a99cf0c92c513c69fe5
                                                            • Opcode Fuzzy Hash: 9fda3399dd5fe92bb49afb61008a11d2bcf41aee8b65ecd46e5b04b5ecb0a790
                                                            • Instruction Fuzzy Hash: 45212471604204DFDF0DDF44E8C0B56BF61FB84328F20C169E9090A256C33AD446CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1568512673.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_11cd000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ecd80166f164e46a1b2822bf01096439e38d99b19ac6f69407effb44e4af6f2f
                                                            • Instruction ID: 080732a9d499cb75661bcd14bb03dab9f5c495aab18b33ab2538c130a030b3fa
                                                            • Opcode Fuzzy Hash: ecd80166f164e46a1b2822bf01096439e38d99b19ac6f69407effb44e4af6f2f
                                                            • Instruction Fuzzy Hash: 28210375604300DFDF19DF58E884B16BB61FB94A14F20C57DD84A0B246C336D417CAA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1568512673.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_11cd000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a7575b19acbc9a2895972a94c2119591a9be7a61fcdf62255e399b82abc8d58
                                                            • Instruction ID: 3c89cb2cb76bfce08b6ceba68f6ee727a1fd681a1cf33986ccc751426ddba595
                                                            • Opcode Fuzzy Hash: 1a7575b19acbc9a2895972a94c2119591a9be7a61fcdf62255e399b82abc8d58
                                                            • Instruction Fuzzy Hash: 8C2192755083809FCB07CF58D994715BF71EB46214F28C5EED8498F2A7C33A9816CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.1568408295.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_11bd000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction ID: 75d25f0663580d12cc00b0d75b10cd142cc4a9d8bebd23623af2a353e2f61f27
                                                            • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction Fuzzy Hash: 5E11DF76504240CFCF0ACF48D5C0B56BF72FB84328F2481A9D9094B257C33AD456CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1587458961.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_4a40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ]n^$]n^
                                                            • API String ID: 0-1445656537
                                                            • Opcode ID: 017f8fea41743c9ac6a177506ee97b49f480ab2e8af93b86c14a1a7bc9518843
                                                            • Instruction ID: 3aa9bdb87307f2c92139dd801bf90c5d9a3949f0d05003f2ea59b02868a04133
                                                            • Opcode Fuzzy Hash: 017f8fea41743c9ac6a177506ee97b49f480ab2e8af93b86c14a1a7bc9518843
                                                            • Instruction Fuzzy Hash: 4A318474A093969FCB02DF6CC89459EBFB0BF8A210B0944DAD485DB393C724E806C7A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1605286934.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7780000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 966c29359b2cef99d07e245219d4a15443d6049224d19f502055586e1e884860
                                                            • Instruction ID: acf6b8bd6362272b8fd85feb3e85cf5935c62e8d106f975ffdd301e68bfee21b
                                                            • Opcode Fuzzy Hash: 966c29359b2cef99d07e245219d4a15443d6049224d19f502055586e1e884860
                                                            • Instruction Fuzzy Hash: EB126CB1B443158FC755AB68D8017AABFA2AFC6252F14C87FD905CB652DB31CC42C7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1587458961.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_4a40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1cbd45bb4804888b5928cc817e5d2bb36b03e47338dc06421eeb24ca786a3eae
                                                            • Instruction ID: 8d0717798cefa8462fb06449cc7f5c5f93d06cff66438cbc092c8e9f2a8b36a7
                                                            • Opcode Fuzzy Hash: 1cbd45bb4804888b5928cc817e5d2bb36b03e47338dc06421eeb24ca786a3eae
                                                            • Instruction Fuzzy Hash: C7918D75A002058FCB15CF59C494AAEFBB1FFC9310B2585A9E815AB3A5C735FC91CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1605286934.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7780000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7cc6a472a6f70c5f9bdfca7a111d5bcafaddd51e6ef1c7b0ef2d96ef15f4f8a1
                                                            • Instruction ID: 3c3cab0fc84609ab1fe7cea51d0f272773fe08008ffc18e740058e25aceaa6dd
                                                            • Opcode Fuzzy Hash: 7cc6a472a6f70c5f9bdfca7a111d5bcafaddd51e6ef1c7b0ef2d96ef15f4f8a1
                                                            • Instruction Fuzzy Hash: B241F6F1A40305DFCB65AF15C905BB97BA2AF86294F54C8AED9009F652C732DC42C771
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1587458961.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_4a40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5c685b2bbdbaf7eb0744ad0048946c712b9357789dc17cd51c70ebcae9db45f6
                                                            • Instruction ID: f23cb698428a3b141c78b2d9f1d0b910c08f7dda13f4032680d6d0d4823ff291
                                                            • Opcode Fuzzy Hash: 5c685b2bbdbaf7eb0744ad0048946c712b9357789dc17cd51c70ebcae9db45f6
                                                            • Instruction Fuzzy Hash: E8415B75A006058FCB05CF59C4D8AAEFBB1FF88314B158599E815AB364C736FC91CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1587458961.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_4a40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5ff7839cc19ecc642bca9995b344b8c05af48204c40ab27153b839140810a4a3
                                                            • Instruction ID: b3f72c0679dad2a667c96fb72f8a602c2607c8d02e70f510c603154425fc2618
                                                            • Opcode Fuzzy Hash: 5ff7839cc19ecc642bca9995b344b8c05af48204c40ab27153b839140810a4a3
                                                            • Instruction Fuzzy Hash: E021EA74A042598FCB00CF98D480AAEFBB1FF8D314B158599E815AB352C731FC45CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1586450785.000000000313D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0313D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_313d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 289873c1c97232cb50cf33a7c4d65d471d73b2ae08b54eeb208cb125fb767a84
                                                            • Instruction ID: 8a70ca53fd663408cc10e77a4a6446ca527ae10c2168cdb7b9e53707cc86e844
                                                            • Opcode Fuzzy Hash: 289873c1c97232cb50cf33a7c4d65d471d73b2ae08b54eeb208cb125fb767a84
                                                            • Instruction Fuzzy Hash: 8501807100D3C09FD7128B259C84752BFA8DF47624F1980CBD8888F193C2685C44CB72
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1586450785.000000000313D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0313D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_313d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ca4634395769ef78126ea91b38f3fb433c43005023c8937cb83dd293985ab417
                                                            • Instruction ID: 6dd6d2c3f318c06c80246fcea361690b778f2113e3acd0e31164a32209f2ec29
                                                            • Opcode Fuzzy Hash: ca4634395769ef78126ea91b38f3fb433c43005023c8937cb83dd293985ab417
                                                            • Instruction Fuzzy Hash: 7301F7714043049BE7108A21DC80BA7FF98DF4AB35F18C059EC085B182C7789441CBB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1605286934.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7780000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: l$l$l$l
                                                            • API String ID: 0-2658161240
                                                            • Opcode ID: 6ef2acfb979412f8fbc43fb28f6e7b341dec85998193e564817d563c70cd67e3
                                                            • Instruction ID: 40248d5acfc305c987f363e70ce7dc6032a2c3d99c30a22eb38346823cada6b7
                                                            • Opcode Fuzzy Hash: 6ef2acfb979412f8fbc43fb28f6e7b341dec85998193e564817d563c70cd67e3
                                                            • Instruction Fuzzy Hash: 8EF15AB17442098FD754AB68D4017AABBE2AFC6361F58C87ED84ACB651DB31CC42C7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:11%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:98
                                                            Total number of Limit Nodes:11

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $
                                                            • API String ID: 0-3993045852
                                                            • Opcode ID: 52efa5fc64131a8eec4742c3a005a184389afa585c09d240319b0410534ae80a
                                                            • Instruction ID: 0bd7db9b7c5ece8627d5ea4f183d7af38749e3f71ac0572282f318459dd2e7b0
                                                            • Opcode Fuzzy Hash: 52efa5fc64131a8eec4742c3a005a184389afa585c09d240319b0410534ae80a
                                                            • Instruction Fuzzy Hash: 4222A075E102158FDF64DBA4C4806AEBBB6FF89310F64846AD809EB385DB35ED41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bd5c90410f253e4fb2f7db68273cd6e7258fa2f1f5570c5dbdaaf50a6cc1ff1f
                                                            • Instruction ID: f28aaa56a57b461aabfa0ca3e1a66a7b71fee28eef11f2799c0473c4e2ae6bab
                                                            • Opcode Fuzzy Hash: bd5c90410f253e4fb2f7db68273cd6e7258fa2f1f5570c5dbdaaf50a6cc1ff1f
                                                            • Instruction Fuzzy Hash: A7D27D30E00219CFDB64DB68C584AADB7B2FF89310F54C5AAD449AB351DB75EE81CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 814d302580d6e007e099833d0e707afc050a6de4e6f8530c2c0aaff5f24e4e5e
                                                            • Instruction ID: 2d8ba7f113360f878d1a082b88c68175702061149a1fd055b333ab98e1647038
                                                            • Opcode Fuzzy Hash: 814d302580d6e007e099833d0e707afc050a6de4e6f8530c2c0aaff5f24e4e5e
                                                            • Instruction Fuzzy Hash: 5A628B30B006098FDB54DB69D594BAEBBF2EF85310F148469E806EB390DB76ED45CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b2b0eb4a001f1923c41dfcc7b41cf7e362760fe7c8925d68b7f6997974654b9c
                                                            • Instruction ID: c13909a2670dbf058ab894e6408679ef5bf119fb55e29caf6b1a6b7018d74416
                                                            • Opcode Fuzzy Hash: b2b0eb4a001f1923c41dfcc7b41cf7e362760fe7c8925d68b7f6997974654b9c
                                                            • Instruction Fuzzy Hash: B2329434B1020A9FDF54DB69D994BAEB7B2FB88310F208529E415EB380DB75ED41CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cf22c3f14333cc80a59d3b04f9989cc8984d08acf05ba20bf71ad3b29463fe6b
                                                            • Instruction ID: 7de2dcfc5903aff848c15d2bdc0c75108067559852bf26bcf87a5e4551aa4d60
                                                            • Opcode Fuzzy Hash: cf22c3f14333cc80a59d3b04f9989cc8984d08acf05ba20bf71ad3b29463fe6b
                                                            • Instruction Fuzzy Hash: 66226F30E102098FEFA4CF68D5947ADB7B6EB89310F64842AE419DB391DB35DE81CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6bb6f1f6f663df588bf6902b10e3cffc37d51453b88699fbd56f78512644f732
                                                            • Instruction ID: 012504599fa1d1c21318d5f35ddea23a4c0d0aecd750eec51da7377927e5d733
                                                            • Opcode Fuzzy Hash: 6bb6f1f6f663df588bf6902b10e3cffc37d51453b88699fbd56f78512644f732
                                                            • Instruction Fuzzy Hash: F002AF30B012198FDB54DB69D8987AEB7E2FF84310F148569D906DB384DB76ED82CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 06C5328E
                                                            • GetCurrentThread.KERNEL32 ref: 06C532CB
                                                            • GetCurrentProcess.KERNEL32 ref: 06C53308
                                                            • GetCurrentThreadId.KERNEL32 ref: 06C53361
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1683692594.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 1d7a00df65619ca2a70100a57043970893f5c377ff606ac7b1901d0aa948e632
                                                            • Instruction ID: 2da93cf3a9e14858e91e43626c86ad44064f3fdf60fb363097ee436ea9dc9ff3
                                                            • Opcode Fuzzy Hash: 1d7a00df65619ca2a70100a57043970893f5c377ff606ac7b1901d0aa948e632
                                                            • Instruction Fuzzy Hash: 9B5165B0900749CFDB54DFAAC988B9EBBF1FF88314F208059E409A7250DB745985CF6A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 06C5328E
                                                            • GetCurrentThread.KERNEL32 ref: 06C532CB
                                                            • GetCurrentProcess.KERNEL32 ref: 06C53308
                                                            • GetCurrentThreadId.KERNEL32 ref: 06C53361
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1683692594.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: aee14aeb56143dd73d8820b4d0361e78735b24b7f3f3464336d88c58cabf1091
                                                            • Instruction ID: bc19292d03d9be0ca9c4826cc2cc178553ba039e57402a6f65a7709e82f6285b
                                                            • Opcode Fuzzy Hash: aee14aeb56143dd73d8820b4d0361e78735b24b7f3f3464336d88c58cabf1091
                                                            • Instruction Fuzzy Hash: 165146B0900749CFDB54DFAAD988B9EBBF1FB88314F208019E409A7250DB746984CF69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06C5B97E
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1683692594.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 63dfa94bbfcc104c9d62fbd957b7fc06996dd376b457c4ae5b9e4349dccb7b04
                                                            • Instruction ID: 26a475ac45a15cb69fbec35f96e74396f9eedd71fdc219f62d9258b27b6ff027
                                                            • Opcode Fuzzy Hash: 63dfa94bbfcc104c9d62fbd957b7fc06996dd376b457c4ae5b9e4349dccb7b04
                                                            • Instruction Fuzzy Hash: A7818970A00B058FD764DF2AC85575ABBF1FF88204F00892ED88AD7B40DB75E985CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C5DA22
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1683692594.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: d38a72a5f6294f2be04a63ac44069e7f8b94a775143e9a56968068c0c47f243b
                                                            • Instruction ID: 7b820f34bd0c93b47d4924c4e5da53da2264fb85278f2a2af833d0d87f362199
                                                            • Opcode Fuzzy Hash: d38a72a5f6294f2be04a63ac44069e7f8b94a775143e9a56968068c0c47f243b
                                                            • Instruction Fuzzy Hash: CD51C3B5D00349DFDB14CF99C884ADEBFB5BF88310F25812AE819AB210D771A985CF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C5DA22
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1683692594.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 688649c58ca68db7f2db9cc133f94a66a05aa99b8a1b06388a6010f21e40e40f
                                                            • Instruction ID: ca9cf9be4db4c46130a9b135470cf86ea9242abfed2daad5c84a994e8e264344
                                                            • Opcode Fuzzy Hash: 688649c58ca68db7f2db9cc133f94a66a05aa99b8a1b06388a6010f21e40e40f
                                                            • Instruction Fuzzy Hash: AB41B0B1D00309DFDB14CF9AC884ADEBBB5FF48310F25812AE819AB210D775A985CF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 842 71e0c70-71e0cac 843 71e0d5c-71e0d7c 842->843 844 71e0cb2-71e0cb7 842->844 850 71e0d7f-71e0d8c 843->850 845 71e0d0a-71e0d42 CallWindowProcW 844->845 846 71e0cb9-71e0cf0 844->846 847 71e0d4b-71e0d5a 845->847 848 71e0d44-71e0d4a 845->848 852 71e0cf9-71e0d08 846->852 853 71e0cf2-71e0cf8 846->853 847->850 848->847 852->850 853->852
                                                            APIs
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 071E0D31
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1685924792.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_71e0000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: CallProcWindow
                                                            • String ID:
                                                            • API String ID: 2714655100-0
                                                            • Opcode ID: 7b222aabbe3cbadcb81cff767e862480eadc1a41599831bc5a8327bd6b809b4f
                                                            • Instruction ID: 19e946a6f3ff22d1fe979090c6bbbd922a1b78d639d5f67d003104c0837d3e6d
                                                            • Opcode Fuzzy Hash: 7b222aabbe3cbadcb81cff767e862480eadc1a41599831bc5a8327bd6b809b4f
                                                            • Instruction Fuzzy Hash: 264149B4900709CFCB14CF99C848AAABBF5FB88314F258499D419AB361D775E841CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 856 6c53450-6c53455 857 6c53458-6c534ec DuplicateHandle 856->857 858 6c534f5-6c53512 857->858 859 6c534ee-6c534f4 857->859 859->858
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06C534DF
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1683692594.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: b00bbbd10f30e0b1c6dca8ced31892aa09bb3ea34212aee6c1bbc1fd1880bea4
                                                            • Instruction ID: 24bec9108bcb81f9f2ed4d75e41b65b95a1f98496bd7ec0dc5b51e0bae56c947
                                                            • Opcode Fuzzy Hash: b00bbbd10f30e0b1c6dca8ced31892aa09bb3ea34212aee6c1bbc1fd1880bea4
                                                            • Instruction Fuzzy Hash: 2021E3B5D003499FDB10CFAAD884ADEBBF9FB48310F14805AE919A7350D375A944CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 862 6c53458-6c534ec DuplicateHandle 863 6c534f5-6c53512 862->863 864 6c534ee-6c534f4 862->864 864->863
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06C534DF
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1683692594.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 712a67b3272bd54482e7436fe316b5f59ff4784c51f8b4907aefac51526fc5cd
                                                            • Instruction ID: 4b99061b4cb1ef8a85e70aadd3cf26350c8c1ac5ee5ee721b17ab1661ca41e93
                                                            • Opcode Fuzzy Hash: 712a67b3272bd54482e7436fe316b5f59ff4784c51f8b4907aefac51526fc5cd
                                                            • Instruction Fuzzy Hash: 5221E3B59002499FDB10CFAAD884ADEBBF8FB48310F14801AE918A7350D375A944CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 867 6c5bb79-6c5bbc0 869 6c5bbc2-6c5bbc5 867->869 870 6c5bbc8-6c5bbf7 LoadLibraryExW 867->870 869->870 871 6c5bc00-6c5bc1d 870->871 872 6c5bbf9-6c5bbff 870->872 872->871
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06C5B9F9,00000800,00000000,00000000), ref: 06C5BBEA
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1683692594.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: e5213175593aa72864aabad7d6b430139c49b36b58092b9cd7d0f01157d00b2b
                                                            • Instruction ID: b1f152048262ff4c698e1f5cb958182b593970b56f0d77324eba31a7bc43dae4
                                                            • Opcode Fuzzy Hash: e5213175593aa72864aabad7d6b430139c49b36b58092b9cd7d0f01157d00b2b
                                                            • Instruction Fuzzy Hash: 901103B6C003099FDB14DF9AD884ADEFBF9EB88310F11841EE819A7240C7B5A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 882 6c5a710-6c5bbc0 884 6c5bbc2-6c5bbc5 882->884 885 6c5bbc8-6c5bbf7 LoadLibraryExW 882->885 884->885 886 6c5bc00-6c5bc1d 885->886 887 6c5bbf9-6c5bbff 885->887 887->886
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06C5B9F9,00000800,00000000,00000000), ref: 06C5BBEA
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1683692594.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: abca1ee9b62841622d203e845d9d7b19c5e8d635ec0cc6121ed1a1b41f56b094
                                                            • Instruction ID: acf866fcfd65103e0c90eba49b630db2a8853100775088cd24648038e3428b2c
                                                            • Opcode Fuzzy Hash: abca1ee9b62841622d203e845d9d7b19c5e8d635ec0cc6121ed1a1b41f56b094
                                                            • Instruction Fuzzy Hash: C51117B6C003098FDB10DF9AD884B9EFBF4EB49310F11842EE919A7210C3B5A945CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 875 13ce75c-13cf09c GlobalMemoryStatusEx 878 13cf09e-13cf0a4 875->878 879 13cf0a5-13cf0cd 875->879 878->879
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,013CEFA2), ref: 013CF08F
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1656177884.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_13c0000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: a3c4d06d499d0adb6d2494fdea7b858c25327d8f87771da16068d0124831a742
                                                            • Instruction ID: cc7027f538e5319e504f234970b622155816c1fd7053078d045b561a8d2b13db
                                                            • Opcode Fuzzy Hash: a3c4d06d499d0adb6d2494fdea7b858c25327d8f87771da16068d0124831a742
                                                            • Instruction Fuzzy Hash: 561136B1C0065A9BDB10DF9AC44479EFBF8BB48614F10816AE914A7240D378A944CFE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 890 13cf024-13cf066 892 13cf06e-13cf09c GlobalMemoryStatusEx 890->892 893 13cf09e-13cf0a4 892->893 894 13cf0a5-13cf0cd 892->894 893->894
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,013CEFA2), ref: 013CF08F
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1656177884.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_13c0000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: c9ff128d6389c49e21fad0c53026e3046a7b264577ddb9e2872e0d4759cf104e
                                                            • Instruction ID: 8c10b2aae136d53a760ab952e6ab87f7b545a5cec70e2b588005a347d71aae89
                                                            • Opcode Fuzzy Hash: c9ff128d6389c49e21fad0c53026e3046a7b264577ddb9e2872e0d4759cf104e
                                                            • Instruction Fuzzy Hash: 6D1126B1C0065A9FDB10DF9AC4447DEFBF4BF48724F11816AE818A7240D378A944CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 897 6c5b918-6c5b958 898 6c5b960-6c5b98b GetModuleHandleW 897->898 899 6c5b95a-6c5b95d 897->899 900 6c5b994-6c5b9a8 898->900 901 6c5b98d-6c5b993 898->901 899->898 901->900
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06C5B97E
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1683692594.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: d73755fcb13b1e8a48c8b9eb66de26e953afe2ef29613f8bd6e8e1361e266b71
                                                            • Instruction ID: 0f2e32675b3ce02951363e8c901de3fbac097a53b934f67cf7f2ca03dbb4833e
                                                            • Opcode Fuzzy Hash: d73755fcb13b1e8a48c8b9eb66de26e953afe2ef29613f8bd6e8e1361e266b71
                                                            • Instruction Fuzzy Hash: F21113B5C003498FCB10DF9AC844BDEFBF4EB88214F11841AD859A7210C379A645CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 071E333D
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1685924792.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_71e0000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: 0b5880c449bc4b1231812d870cbf6dea17d5ec5395c31525a8fa42180c5d469d
                                                            • Instruction ID: 65db161a5fa4358421a1d392b2fbea3c2c5d966aa2afb95b471a2c7e9bdaa63c
                                                            • Opcode Fuzzy Hash: 0b5880c449bc4b1231812d870cbf6dea17d5ec5395c31525a8fa42180c5d469d
                                                            • Instruction Fuzzy Hash: 961127B58007498FCB10DF9AD444BCEFBF8EB48324F248419E559A7340D778A544CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 071E333D
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1685924792.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_71e0000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: f5ecc6a7f2af6cd7ee0111342a25f4f6b440aa16857184b578d4393fb06e067b
                                                            • Instruction ID: 0c6ae1998da56b9f2afc73b96f208122dd6e50dab1dc5f0dd727cf6a0172e1e5
                                                            • Opcode Fuzzy Hash: f5ecc6a7f2af6cd7ee0111342a25f4f6b440aa16857184b578d4393fb06e067b
                                                            • Instruction Fuzzy Hash: CC1145B58007498FCB20DF9AD444B9EFBF8EB48220F208419E569A7340D778A944CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c2362b12704c06d22ed825918a614f6549964859a80da1b2c5f6c268b855374e
                                                            • Instruction ID: 939fef68ffc2a4bd9351165851288d3ffe8bdc653c9b30dc50fd90fe8b07cef0
                                                            • Opcode Fuzzy Hash: c2362b12704c06d22ed825918a614f6549964859a80da1b2c5f6c268b855374e
                                                            • Instruction Fuzzy Hash: 87624D30B1030A9FDB55DB68D580A5DB7B2FF84304F208A69D40A9B358DB76FD46CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cf7a2180944fc57eb239112c455112872a830956d5765fac22b13e15745e2a8d
                                                            • Instruction ID: 04627bc528a2820a934df8418fec70864dc79179fa7ecc2e01b07e4e8b05dc9d
                                                            • Opcode Fuzzy Hash: cf7a2180944fc57eb239112c455112872a830956d5765fac22b13e15745e2a8d
                                                            • Instruction Fuzzy Hash: 62E16E30E102199FDB68DFA9D8906AEB7B2FF89301F208529D815DB244DB75ED46CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bb525dcc82889b9baf7b7cbd75634d0a0fbd0abffe2dd6886c3e53fe25278c5c
                                                            • Instruction ID: 5c4cff0c5cd099f0bdb9a6ca5c71a6f7194818b0aabd6e7922baa7a5c1a45d9b
                                                            • Opcode Fuzzy Hash: bb525dcc82889b9baf7b7cbd75634d0a0fbd0abffe2dd6886c3e53fe25278c5c
                                                            • Instruction Fuzzy Hash: E2A18530E012099BEFA4CFADD9947AEB7B6EB89310F608429E405E7391CB35DD819751
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7bd25fe91600a290ab321a7d8a8043c591f84ac1493fb383e78f434c945df5a5
                                                            • Instruction ID: d32f28b0272685bc0e909a79acadf2126ab97ee4fcb8cde37c36f6bdaf4fff70
                                                            • Opcode Fuzzy Hash: 7bd25fe91600a290ab321a7d8a8043c591f84ac1493fb383e78f434c945df5a5
                                                            • Instruction Fuzzy Hash: C7A14930E102098FDBA4CF68D584BADB7B2FB45310F24856AE469EB351D735EE81CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 54e62234d6ef380f425f9ff53b2a9ac833d82316841e2a76452fd126db1dfbaf
                                                            • Instruction ID: f5f75b897748ae8f772818cc691e965b063c3de084e551b166a665d0b1261ad6
                                                            • Opcode Fuzzy Hash: 54e62234d6ef380f425f9ff53b2a9ac833d82316841e2a76452fd126db1dfbaf
                                                            • Instruction Fuzzy Hash: 7C913E30B1021A8FDB94DB79D8507AEB7B6FFC9200F108569C81AEB344EB75DD418B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a148a90476203be94ad43cc5d1c1a8b491e9623b3fe437664b9cd5e126221578
                                                            • Instruction ID: 0a511984191a645566f90e5417a30748ec83a3f743ead7d4d7e91b889ca03027
                                                            • Opcode Fuzzy Hash: a148a90476203be94ad43cc5d1c1a8b491e9623b3fe437664b9cd5e126221578
                                                            • Instruction Fuzzy Hash: B161D471F005214BDF54AA7EC884A6FBADBEFC4610B15403AD80ADB3A0DEB5ED4287C5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16cc4778902d0dc457566a71489ccb5412868f75aa736d97887733a7238e8e94
                                                            • Instruction ID: 0a7aee1fdca0999636f079b0c5b81dee9a932b62e3ef77ab7e8a67c140a45477
                                                            • Opcode Fuzzy Hash: 16cc4778902d0dc457566a71489ccb5412868f75aa736d97887733a7238e8e94
                                                            • Instruction Fuzzy Hash: 23812E30B112098FDB98DFA5D4547AEBBF6AF89300F148529D40ADB384DB75DD428B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6055f0a3142d64a218f5371536e50c2d02954d8c377bcdb5a5d1759cbae43d9a
                                                            • Instruction ID: 382f6d4475ff5a14bce44066269f2211a75cc1d0a3cc6488e18bc7d70edc55f6
                                                            • Opcode Fuzzy Hash: 6055f0a3142d64a218f5371536e50c2d02954d8c377bcdb5a5d1759cbae43d9a
                                                            • Instruction Fuzzy Hash: 50811E30B112098FDB98DFA9D4547AEBBF6EF89300F148529D80ADB384DB75DD428B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ebbcc8840c7e0e9656bfa827eb1475cee83dbc8e7e26b5c3f7b8509c07c93011
                                                            • Instruction ID: 5afac64e75c897863ed9d60f6e390dcb426f1ea325f5058cfb78d52481758281
                                                            • Opcode Fuzzy Hash: ebbcc8840c7e0e9656bfa827eb1475cee83dbc8e7e26b5c3f7b8509c07c93011
                                                            • Instruction Fuzzy Hash: 2E913B30E106198BDF64DF68C880B99B7B1FF89304F20C699D549EB285DB71AA85CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b19cc7b5b66cb8441fdb7768cdbb312c868cc636be06192e3492eaf7a5441308
                                                            • Instruction ID: 83c90d9c8735bb9b9f3e433a6f6b399b67b862dbc4fb2197fddec1fb42c071cc
                                                            • Opcode Fuzzy Hash: b19cc7b5b66cb8441fdb7768cdbb312c868cc636be06192e3492eaf7a5441308
                                                            • Instruction Fuzzy Hash: FD912B30E106198BDF64DF68C880B9DB7B1FF89314F20C699D509BB244DB71AA85CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4322f6a246e9df68c8e7104c6492496ace045bdea27116338cd65774d1d234f0
                                                            • Instruction ID: d7ccfa94d59b9a6362ea8eee6a4426cce2baa06c8ec82a5395a5170e4d682e14
                                                            • Opcode Fuzzy Hash: 4322f6a246e9df68c8e7104c6492496ace045bdea27116338cd65774d1d234f0
                                                            • Instruction Fuzzy Hash: 26715971A002099FDB54DFA9D980AAEBBF6FF88310F248469D419EB354DB30ED46CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 34eee947b802de510784db6ec7020d8c420c478bbfaa242d1633ea043dae713f
                                                            • Instruction ID: 8bfe1b1283aa4abc61300318671c6525e433f0c0c79186d40e9d494060ef3fe7
                                                            • Opcode Fuzzy Hash: 34eee947b802de510784db6ec7020d8c420c478bbfaa242d1633ea043dae713f
                                                            • Instruction Fuzzy Hash: C3713B71B002099FDB54DBA9D980A9EBBF6FF88310F248469D419EB354DB30ED46CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8c65a6ec26d3c53b2b0eafe8e1c032f705a0ee319495df73e13dfb16910ae6c6
                                                            • Instruction ID: ea28a9aecc5c75b290a8d8c3ebed768231a08de7480aa5a468740e29af3f42a8
                                                            • Opcode Fuzzy Hash: 8c65a6ec26d3c53b2b0eafe8e1c032f705a0ee319495df73e13dfb16910ae6c6
                                                            • Instruction Fuzzy Hash: 76617270F002099FEF589BA9C8547AEBBF6FF88300F208529E505AB394DFB55C458B95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8b8282321f59146d1b43a60f3c84285def3bcc4a5ace177934ffef329900b9b5
                                                            • Instruction ID: 4a261de16b0e326cd7f5f3ff06a34a04625d59095463bb19dcb5b6e15b8ca44f
                                                            • Opcode Fuzzy Hash: 8b8282321f59146d1b43a60f3c84285def3bcc4a5ace177934ffef329900b9b5
                                                            • Instruction Fuzzy Hash: EE51CF31E00209DFDF64EFB8E4846ADBBB2FB84215F10886EE526D7250DB359E55CB84
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c9494b6afd47fc9d85b796f5a00b1d7a716d5020971c3ce2eb327c98cd8898e0
                                                            • Instruction ID: 360e0800440f49b9183603e59cf98bdad75ea7706b779ddaceffac8039dd79aa
                                                            • Opcode Fuzzy Hash: c9494b6afd47fc9d85b796f5a00b1d7a716d5020971c3ce2eb327c98cd8898e0
                                                            • Instruction Fuzzy Hash: 8051E270B202049BFF64566CD994B6E7A9AE7CD710F60442EE41BC7390CF6DCE4193A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: de076a9308b292449e1624affaace9e927d2b971c0b7c9c9fbafc885471a5701
                                                            • Instruction ID: 17f684790a182603eafdb131ae0e6f96b5b44b6b215ec67d3e761a8509ffc1cc
                                                            • Opcode Fuzzy Hash: de076a9308b292449e1624affaace9e927d2b971c0b7c9c9fbafc885471a5701
                                                            • Instruction Fuzzy Hash: 55514F30B0114A9FDB94DB79D860B6E77F6EFC9200F108569D80ADB385EA35DD428B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e0ead9597bbc1e9ac4b4ea88f9c3ecf90e86a4211cdef9acd28e678e0f731ee
                                                            • Instruction ID: eec24e7df7d9149167601e6db61fc6a9deaccd0d41d6ffa65c77e7116cb2bf35
                                                            • Opcode Fuzzy Hash: 2e0ead9597bbc1e9ac4b4ea88f9c3ecf90e86a4211cdef9acd28e678e0f731ee
                                                            • Instruction Fuzzy Hash: BE51F070B202049BFF64566CC994B6E7A9AE7CD710F60442EE41BC7390CF6EDE4193A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a4108de943a58638a8a8b08b4205f49528f7c4c94bb960da5b0b65c0538a1ffa
                                                            • Instruction ID: 3bd25e5807c8fa237240a5842fb0f26728302a608dce4c6e12ef733b9cb1c669
                                                            • Opcode Fuzzy Hash: a4108de943a58638a8a8b08b4205f49528f7c4c94bb960da5b0b65c0538a1ffa
                                                            • Instruction Fuzzy Hash: E1515070F002089FEB589BA5C8547AEBAF6FF88300F208529D505AB394DA759C45CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 61c47a493be1d21e620099f566a913a279617debe0843fe5eb0a752e32d5b135
                                                            • Instruction ID: ecc09eb5ea7d235c6f9f4130f79bfcf4375fead61f84b2123c954e6efecfbf12
                                                            • Opcode Fuzzy Hash: 61c47a493be1d21e620099f566a913a279617debe0843fe5eb0a752e32d5b135
                                                            • Instruction Fuzzy Hash: 55415C71E006098FDF70CFA9D880AAFF7B6FB84310F50492AE21AD7650DB30E9559B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cff3c911b6417ffb54100031f902ace47520fc0173b042ebdcf8bd83f878b67d
                                                            • Instruction ID: abfe23e321b9e3fe54a13cb0e3069fdb318f5235d0675cb22f6a849d6d92d90b
                                                            • Opcode Fuzzy Hash: cff3c911b6417ffb54100031f902ace47520fc0173b042ebdcf8bd83f878b67d
                                                            • Instruction Fuzzy Hash: 3E418370E1030ADFDB64DF69D44469EBBB6BF85740F208429E806EB340DB71E946CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b5606739ace60bd6d244fb96b1b10a056e510f465b7d2ba6ee0e99d54dc9e831
                                                            • Instruction ID: f4055d8da60904c79164101e5239c36726872d1862b2f96ec894866208b024f1
                                                            • Opcode Fuzzy Hash: b5606739ace60bd6d244fb96b1b10a056e510f465b7d2ba6ee0e99d54dc9e831
                                                            • Instruction Fuzzy Hash: EA41B470E10746DFDB65DF79D88469EBBB2BF85300F248529E806EB240DB71E946CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 65d237a4f2a44f82a3d0c3ff3e36473ad2e9df5e0ab714c098d29c841bd0d192
                                                            • Instruction ID: ccfc69a3ca796e2a2a9173732f44105453dc0074b72d1a05f8ae5dbf1103d590
                                                            • Opcode Fuzzy Hash: 65d237a4f2a44f82a3d0c3ff3e36473ad2e9df5e0ab714c098d29c841bd0d192
                                                            • Instruction Fuzzy Hash: 6631DE30B003028FDB699B74D45866E3BA6BF89610F24856CD806EB381DF39CE46CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ea11a67a29c97e9408a417382c0d44ca3b81840763e0a9bc59ae6e0c74c9c4b2
                                                            • Instruction ID: da229d6a09a3ab99a372e5b2dd9a7ee1b9b9411a779bd8fb75226e9eda1cc5b5
                                                            • Opcode Fuzzy Hash: ea11a67a29c97e9408a417382c0d44ca3b81840763e0a9bc59ae6e0c74c9c4b2
                                                            • Instruction Fuzzy Hash: 0731A230B002068FDB599B75D45866E7BE6BF89610F24856CD806DB384DF39CE46CBD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9c26804375b30bfd061b5a23d76bd50abe9afb2186df723926d808e3fa92a469
                                                            • Instruction ID: bf09d1c6f24c2d878e67c07588733e576de1a6e2c7068b5dea112da2fd2e3978
                                                            • Opcode Fuzzy Hash: 9c26804375b30bfd061b5a23d76bd50abe9afb2186df723926d808e3fa92a469
                                                            • Instruction Fuzzy Hash: 7D31C830E1071A9FDF25DF69D88069EBBB1FF85304F144929D805E7244DBB1B946CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 041f09c8cfd5b765e70032cf018ed524374c85ccb94cbcc50b83798dca96dfff
                                                            • Instruction ID: 423fc8ff7fcf1cebe5ab6d5eb15244dbc6efc84967a4796c51e257c41ce999e5
                                                            • Opcode Fuzzy Hash: 041f09c8cfd5b765e70032cf018ed524374c85ccb94cbcc50b83798dca96dfff
                                                            • Instruction Fuzzy Hash: 7B313C30E106059BDB54CF65C894AAEB7B2BF89300F108529E806EB751EBB5ED42CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 44df2368095a78ca1692de0eed3ed7554f3eabca5bd9c1def3c567d55b02cecc
                                                            • Instruction ID: 9c33f78b2ae84aa36b37ec28e013a8287217e63323dcab1b238e91a755cdea80
                                                            • Opcode Fuzzy Hash: 44df2368095a78ca1692de0eed3ed7554f3eabca5bd9c1def3c567d55b02cecc
                                                            • Instruction Fuzzy Hash: BB316230E106199FDB54CF65D85469EB7B6FF89300F108929E816E7350EBB5ED42CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7ff7f86d1ee64ccdc1de8cb22a97e41a58966ccc6365c1c46febf9f946a7cbb9
                                                            • Instruction ID: 81f215b005e315c6db020cc8843939f6fd1fc5112074f265b2ca008474d1dde4
                                                            • Opcode Fuzzy Hash: 7ff7f86d1ee64ccdc1de8cb22a97e41a58966ccc6365c1c46febf9f946a7cbb9
                                                            • Instruction Fuzzy Hash: 3A215E75F01216DFDB50CFAAD880AAEBBF1EB88750F108069E949E7341E735DD419B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6a85ef3bd7d2592b6631197bb0a2e92106735f6c8f83ffb75f20fa18e48b11c7
                                                            • Instruction ID: 5be109fb768b2f47aa11e6644f24f7376182e78ebb188d85cccdfeb40a22a1f4
                                                            • Opcode Fuzzy Hash: 6a85ef3bd7d2592b6631197bb0a2e92106735f6c8f83ffb75f20fa18e48b11c7
                                                            • Instruction Fuzzy Hash: 3C213975F0021ADFDB50CF6AD880AAEBBF5FB88650F108169E909E7340E735DD418B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1653521391.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_137d000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b998462b6fb15af3c7d3825e9663eaa4aac4d19b6db14be29a85f22360d46986
                                                            • Instruction ID: 6599454b1549e40c6f74fa14e1ff99219acfae86e89d8aec72efc4d6f7e12479
                                                            • Opcode Fuzzy Hash: b998462b6fb15af3c7d3825e9663eaa4aac4d19b6db14be29a85f22360d46986
                                                            • Instruction Fuzzy Hash: 8B212571604304DFDB22DF64D8C4B16BB65FF84318F20C56DE8490B342C73AD446CA62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bfd80385dad5ed94dea645e223d19e30bbc5eb8329c3ff1d78ab8dd3b8cffd50
                                                            • Instruction ID: f0e4133c8a92e6dde0c367662defa9035f6f69084602fa85bf1390b906ff7ade
                                                            • Opcode Fuzzy Hash: bfd80385dad5ed94dea645e223d19e30bbc5eb8329c3ff1d78ab8dd3b8cffd50
                                                            • Instruction Fuzzy Hash: B821F330F111099FDF94DB6AE9546AEBBB6EB84310F248429E805E7380DB36DD418B84
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8159f0cd6eeaa4c79ffc0e1bc811a1e4d6806651a9bf2c5b446094cf0e1ac422
                                                            • Instruction ID: 8b4795a243056fae554fd9f1ebf2a32a796d4e20bb4ec6eee7eb20d2733fefd7
                                                            • Opcode Fuzzy Hash: 8159f0cd6eeaa4c79ffc0e1bc811a1e4d6806651a9bf2c5b446094cf0e1ac422
                                                            • Instruction Fuzzy Hash: 8B21E130F101199FCF94DB6AE9506AEBBB6EF84310F208429D805EB380DB36ED518B84
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8f825160dc0c9463be1f58f11b8579bf35a0ec4fa036e43e67a90bbf546bc74b
                                                            • Instruction ID: 9f49bdee87b3f00bd53c2de8ad54c252dd8c627d6241a35e5ecc4eda55f678f2
                                                            • Opcode Fuzzy Hash: 8f825160dc0c9463be1f58f11b8579bf35a0ec4fa036e43e67a90bbf546bc74b
                                                            • Instruction Fuzzy Hash: 3D11D636F101154FDBA0DABCE8907AFB7A1EB85720F10893DE10ED7355DA66DD428780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c3cc475a4738d57ccc403255f3f8ec80f15b0285307121b85a9801c5f92316e0
                                                            • Instruction ID: 00f70bd2f60b3d51098cf2194086d56c9670c7b78e649ee0867d0418e22d0324
                                                            • Opcode Fuzzy Hash: c3cc475a4738d57ccc403255f3f8ec80f15b0285307121b85a9801c5f92316e0
                                                            • Instruction Fuzzy Hash: 59116135B101298FDF99DA79D8146AE7BEAEBC8250F048539D40AE7340EF65DD028BD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d4d21d8701f2a11e4e9c5b82d04e040744e89b0269c68f82bc0c96839e079ea1
                                                            • Instruction ID: b86b2a054011146ba2af9eac54859c335ad6d36bcc6916a675f330cc9cbe845a
                                                            • Opcode Fuzzy Hash: d4d21d8701f2a11e4e9c5b82d04e040744e89b0269c68f82bc0c96839e079ea1
                                                            • Instruction Fuzzy Hash: 81019772B101000FDB61863C988473FABDADBC7610F00887EF40ACB381ED28CE028380
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 11440132669b871393007493c0a452f5ba63e90b7736ba0d0ca9cbd7633c6637
                                                            • Instruction ID: 81c918f9120b7b7729755ba79ba2c3e2e0148d8484accaa1a795d1e6fb90d9a8
                                                            • Opcode Fuzzy Hash: 11440132669b871393007493c0a452f5ba63e90b7736ba0d0ca9cbd7633c6637
                                                            • Instruction Fuzzy Hash: 79018435B101104BEB6896ADD45876BA7DBDBC9611F24C43DE10EC7384E9A5DD264381
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1653521391.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_137d000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction ID: 74bdc83109ebb5ce82fa4c07b9310683bb7e8fe5438384d784bdff0bbdc3e2ac
                                                            • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction Fuzzy Hash: C611BB75504284CFCB22CF54D9C4B15BFA2FB84328F28C6A9D8494B292C33AD44ACF62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c1b83b94b4ff862cdf122d4ac2c40028de3dac28ba6fb126e331b58108d85145
                                                            • Instruction ID: 89eb506090e77c1d11fd56e5806dbc1624f99dc5dc27f69d8c7104bba284bb66
                                                            • Opcode Fuzzy Hash: c1b83b94b4ff862cdf122d4ac2c40028de3dac28ba6fb126e331b58108d85145
                                                            • Instruction Fuzzy Hash: D401A171E002698BCB59DB79C8405DEFBB6EB88310F0085A9D40AE7341EA319A40DBD0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eab4c5419ccae3930f6b696b37037b62f3eea759c9c1a79f62884c0f441ea46d
                                                            • Instruction ID: 0fe53386b43f474cd33f63b0dfa45eab8944ee896a20e8dfc8fab813882d2f7a
                                                            • Opcode Fuzzy Hash: eab4c5419ccae3930f6b696b37037b62f3eea759c9c1a79f62884c0f441ea46d
                                                            • Instruction Fuzzy Hash: 7811D3B5D01259AFCB00DF9AD884ACEFFB4FB48710F10812AE918A7240C374A654CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 79d9ffdbfa77aafc2b7cc66c3a1544fbad308b36dc56664489da5bf64199653d
                                                            • Instruction ID: e9d2f233566ac12870f732c992af8b318c7aeb4063e24adfe3d267facd637fee
                                                            • Opcode Fuzzy Hash: 79d9ffdbfa77aafc2b7cc66c3a1544fbad308b36dc56664489da5bf64199653d
                                                            • Instruction Fuzzy Hash: 8D016D35B100205BEBA89AAED45976BB3DADBCA610F20C43DE50EC7384DDA6DD164391
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 408b865eda26c544c78262b7a84e8561316493b46dca7235dd71da58e6b34aca
                                                            • Instruction ID: d716032a9616a054ad33aaf4214da43aa48e0ed760dbaa8f0eeb421a66d84663
                                                            • Opcode Fuzzy Hash: 408b865eda26c544c78262b7a84e8561316493b46dca7235dd71da58e6b34aca
                                                            • Instruction Fuzzy Hash: 3F11D3B6D012599FCB00DF9AD985BDEFBB4BB48710F10811AE518B7240D374AA54CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 718eed1871b33fba5be5d23f8e461b77b5fb54c9464a322978f038ae99829267
                                                            • Instruction ID: 5bf9097b728f937fb955e1bf7666ceb01e0207c6772d1f31ca8883bffe2510e4
                                                            • Opcode Fuzzy Hash: 718eed1871b33fba5be5d23f8e461b77b5fb54c9464a322978f038ae99829267
                                                            • Instruction Fuzzy Hash: CE01DF36B100194BDB95CA68D8106AF76AB9BC8250F04443ED40AE7280EE60CD0287D2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 322d0036ec8e31d8a1f79da6395fc1979656cdf42dd5cccbe3bd7699db80b62c
                                                            • Instruction ID: 6fd7b98bc0497c581a525df999e59b1cba017e354995684d48c12efbff430a0d
                                                            • Opcode Fuzzy Hash: 322d0036ec8e31d8a1f79da6395fc1979656cdf42dd5cccbe3bd7699db80b62c
                                                            • Instruction Fuzzy Hash: 8D018176B105154BDB64956C989472FB7DAE7C9610F10883EF51BC7380EE65DD024385
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bcec9266a83e25d0a67a162b280ca5610cbc2972de878674f4309b5a126f7ba5
                                                            • Instruction ID: 6d22b8ef2805a203eefff73bd3d1d3c03ae2aa0765edca06736d58589dc10877
                                                            • Opcode Fuzzy Hash: bcec9266a83e25d0a67a162b280ca5610cbc2972de878674f4309b5a126f7ba5
                                                            • Instruction Fuzzy Hash: C9018C31B101144FDBA49ABDE46072FB3D6EB8A750F10883DE40EC7344EE66ED428780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 44403826bd07f167dcdc86730b204e7acddecc568f1882f109b2e8a57f0a0b45
                                                            • Instruction ID: 4781ee0558dcab97a85ecc85a49014448fbf0ef444c5265c1d572fbf8c8f77f2
                                                            • Opcode Fuzzy Hash: 44403826bd07f167dcdc86730b204e7acddecc568f1882f109b2e8a57f0a0b45
                                                            • Instruction Fuzzy Hash: 51012831F20225AFCF68AA6EE840A9EB779F785350F00443DE801E7344DB76AD0087C4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7cc293400675d56278cccd15ba98719f11f9888b766a0cf6c5bded2fb57b68fc
                                                            • Instruction ID: 4d30a2c5917f1b4a7b1d43a9cc07d9b38693e649fa3bc66f1e29c83d09d650cf
                                                            • Opcode Fuzzy Hash: 7cc293400675d56278cccd15ba98719f11f9888b766a0cf6c5bded2fb57b68fc
                                                            • Instruction Fuzzy Hash: FAF0A036E02114DFDF68CE5AE98C6AD77B1FB40312F1880BADA01E7150D3359E82CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fbc87255b339ebc169cc85a3314a0905d61d8153156caf4329fde04f995c45c0
                                                            • Instruction ID: c9249a725711d3c47bbbe77325195d9fa1542a9edbaefb70354e6d994329fa44
                                                            • Opcode Fuzzy Hash: fbc87255b339ebc169cc85a3314a0905d61d8153156caf4329fde04f995c45c0
                                                            • Instruction Fuzzy Hash: 6BF0F470A20219DFDB18DF94D8697ADBBB1FF44710F204129E402A7284CB701C05CBC4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6f003b22fc4c28e72e6567768d94fcff33b3f1f0f2152080f5ff1653225a9b65
                                                            • Instruction ID: 8e65d863af151b7da120cf221c579c9f9c77f313abbf70b311e009910a5a26ce
                                                            • Opcode Fuzzy Hash: 6f003b22fc4c28e72e6567768d94fcff33b3f1f0f2152080f5ff1653225a9b65
                                                            • Instruction Fuzzy Hash: B5E0DFB2E106049BEB50CFB18A6834BB7AAEB45304F3148AED008EB311E136DF069701
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.1684021021.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_6c70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5b996b5257d912014684181d89fd3465bbdc9df6c08fb94f59a6fdd0633af75f
                                                            • Instruction ID: dd15101d607979089d467fd13db28f7be6ee54d9f5c58e50469cb710bf4aa431
                                                            • Opcode Fuzzy Hash: 5b996b5257d912014684181d89fd3465bbdc9df6c08fb94f59a6fdd0633af75f
                                                            • Instruction Fuzzy Hash: 76E0C270E10209ABDFA0CEB2C95575EB7ADD701304F2088A9D409CB201E136DB016780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:7.2%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:72
                                                            Total number of Limit Nodes:4

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 00FBC83E
                                                            • GetCurrentThread.KERNEL32 ref: 00FBC87B
                                                            • GetCurrentProcess.KERNEL32 ref: 00FBC8B8
                                                            • GetCurrentThreadId.KERNEL32 ref: 00FBC911
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1658903640.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_fb0000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 27c9f03d2d729616f47317359aedcac1c1f029ecdedef521beace37b04b6d740
                                                            • Instruction ID: 246591db75074a05c698554a98d9cffcce95e8c5691f1402de46ce3c04066da4
                                                            • Opcode Fuzzy Hash: 27c9f03d2d729616f47317359aedcac1c1f029ecdedef521beace37b04b6d740
                                                            • Instruction Fuzzy Hash: CF5165B0D003498FEB14DFAAD548B9EBBF1AF88314F20845DE419A7391DB749944CFA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 00FBC83E
                                                            • GetCurrentThread.KERNEL32 ref: 00FBC87B
                                                            • GetCurrentProcess.KERNEL32 ref: 00FBC8B8
                                                            • GetCurrentThreadId.KERNEL32 ref: 00FBC911
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1658903640.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_fb0000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 22526bd122336db8bbe2de540b0d9bb7a6d411f4379b7403f3776042fa3e3373
                                                            • Instruction ID: 8479a6a586e7b3be2a2a19847c1ab7e467cbde7f0afec8bcc81eebd2052b8557
                                                            • Opcode Fuzzy Hash: 22526bd122336db8bbe2de540b0d9bb7a6d411f4379b7403f3776042fa3e3373
                                                            • Instruction Fuzzy Hash: BD5144B0D007498FEB14DFAAD548BDEBBF1AB88314F20845DE409A7391DB749944CF66
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 427 fbce09-fbcea4 DuplicateHandle 428 fbcead-fbceca 427->428 429 fbcea6-fbceac 427->429 429->428
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FBCE97
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1658903640.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_fb0000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: f867a1c649a2362d46ae907191152f975ba6bc4209ff0eb54e6a9395b52dc83f
                                                            • Instruction ID: 29250ad550b6bccb5af5fd0cce9506d40180466f97d9a1c77799493ed0ee2073
                                                            • Opcode Fuzzy Hash: f867a1c649a2362d46ae907191152f975ba6bc4209ff0eb54e6a9395b52dc83f
                                                            • Instruction Fuzzy Hash: 7521E5B5900249DFDB10CFAAD484ADEBFF5FB48310F14841AE958A7251D375A951CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 432 fbce10-fbcea4 DuplicateHandle 433 fbcead-fbceca 432->433 434 fbcea6-fbceac 432->434 434->433
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FBCE97
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1658903640.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_fb0000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: f8e5f13883ab56e3f89fe8957f457f26a62344a992d5d35f79641bdd03cad3fa
                                                            • Instruction ID: bf6f19db30e653b7d6082791e1f3a9ab2b9a3f0214732de5aafb48d5e779c5c3
                                                            • Opcode Fuzzy Hash: f8e5f13883ab56e3f89fe8957f457f26a62344a992d5d35f79641bdd03cad3fa
                                                            • Instruction Fuzzy Hash: C621C4B5900249DFDB10CFAAD884ADEBBF9FB48320F14841AE958A3350D374A954CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 437 fb98b0-fba9e0 439 fba9e8-fbaa17 LoadLibraryExW 437->439 440 fba9e2-fba9e5 437->440 441 fbaa19-fbaa1f 439->441 442 fbaa20-fbaa3d 439->442 440->439 441->442
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FBA7F9,00000800,00000000,00000000), ref: 00FBAA0A
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1658903640.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_fb0000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: e013d20602cee459c40829971199accc730d2c3d665ffc6d5de335bf78c3eb94
                                                            • Instruction ID: caa7672574450df6a7c13266259ca2720b9399671095e542dec451b562acc05f
                                                            • Opcode Fuzzy Hash: e013d20602cee459c40829971199accc730d2c3d665ffc6d5de335bf78c3eb94
                                                            • Instruction Fuzzy Hash: 0E1106B68003099FDB10DF9AC444BDEFBF4EB88310F14842ED519A7200C375A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 445 fba718-fba758 446 fba75a-fba75d 445->446 447 fba760-fba78b GetModuleHandleW 445->447 446->447 448 fba78d-fba793 447->448 449 fba794-fba7a8 447->449 448->449
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00FBA77E
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1658903640.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_fb0000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: bbb31e22354113cc25a112d02592e660ae325503f341d8f94072f920f806a605
                                                            • Instruction ID: 53689d23ee79b3af802488a78477de91db017480464439f31bee578ac5f2ac4f
                                                            • Opcode Fuzzy Hash: bbb31e22354113cc25a112d02592e660ae325503f341d8f94072f920f806a605
                                                            • Instruction Fuzzy Hash: 5A1110B6C003498FCB20CF9AC844BDEFBF5EB88320F20841AD419A7210C779A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1657124560.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_f5d000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e18626c363318a2d8026f09c801da620481571c854184fca774f651b419237b8
                                                            • Instruction ID: 01e9c487fb687281b2033623d01c94a3dd740b0793d87aa8cafa3c4661bc9e5c
                                                            • Opcode Fuzzy Hash: e18626c363318a2d8026f09c801da620481571c854184fca774f651b419237b8
                                                            • Instruction Fuzzy Hash: 31214872905304DFDB25DF04D8C0B26BF61FB94325F24C169DE090B256C336D84AEBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1657468842.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_f6d000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c41d13227e756b1baf66513c4786252c9b71b709bab1c8a15f8d0751a73d0ee8
                                                            • Instruction ID: bade58bdc990676ed8d6638a724c9325f00da6709ccc1d200dca93359d4e8b06
                                                            • Opcode Fuzzy Hash: c41d13227e756b1baf66513c4786252c9b71b709bab1c8a15f8d0751a73d0ee8
                                                            • Instruction Fuzzy Hash: 9F21D375A04344EFDB14DF14D984B16BB65FB84324F24C569D84A4B28AC336D847DA62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1657468842.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_f6d000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 75d3dd5ad65e4e0d075798911d85ea3a8d6ebc575737569c379d8af10a4772ac
                                                            • Instruction ID: 9c8ad7385b28465fca3f2e703314e5aedc83d4708bc3a67007bb798bc38b0896
                                                            • Opcode Fuzzy Hash: 75d3dd5ad65e4e0d075798911d85ea3a8d6ebc575737569c379d8af10a4772ac
                                                            • Instruction Fuzzy Hash: 882165759093C09FC712CF24D594715BF71EB46324F28C5EAD8498F6A7C33A980ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1657124560.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_f5d000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction ID: 679b9c1ea29264eb31ad43bf5d4e2c99ae479a3f49b9aa835e9fdc1d9d90d367
                                                            • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction Fuzzy Hash: A1110376904244CFCB16CF04D5C0B16BF72FB84324F28C1A9DD090B656C33AD85ADBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:9.4%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:105
                                                            Total number of Limit Nodes:9
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e8e67ec72014a3a9c39a4106ea86719b162e8da5b35b07893cddb2173a43a9d2
                                                            • Instruction ID: a4799f1d35d05e5b46790458f2a5f08182d700d16cb6fdba2b7eadcc6c044ec6
                                                            • Opcode Fuzzy Hash: e8e67ec72014a3a9c39a4106ea86719b162e8da5b35b07893cddb2173a43a9d2
                                                            • Instruction Fuzzy Hash: F4225030E112098FEF64DF58D4907ADB7B2EB89310F64842AE455DB391EB35DC81DB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 06b0a9b6bf2f571a19aa185d47a5f9455575d9472427d9eb839082030e183426
                                                            • Instruction ID: 29acf189ee5929cb7127805f8303f64aad7aa4444a58bb7f5ad3840d5f527036
                                                            • Opcode Fuzzy Hash: 06b0a9b6bf2f571a19aa185d47a5f9455575d9472427d9eb839082030e183426
                                                            • Instruction Fuzzy Hash: E3323D31E1071ACFDB14EB75C89069DB7B2FFC9300F61C6AAD409A7214EB30A985DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 06D5328E
                                                            • GetCurrentThread.KERNEL32 ref: 06D532CB
                                                            • GetCurrentProcess.KERNEL32 ref: 06D53308
                                                            • GetCurrentThreadId.KERNEL32 ref: 06D53361
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2668893809.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: d7ee51fc564f17229d994d94cc13e1650f6eb512cc215f74a647c97434a8bf34
                                                            • Instruction ID: caba7812002702f267937309eb3d2c1f928c24d5ef09eba3c717bc468ccb58cb
                                                            • Opcode Fuzzy Hash: d7ee51fc564f17229d994d94cc13e1650f6eb512cc215f74a647c97434a8bf34
                                                            • Instruction Fuzzy Hash: E25144B0900349CFDB54DFAAD988B9EBBF1FB88314F258059E409A7350DB34A944CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 06D5328E
                                                            • GetCurrentThread.KERNEL32 ref: 06D532CB
                                                            • GetCurrentProcess.KERNEL32 ref: 06D53308
                                                            • GetCurrentThreadId.KERNEL32 ref: 06D53361
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2668893809.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: dc1ee991535f748fb387063d6e0be2d084970a04bd7eb453418328e9f7823eaa
                                                            • Instruction ID: fcf4d2aafef9a1852814e6fd2d1c1aa2ee96d68ee632cb2887ae780886154940
                                                            • Opcode Fuzzy Hash: dc1ee991535f748fb387063d6e0be2d084970a04bd7eb453418328e9f7823eaa
                                                            • Instruction Fuzzy Hash: 4F5144B09007098FDB54DFAAD948B9EBBF2FB88314F258059E409A7350DB74A944CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06D5B97E
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2668893809.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 98ea49f0d430e6e122b6e3801caa0aa2dbaaaea8ba2fc7b0ad90ae22ccd8a6ff
                                                            • Instruction ID: 3ba990f83b2288d6a40dcd65e26cdf0744595b75f9d96592eac2ac325602cf71
                                                            • Opcode Fuzzy Hash: 98ea49f0d430e6e122b6e3801caa0aa2dbaaaea8ba2fc7b0ad90ae22ccd8a6ff
                                                            • Instruction Fuzzy Hash: 81816770A00B058FDBA4DF2AD45176ABBF1FF88200F11892ED88AD7B50DB75E845CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph: rendered graph omitted (executed/not-executed colouring not recoverable from text); basic blocks span 6d5d8b0-6d5da81, with an internal call to 6d5a884 and the CreateWindowExW call site.
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06D5DA22
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2668893809.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 98adf1fa8eb4d625be3248ce73eaa93f369f71b5b0b1eea7db273bb8efba64ed
                                                            • Instruction ID: 5bf42a52db193cf1946d94bbc6f66dbe064ca0210aba93d3d1c0650dc0b081b0
                                                            • Opcode Fuzzy Hash: 98adf1fa8eb4d625be3248ce73eaa93f369f71b5b0b1eea7db273bb8efba64ed
                                                            • Instruction Fuzzy Hash: B451F0B1C00249AFDF15CFA9C880ADDBFB6FF49310F25816AE818AB221D7759955CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph: rendered graph omitted (executed/not-executed colouring not recoverable from text); basic blocks span 6d5a884-6d5da81 and include the CreateWindowExW call site.
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06D5DA22
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2668893809.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 52ee72760f1df17355fb65b334e90816362bc96cc4697d94be2c7aff48385ce5
                                                            • Instruction ID: 2a58728e1ff2213be12a781049fecfb78f33dbaf2643a5bebfc82cf851b9c823
                                                            • Opcode Fuzzy Hash: 52ee72760f1df17355fb65b334e90816362bc96cc4697d94be2c7aff48385ce5
                                                            • Instruction Fuzzy Hash: A851AEB1D00309DFDF14CF9AC884ADEBBB6BF48710F25812AE819AB210D775A945CF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph: rendered graph omitted (executed/not-executed colouring not recoverable from text); entry block 6d53518, basic blocks span 6d534f2-6d53646, no API call sites.
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2668893809.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 08d3bd1e2a0b0137da88b59adeb3c761aefbd16b93a2d175885df21fd57ef3a4
                                                            • Instruction ID: cb791164ea21c757765292b400307800f4f4b23bc9fd425784745d6399c1e273
                                                            • Opcode Fuzzy Hash: 08d3bd1e2a0b0137da88b59adeb3c761aefbd16b93a2d175885df21fd57ef3a4
                                                            • Instruction Fuzzy Hash: 9041A075A503849FE700EF60F4A576A3FA6FB94310F15806AFA02DB3D6DBB40845CB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph: rendered graph omitted (executed/not-executed colouring not recoverable from text); basic blocks span 6d758b0-6d75cce, no API call sites.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $
                                                            • API String ID: 0-3993045852
                                                            • Opcode ID: a7b7655649aa07bf3001891212d2c4e2d0718b9174517a21fadc4d19f11e826d
                                                            • Instruction ID: 1aaf29e298edbd2cd0e5a7f2685aa470fa1ce4ca63aec493f9c07db8ed1f873c
                                                            • Opcode Fuzzy Hash: a7b7655649aa07bf3001891212d2c4e2d0718b9174517a21fadc4d19f11e826d
                                                            • Instruction Fuzzy Hash: B4C17D75F00219CFDF54DBA4D4506AEB7B6EF88311F208569D902AB354EF31AD42CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph: rendered graph omitted (executed/not-executed colouring not recoverable from text); basic blocks span 6d52ef4-6d53512 and include the DuplicateHandle call site.
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06D5341E,?,?,?,?,?), ref: 06D534DF
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2668893809.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 3a3914a1ffe910670556eb799e8385ad49e0e2a88de69f06614716f4688077a2
                                                            • Instruction ID: afed3d66c920cbaefd40fc4c2237716c5ea8e550f2df2674b98cd8775ed83219
                                                            • Opcode Fuzzy Hash: 3a3914a1ffe910670556eb799e8385ad49e0e2a88de69f06614716f4688077a2
                                                            • Instruction Fuzzy Hash: 5E2116B5D003499FDB10CFAAD884ADEBBF4FB48310F15801AE914A7310D379A940CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph: rendered graph omitted (executed/not-executed colouring not recoverable from text); basic blocks span 6d53450-6d53512 and include the DuplicateHandle call site.
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06D5341E,?,?,?,?,?), ref: 06D534DF
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2668893809.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 96542908715f59d45ce7c354c8c15eff7dd2cabac785bbc248ec51d83a61d155
                                                            • Instruction ID: 25af7e1d6bb23a90dc290160ff66bea41438c2c2902086e1fb21526624f1e076
                                                            • Opcode Fuzzy Hash: 96542908715f59d45ce7c354c8c15eff7dd2cabac785bbc248ec51d83a61d155
                                                            • Instruction Fuzzy Hash: C921D2B5D003499FDB10CFAAD884ADEBBF9EB48310F15841AE918A3350D379A940CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph: rendered graph omitted (executed/not-executed colouring not recoverable from text); basic blocks span 6d5bb7b-6d5bc1d and include the LoadLibraryExW call site.
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06D5B9F9,00000800,00000000,00000000), ref: 06D5BBEA
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2668893809.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 09ca797594bfd378357e8c5325e388000a0e540df617b1ba041427dd253fbe82
                                                            • Instruction ID: 144f784650293ac641d67e0d56b923c30e758004240456003372f2fd7e9354d0
                                                            • Opcode Fuzzy Hash: 09ca797594bfd378357e8c5325e388000a0e540df617b1ba041427dd253fbe82
                                                            • Instruction Fuzzy Hash: 911114B6C003098FDB10DF9AD844AEEFBF4EB88710F11841ED819A7600C779A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph: rendered graph omitted (executed/not-executed colouring not recoverable from text); basic blocks span 6d5a710-6d5bc1d and include the LoadLibraryExW call site.
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06D5B9F9,00000800,00000000,00000000), ref: 06D5BBEA
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2668893809.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 06c5f51ce51d3109cea1b78ad0c6d90777b63237b0d6d4434b860a8ca2bda327
                                                            • Instruction ID: 2f8cdb15aa2cc9816d8e5dad4a3e724c0cc0b7e162aec3238ef235692a9447c1
                                                            • Opcode Fuzzy Hash: 06c5f51ce51d3109cea1b78ad0c6d90777b63237b0d6d4434b860a8ca2bda327
                                                            • Instruction Fuzzy Hash: C31117B6C003098FDB10DF9AC884BAEFBF4EB48710F11841ED959A7600C7B5A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph: rendered graph omitted (executed/not-executed colouring not recoverable from text); basic blocks span 2d6f023-2d6f0cd and include the GlobalMemoryStatusEx call site.
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 02D6F08F
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2638807041.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_2d60000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: 9b45aa5cda8356165a97e3239ecce95f75589f4a8834a55d6d8e589fac5a9dbc
                                                            • Instruction ID: daca52b0b37d03df5168c3dedc8bb519aa13b22e429eafbdbc2175389db626af
                                                            • Opcode Fuzzy Hash: 9b45aa5cda8356165a97e3239ecce95f75589f4a8834a55d6d8e589fac5a9dbc
                                                            • Instruction Fuzzy Hash: 121103B1D0065A9FDB10DFAAC844B9EFBF4AB48620F11812AD818A7341D378A944CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph: rendered graph omitted (executed/not-executed colouring not recoverable from text); basic blocks span 2d6f028-2d6f0cd and include the GlobalMemoryStatusEx call site.
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 02D6F08F
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2638807041.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_2d60000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: 397a1af7ddfad79a4c5572473f64e141d1f36a14c2e4a56ab9b7509ae1093f50
                                                            • Instruction ID: 87c6a1c7d89cbbcad72bea62dad09450ca1d6c9881be0b123a329111320f8e96
                                                            • Opcode Fuzzy Hash: 397a1af7ddfad79a4c5572473f64e141d1f36a14c2e4a56ab9b7509ae1093f50
                                                            • Instruction Fuzzy Hash: E51114B1C0065A9FDB10DF9AC44479EFBF4BF48720F11812AD818A7341D378A944CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph: rendered graph omitted (executed/not-executed colouring not recoverable from text); basic blocks span 6d5b918-6d5b9a8 and include the GetModuleHandleW call site.
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06D5B97E
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2668893809.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d50000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 738155e8106b3638168e1b8a6bc495e089e4d9781451d78f68a945fb6f3920a2
                                                            • Instruction ID: 54fcd7bb231ba82f7f91c47ad1462a9c82f07a89ea3c9d4f67052e2a5a2f3d17
                                                            • Opcode Fuzzy Hash: 738155e8106b3638168e1b8a6bc495e089e4d9781451d78f68a945fb6f3920a2
                                                            • Instruction Fuzzy Hash: 3C11E0B6C007498FDB20DF9AC844BDEFBF5EB88624F11841AD869A7710C379A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph: rendered graph omitted (executed/not-executed colouring not recoverable from text); basic blocks span 7122400-7123370 and include the OleInitialize call site.
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 0712333D
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2670527438.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_7120000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: 86e0be0d8c229430a5cf6b971024282a0c29f1d25f99e8aadb2868dd3fdf10c2
                                                            • Instruction ID: 23440545e2167172725eb2e22909b05761650e0a45611275bf1d6673344ce748
                                                            • Opcode Fuzzy Hash: 86e0be0d8c229430a5cf6b971024282a0c29f1d25f99e8aadb2868dd3fdf10c2
                                                            • Instruction Fuzzy Hash: A41115B58043598FCB20DF9AD444B9EBBF4EB48620F108419D569A7340C779A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 0712333D
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2670527438.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_7120000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: 3e954da41dcb6185710d80952f80b867a657c416c5f06fab857df14b200d4f4e
                                                            • Instruction ID: 189e7e90e922bd948f3d02758ef8c0708c91fe493e14d2f8ac6a719e3693d5a2
                                                            • Opcode Fuzzy Hash: 3e954da41dcb6185710d80952f80b867a657c416c5f06fab857df14b200d4f4e
                                                            • Instruction Fuzzy Hash: 491135B58003598FDB20DFAAD844BDEFBF4EB48324F20841AD519A7340C778A645CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $
                                                            • API String ID: 0-3993045852
                                                            • Opcode ID: f099815f86b14fb8efe8430995606b424fd7556ee60b5ae64116545eab76456f
                                                            • Instruction ID: 3086577304f9334581135ef8693b93e4014cff7447eb2a78ec22a80c110e222b
                                                            • Opcode Fuzzy Hash: f099815f86b14fb8efe8430995606b424fd7556ee60b5ae64116545eab76456f
                                                            • Instruction Fuzzy Hash: 6E914875E002199FDF54DBA4D550ADEBBF6EF88320F208569D801BB354EB32AD42CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fa1378c3b163adf18051e87791f52877e5172ba74b21001538dcc2e9fad15254
                                                            • Instruction ID: 7565cfd53567491dd099988df00200e845842b480e06dbc2f6c2b72d342a5019
                                                            • Opcode Fuzzy Hash: fa1378c3b163adf18051e87791f52877e5172ba74b21001538dcc2e9fad15254
                                                            • Instruction Fuzzy Hash: 26621C30A003198FDB55EB68E590A5EB7F3FF84710B218A68D4059B359EB71ED46CBC2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5b2f73ec70077e72ac84a669c29c8c4d0fa08fff51525e121607c2c6f7f4333e
                                                            • Instruction ID: d561287583e8ebe0b4125417748d8974fcbddd27ca38b65c0604369a5b1f35a6
                                                            • Opcode Fuzzy Hash: 5b2f73ec70077e72ac84a669c29c8c4d0fa08fff51525e121607c2c6f7f4333e
                                                            • Instruction Fuzzy Hash: 35E15B30F1021A9FDB64DF68D4506AEB7B2FF89311F24852AD806DB354EB719846CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d50a894edd6f8e9a0973e772c86edd9f19d5def0cd6d1bd577ee85a03ea03579
                                                            • Instruction ID: dd4938726ef95e94023594fb8ccd4962473886f347ec768ea390893316280dfc
                                                            • Opcode Fuzzy Hash: d50a894edd6f8e9a0973e772c86edd9f19d5def0cd6d1bd577ee85a03ea03579
                                                            • Instruction Fuzzy Hash: 72B12830E002098FEBA0DF68D494BADB7B2EB45310F64896BE455DB351EB34DD85CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d091a0bdae8c6cff1339ffc6c5572e3405b13af4ffcd323d7a5002131870af88
                                                            • Instruction ID: 60cdedc254b6e56f53c7cb1df66fa529cb2f1d8950208858db4507e8e109b6e7
                                                            • Opcode Fuzzy Hash: d091a0bdae8c6cff1339ffc6c5572e3405b13af4ffcd323d7a5002131870af88
                                                            • Instruction Fuzzy Hash: 96A17A30B00614CFDB54EB68D554B6DB7F2EF84310F648869D40AAB390EB36EC45CB85
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7bb08606cc886182fba1cad0e007f3d828cd5333dfb8b1314cb87fff2dac89d8
                                                            • Instruction ID: 59cfa3132d39ae1a6029008f12c8550527406310672641563086298913fca9d8
                                                            • Opcode Fuzzy Hash: 7bb08606cc886182fba1cad0e007f3d828cd5333dfb8b1314cb87fff2dac89d8
                                                            • Instruction Fuzzy Hash: 87817E30B006158FDB68EB79D86466EB7A2FFC5311F108539D806DB394EB71E842DB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e5214894fcbd0cf2927fb0ea329cbcc70fb64d5d22bf49251808546547e08e3b
                                                            • Instruction ID: 6c63961c6983f16300e09e9ee825d06c125c796066365531fe3317acba005840
                                                            • Opcode Fuzzy Hash: e5214894fcbd0cf2927fb0ea329cbcc70fb64d5d22bf49251808546547e08e3b
                                                            • Instruction Fuzzy Hash: 80912F31F0061A8FDB94DB69D8607AEB7B6BFC9300F108569D809EB384EB319D458B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b0ffc16f7a4dad7762889ce1c2fb20e9508940b6d20cc7b65ae90c8253194260
                                                            • Instruction ID: dff33f5e4693197894447476c53977acbc281377d2ba98622ee0dc5d23d899af
                                                            • Opcode Fuzzy Hash: b0ffc16f7a4dad7762889ce1c2fb20e9508940b6d20cc7b65ae90c8253194260
                                                            • Instruction Fuzzy Hash: 9761C771F005214BDF64AB7DC840A5EBADBEFC4610B154436D80ADB3A4EE65EC4287D6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 86b53d1345ddf8edb89a2dbe87130d6cfe81137e10cc7244b005a7a049dad4fa
                                                            • Instruction ID: a47a2ed8deaee14da90ed38f4c3a3a2c8c1969d5830da07d4adfdee99912f047
                                                            • Opcode Fuzzy Hash: 86b53d1345ddf8edb89a2dbe87130d6cfe81137e10cc7244b005a7a049dad4fa
                                                            • Instruction Fuzzy Hash: E8813030B0120A8FDB95DFA4D45076EBBF7AF89710F108529D80ADB384EB75DD428B92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d3d740eecd84b37ac6b1dea9c1a4d1661ee4db73e20272150dbcab8e1ae28d36
                                                            • Instruction ID: a3d70e00036f84aae63d746fa354e5164b10559d71257962d451d24a29cfa074
                                                            • Opcode Fuzzy Hash: d3d740eecd84b37ac6b1dea9c1a4d1661ee4db73e20272150dbcab8e1ae28d36
                                                            • Instruction Fuzzy Hash: 87914C30E102198BDF60DF68C880BDDB7B1FF89310F208699D549BB245EB71AA85CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4eb7fbb11326547284dd1bc7ad849064ee24cdf267420ee7d5bcb38196d9493a
                                                            • Instruction ID: 057fc2f554fb97fba483c8133417ffc7f708fc4bd19a98bb6f09690f5d85c64b
                                                            • Opcode Fuzzy Hash: 4eb7fbb11326547284dd1bc7ad849064ee24cdf267420ee7d5bcb38196d9493a
                                                            • Instruction Fuzzy Hash: 27812E30B0120A8FDB95DFA4D45076EB7F7AF89710F208529D40ADB394EB75DD428B92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c25f21917a87ea4a686e29666ce17560f813d77108387c100f623019bc83e4d0
                                                            • Instruction ID: 8cc8799ae168de91f1f1b72dc3d7faf882f23df598fc45b60e942404afe6532a
                                                            • Opcode Fuzzy Hash: c25f21917a87ea4a686e29666ce17560f813d77108387c100f623019bc83e4d0
                                                            • Instruction Fuzzy Hash: D5912C30E106198BDF64DF68C880B9DB7B1FF89310F208699D549BB345EB71AA85CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 11033cca0a5e9c1dcdf6d263eacc608e31e55e570fe465d8ddc2fa8d48b1d288
                                                            • Instruction ID: ffa80c576f3ca15987101f22124b00086a13fd9e576ab6b89152de3d52abcbba
                                                            • Opcode Fuzzy Hash: 11033cca0a5e9c1dcdf6d263eacc608e31e55e570fe465d8ddc2fa8d48b1d288
                                                            • Instruction Fuzzy Hash: 1F715A30A002499FDB54EBA9D890AAEFBF6FF84310F248469D455EB355EB30EC42CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2a2ff5dad7651f1a75867371d81bbd7f016fe3cc45ab0696a65a0237c049d881
                                                            • Instruction ID: c90644e690284242e3620de1b7f6b3feac0fd00a37ad2ecff5aa64239593ec34
                                                            • Opcode Fuzzy Hash: 2a2ff5dad7651f1a75867371d81bbd7f016fe3cc45ab0696a65a0237c049d881
                                                            • Instruction Fuzzy Hash: 83713A70A002498FDB54DBA9D990A9EBBF6FF84310F248469D405EB354EB30EC42CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6d7e39735fd6e561eeff3bed2dd72a6d9aa02f02cd9c7b332dc64374c7732272
                                                            • Instruction ID: 51d1aaac92f5582a48d49153f63ee73b7a84c1b5871af566d824e356e0855e69
                                                            • Opcode Fuzzy Hash: 6d7e39735fd6e561eeff3bed2dd72a6d9aa02f02cd9c7b332dc64374c7732272
                                                            • Instruction Fuzzy Hash: 13618C70F002189FEB559BA4D8147AEBBF6EF88310F20852AD506AB394DF758C458F95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 05f215bf71c1431c304fe7da411f13847bd028b6170706915660e3135d05cb05
                                                            • Instruction ID: 956a0c50f42bdee5d5827c31e165c2b4699105709f84114bf28246546c581759
                                                            • Opcode Fuzzy Hash: 05f215bf71c1431c304fe7da411f13847bd028b6170706915660e3135d05cb05
                                                            • Instruction Fuzzy Hash: DA510635E042458FEF718F68E4C077EBBB2EB45310F64886AD059DB292EA35D941CB93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cbaa5d7d3abbc03261843085f74e5a76d96ea407d67c255ec61d3b3c30c0ec4f
                                                            • Instruction ID: 4599f1537dad451021fcf40da36d30849d262cad67c489fc26852f2b62bb1e02
                                                            • Opcode Fuzzy Hash: cbaa5d7d3abbc03261843085f74e5a76d96ea407d67c255ec61d3b3c30c0ec4f
                                                            • Instruction Fuzzy Hash: 8751D031E00209DFDF64EBB8E4946ADB7B2EB84315F20886AD106DB250EB318955CBD6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1643c71d1c309d4358b4b603abfc338407a780e8589618dafd2fb3dae370b9d2
                                                            • Instruction ID: 768a5d8246f143171c7ca5de41aac135766f7ffc644c03eab2bf98ee9850f303
                                                            • Opcode Fuzzy Hash: 1643c71d1c309d4358b4b603abfc338407a780e8589618dafd2fb3dae370b9d2
                                                            • Instruction Fuzzy Hash: F051A130B202098BEF746768D8A4B6F7A5AD7C9710F60442AE40AC7399DB69CC4197E3
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c30586d9d8e7e1eb3098d153ad2163ac69265f0fa61c1d2ccb899cb18caba25c
                                                            • Instruction ID: e05a03e1ef0a80089ce8dc36ffebd0504e697783574f1bb121891b3117ee9fdb
                                                            • Opcode Fuzzy Hash: c30586d9d8e7e1eb3098d153ad2163ac69265f0fa61c1d2ccb899cb18caba25c
                                                            • Instruction Fuzzy Hash: AD512131B0151A9FDB94EB68D860B6EB7F6BFC9740F108469D80ADB384EA31DD058B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6f9a9b91aa9effdbe6b5aebed93f12a9655b046d6b995ad38fd88c4afb9abcec
                                                            • Instruction ID: 6acd44f2ffa1cf901789c6026bbab1000b20f98869d8572452dfff72466bdd88
                                                            • Opcode Fuzzy Hash: 6f9a9b91aa9effdbe6b5aebed93f12a9655b046d6b995ad38fd88c4afb9abcec
                                                            • Instruction Fuzzy Hash: C0518F30B202088BEF746768E8A4B6F765AD7CD711F60442AE50AC7398DF69CC4197E3
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5e13bbf2281d151c4583733f6134643a6a8b96a0c2312780d0af998d56cb7a17
                                                            • Instruction ID: 4240763e273b385d4d64f1ceae31f3553a5632cb5050484f7bd5b6ead8039be7
                                                            • Opcode Fuzzy Hash: 5e13bbf2281d151c4583733f6134643a6a8b96a0c2312780d0af998d56cb7a17
                                                            • Instruction Fuzzy Hash: ED513031B103198FDB54EB78E450A9EB7F2FBC8311F218569D805AB359EB71EC428B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d98a39471f79cd28cad502ef84528c34bfad36ea3678288a4095548bb53d60de
                                                            • Instruction ID: 0b7ccfbcda1a62066cafa691e92741b823b6974641f242a5cc9895d862abb46d
                                                            • Opcode Fuzzy Hash: d98a39471f79cd28cad502ef84528c34bfad36ea3678288a4095548bb53d60de
                                                            • Instruction Fuzzy Hash: 69517D70F002089FEB599BA5C814BAEBBF7FFC8700F20852AD505AB395DE719C058B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e5666d90bde0fe653ef796b5bed3ac5a4848657111885846ff6dd302a683f47d
                                                            • Instruction ID: 20edd09e674acdb8541b0811a49db27e1f28b31bf5b8fc5deb429f9f4071ddb1
                                                            • Opcode Fuzzy Hash: e5666d90bde0fe653ef796b5bed3ac5a4848657111885846ff6dd302a683f47d
                                                            • Instruction Fuzzy Hash: 4D419571E002099FDF70CFA9E881ABFF7B6EB88314F10492AE155D3550EB30E8558B92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: de34caab41ff0bc40499684959ef1458bf8557e8f3baf983a2f72a4e1dc32972
                                                            • Instruction ID: 244c60742a4d34593c9473bcbdbb6ca19591b7181ec55bbd4dad2724c8a70d63
                                                            • Opcode Fuzzy Hash: de34caab41ff0bc40499684959ef1458bf8557e8f3baf983a2f72a4e1dc32972
                                                            • Instruction Fuzzy Hash: FB41A330E0024ADFDB55DF65D84569EFBB2BF85300F208529E806EB240EB71D845CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0bb771354b5ea84e51dbaa1b774eaf667e6146b9f9d6cfe1919ee92504013dd1
                                                            • Instruction ID: 864a63727af747da9d1907a3a957db10d8eec250c0106c04d60e01f7141e9690
                                                            • Opcode Fuzzy Hash: 0bb771354b5ea84e51dbaa1b774eaf667e6146b9f9d6cfe1919ee92504013dd1
                                                            • Instruction Fuzzy Hash: 49317E30B002898FDB59AB74D45466E7AB2BB89710F20856CC806EB344EF31CD018BD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: edfec31a6d94221230fbd513869b594aff152484c11f96266e5b77e9f507a7fe
                                                            • Instruction ID: 02cd7fc8f6f7493f432cc1b9b1bebcafa53662bc1b4e8feebe70812982334861
                                                            • Opcode Fuzzy Hash: edfec31a6d94221230fbd513869b594aff152484c11f96266e5b77e9f507a7fe
                                                            • Instruction Fuzzy Hash: C231A630E1071A9FDB15DF64D89069EFBB6FF85310F244929E805EB244EB71E846CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 06af67f507c676ba95ffc5b5d13e9ef8cb93629117374cb3f25865d59b097bac
                                                            • Instruction ID: 51f37391e60333274863e7b749f8f051709b5eedb7a0c5b7e25a44820fda087a
                                                            • Opcode Fuzzy Hash: 06af67f507c676ba95ffc5b5d13e9ef8cb93629117374cb3f25865d59b097bac
                                                            • Instruction Fuzzy Hash: 5231BE30E1025ADBCB58DFA4D85469EB7F2FF89310F608529E806EB340EB71AD42CB41
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 96917ed125e607d079781d8d5649af3fdd91d71ca84b29353263ddcfea2eab99
                                                            • Instruction ID: d8ee3a5e9113e92d5fb183538bd8763d04457d0810cd6b4aa70e1e42f2fb02af
                                                            • Opcode Fuzzy Hash: 96917ed125e607d079781d8d5649af3fdd91d71ca84b29353263ddcfea2eab99
                                                            • Instruction Fuzzy Hash: E4317C30E1065ADBCB58DFA4D85469EB7F2FF89300F208529E906EB340EB71AD46CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a3093a656364a04d9eff47bf350d99dc098fd7f73acb8b45dc3d362b418da3d
                                                            • Instruction ID: 3baeae13eee5170f838cdc3f28dc3d8b838462e2e71ec139bd68b08ef7467f7a
                                                            • Opcode Fuzzy Hash: 1a3093a656364a04d9eff47bf350d99dc098fd7f73acb8b45dc3d362b418da3d
                                                            • Instruction Fuzzy Hash: AC21AE75F00619DFEB50DF69E850AAEBBF5EB88710F048025E905E7340EB31DC018B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0299b2f7c983ddcc765b30b9dce7388987688056f15f3bb2ebdefe8df402468e
                                                            • Instruction ID: 8cc7cd94c8d4546a79174cb4063cde74b64e2617b92839ccb87aec8ced68835f
                                                            • Opcode Fuzzy Hash: 0299b2f7c983ddcc765b30b9dce7388987688056f15f3bb2ebdefe8df402468e
                                                            • Instruction Fuzzy Hash: 4F214875F00619DFEB50DFA9E890AAEBBF5EB88750F118029E905E7384E731DC418B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2638132516.0000000002CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CDD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_2cdd000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c0b84e0d7328720cc072340cbd0c72bee5fb55cd3cb62e926f479a7d164888de
                                                            • Instruction ID: d2bff013ea10a8ab1eac1ba25bfa7763d36014a9046e4491033b10a9c6ca3461
                                                            • Opcode Fuzzy Hash: c0b84e0d7328720cc072340cbd0c72bee5fb55cd3cb62e926f479a7d164888de
                                                            • Instruction Fuzzy Hash: BD212572A043049FDB10DF20D9C4B16BBA5FBC4314F20C56DEA4A0B242C736E446CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 47f208e33d919f0ea867132abaab8767aa6bf71f676f04f0adca43b3e9fc791e
                                                            • Instruction ID: cb574cca750ce9f2282162249c8d63fd6bdd8a3c28ecfb7c7ed24abe5644a7d4
                                                            • Opcode Fuzzy Hash: 47f208e33d919f0ea867132abaab8767aa6bf71f676f04f0adca43b3e9fc791e
                                                            • Instruction Fuzzy Hash: FA219030F111199FDF94EB69E8506AEBBB6EBC4310F248425E805EB385FB32DC418B85
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e8068bf6af1c2696bdd09a68f3d29263692651c927184bb7fe04adf0218da082
                                                            • Instruction ID: fbbf9cd218c52fdbe856b0151d9d41b4df9f7f1c2c0cbecf55945132e3faa98b
                                                            • Opcode Fuzzy Hash: e8068bf6af1c2696bdd09a68f3d29263692651c927184bb7fe04adf0218da082
                                                            • Instruction Fuzzy Hash: 9111C671E002299FCB59DB79C8415DEFBF5EF89310F05896AD546E7201EA31C940DBE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c9cf79969c81cc3e2612eee9b74cf31cb21a23c3f6c71e5ca219873dcc99e6a2
                                                            • Instruction ID: 6abf55c76897486fe360b9a5b342d2d890849dd7aeb211e085c2772850baa6f2
                                                            • Opcode Fuzzy Hash: c9cf79969c81cc3e2612eee9b74cf31cb21a23c3f6c71e5ca219873dcc99e6a2
                                                            • Instruction Fuzzy Hash: 7201F576B101151FC771977CA890B2B77DADBC6610F21883AF90AC7341EA14CD068392
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e6eaa98d29d8397b7802915a23a587cfc3356c59f186abcfd8fde00ecbbf00b6
                                                            • Instruction ID: b816f3424f66e4455b36b77e297845d9b63922091ce98c19d1cd234e734658b6
                                                            • Opcode Fuzzy Hash: e6eaa98d29d8397b7802915a23a587cfc3356c59f186abcfd8fde00ecbbf00b6
                                                            • Instruction Fuzzy Hash: EE11AD35B001298FDF95DA69D8246AE77FAEBC8350B008439D90AE7340EE35DC028BD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ea2c2f243cd05dd9766e968c8692baa4cdabe21a7f72c96da47d711eff5b46e1
                                                            • Instruction ID: 8c89cbe7c6e4c95610a8d1603972173d0883764517acb1ad73e540c4c891661a
                                                            • Opcode Fuzzy Hash: ea2c2f243cd05dd9766e968c8692baa4cdabe21a7f72c96da47d711eff5b46e1
                                                            • Instruction Fuzzy Hash: 492103B1C01219AFDB10DF9AD884ADEFFB8FB48710F10812AE918A7340D774A944CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8cbd61dd6d25b8400f8f21b84af1a8722a05d0968a2cb4be965fbfa6eb4732a7
                                                            • Instruction ID: 79a2835cbaea6f1ef04e853b605bde4048ccdb602e365461c2d45038b42cea47
                                                            • Opcode Fuzzy Hash: 8cbd61dd6d25b8400f8f21b84af1a8722a05d0968a2cb4be965fbfa6eb4732a7
                                                            • Instruction Fuzzy Hash: 5301A231B100210BDBB59AADA42476FB3DBDBC6610F20843AE60EC7384EA65DC1643D2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2638132516.0000000002CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CDD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_2cdd000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction ID: fa78a0be85fd9f87f603f82215a77ca77690a9619a34d905e22127acdf98e481
                                                            • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction Fuzzy Hash: 3D11D076904244CFCB11CF10C9C4B15BBB2FB84324F24C6AED94A4B252C33AE44ACF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dcb325cc2ac6058706bc65cc6d38c03261aefbccb44552acee12629b9209ba94
                                                            • Instruction ID: 25b73cddea99990dcad4946d056d9880509e5f206c20991b7027d8808c2ccf0f
                                                            • Opcode Fuzzy Hash: dcb325cc2ac6058706bc65cc6d38c03261aefbccb44552acee12629b9209ba94
                                                            • Instruction Fuzzy Hash: 4701BC30B046114FD761ABB8E86072F77E6EB86710F648469E10ACB395EE25EC028392
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b0b7107fc35310d78eed3e98a50e4b64a6e60586d7792949686be8a88d2090bc
                                                            • Instruction ID: 95a176e20ee8cdb0f7f72bccef421dd5f1b982d40a13b8baab31b17af1db7377
                                                            • Opcode Fuzzy Hash: b0b7107fc35310d78eed3e98a50e4b64a6e60586d7792949686be8a88d2090bc
                                                            • Instruction Fuzzy Hash: 1301A236B100294BDBA4D669DC20AAFB7EADBC8350F048139E50BD7340EE25CC0247D2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7497168f6de99f3bf37bca2edc9ffce0a0d0daa67b1592b782be4e47799f906e
                                                            • Instruction ID: aba8c97e799a98d91bc0eaa4bbeac2306cddcdc71dac786a92e566c3789fb338
                                                            • Opcode Fuzzy Hash: 7497168f6de99f3bf37bca2edc9ffce0a0d0daa67b1592b782be4e47799f906e
                                                            • Instruction Fuzzy Hash: 0F11B0B5D01259AFCB10DF9AD884ADEFFB4FB48710F10812AE918A7340D378A954CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 55b0baf759ef10299e47fd5a0b19a925c0305d9661f3ab9950317e6f67f6bad5
                                                            • Instruction ID: b9eacad68b6ce0f64ca9b0f6193d072fec074938e2e7c4c774d4466b4728f9de
                                                            • Opcode Fuzzy Hash: 55b0baf759ef10299e47fd5a0b19a925c0305d9661f3ab9950317e6f67f6bad5
                                                            • Instruction Fuzzy Hash: 84016231B100214BDBB59AAD941471FB3DBDBC6610F208439E60EC7344EA65DC1643D2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8119e30f419f4a7a3c84d498a65195ae758d0c91f944a8bbd0abb234845b13ec
                                                            • Instruction ID: dfe29c9bef36d6ec4c25b3b36b8936843f73cf5f80f2b02e9ef2546352a96a00
                                                            • Opcode Fuzzy Hash: 8119e30f419f4a7a3c84d498a65195ae758d0c91f944a8bbd0abb234845b13ec
                                                            • Instruction Fuzzy Hash: C5018136B101154BDBB4D76C989072F73D6E7C9620F20883AF90AC7344EE25DC024382
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8cb41936833735eb3cb99a9cda3c2985223028bd7ede66c78c212a03a2bd0be2
                                                            • Instruction ID: 0ffc494e292ae315ccdbe7fcef90aa03d579479974cea563892b985ec5f78fb1
                                                            • Opcode Fuzzy Hash: 8cb41936833735eb3cb99a9cda3c2985223028bd7ede66c78c212a03a2bd0be2
                                                            • Instruction Fuzzy Hash: A101F931F202289FDF54AB79F85069AB776FB84310F108139E905EB344EB319C048BD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 73a740d014658ab7892c490ba77e13d9c6e64420ae9701b96d9dd5e9e27e5683
                                                            • Instruction ID: 903b16854c59e6b3a2e0892039f495c8d9bd838bb8ae35eccc7c51a3947502df
                                                            • Opcode Fuzzy Hash: 73a740d014658ab7892c490ba77e13d9c6e64420ae9701b96d9dd5e9e27e5683
                                                            • Instruction Fuzzy Hash: CF01A430B105154FDBA0EABCE46071F73D6E786711F248439E50ECB354EE21DC024782
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4c9f213a3b83914af283e1613bbbcaaa6e34726133a47019f9424440d96fc864
                                                            • Instruction ID: cba05fa41ae2a7e8eb19a7d2f71ed37a15aacde80770e6d9ea71e15f4ca4efbe
                                                            • Opcode Fuzzy Hash: 4c9f213a3b83914af283e1613bbbcaaa6e34726133a47019f9424440d96fc864
                                                            • Instruction Fuzzy Hash: 39F08C31E00218DFDB649B98E99C6ACBBB1EB41312F584072D801E3254E331D982EB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f264093bf80adbb65ad20640c062d0708f1afa69e93a069c238efd71beae3c81
                                                            • Instruction ID: c85e1cc3f46d054ac2d442074c2f59349bd42ab0a56c6a2109946d9716ca6736
                                                            • Opcode Fuzzy Hash: f264093bf80adbb65ad20640c062d0708f1afa69e93a069c238efd71beae3c81
                                                            • Instruction Fuzzy Hash: A3E0D870A197886FDB50CF708D1576A7BACD746208F208896E408CB102F136DE4193A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 734fbd5c0e64a0c76da22990692f4993856a0d882a44f86038d8c489e1750287
                                                            • Instruction ID: 432b0b6b6a7e668669cf627f69fed6827ec9a166ba6eaa433c1fb93ae713d362
                                                            • Opcode Fuzzy Hash: 734fbd5c0e64a0c76da22990692f4993856a0d882a44f86038d8c489e1750287
                                                            • Instruction Fuzzy Hash: 14F0DA30E6021ADFDB14DF94E868BAEBBB2FF84704F204129E402A7284DB701C05CBC5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
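The records above are Joe Sandbox IDA Plugin function entries: each function recovered from the dumped memory region at 06D70000 gets an Opcode ID, an Instruction ID and two fuzzy hashes, and analysts routinely extract these to match functions across samples and reports. The following Python parser is an added example (not part of this report and not Joe Sandbox's own tooling) that reads this plain-text layout into records, checks each one for consistency (64-hex-digit IDs, a hexadecimal Instruction Fuzzy Hash, and Opcode ID equal to Opcode Fuzzy Hash, as holds for every record on this page) and groups the functions by snapshot file. It assumes only the "Key: value" layout visible here; the sample input is the first two records above and the regex names and the FunctionRecord class are this example's own choices.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the first two records of the report section above,
# in the plain-text layout Joe Sandbox renders them in.
SAMPLE = """\
Memory Dump Source
• Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8119e30f419f4a7a3c84d498a65195ae758d0c91f944a8bbd0abb234845b13ec
• Instruction ID: dfe29c9bef36d6ec4c25b3b36b8936843f73cf5f80f2b02e9ef2546352a96a00
• Opcode Fuzzy Hash: 8119e30f419f4a7a3c84d498a65195ae758d0c91f944a8bbd0abb234845b13ec
• Instruction Fuzzy Hash: C5018136B101154BDBB4D76C989072F73D6E7C9620F20883AF90AC7344EE25DC024382
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.2669464567.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_6d70000_cbsBVT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8cb41936833735eb3cb99a9cda3c2985223028bd7ede66c78c212a03a2bd0be2
• Instruction ID: 0ffc494e292ae315ccdbe7fcef90aa03d579479974cea563892b985ec5f78fb1
• Opcode Fuzzy Hash: 8cb41936833735eb3cb99a9cda3c2985223028bd7ede66c78c212a03a2bd0be2
• Instruction Fuzzy Hash: A101F931F202289FDF54AB79F85069AB776FB84310F108139E905EB344EB319C048BD1
Uniqueness

Uniqueness Score: -1.00%
"""

# "Key: value" lines; the leading bullet is optional because copy/paste often drops it.
FIELD_RE = re.compile(r"^\s*(?:•\s*)?([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")
SOURCE_RE = re.compile(r"^(\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
HEX64_RE = re.compile(r"^[0-9a-f]{64}$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: str = ""
    based_on_pe: bool = False
    snapshot_file: str = ""
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""
    uniqueness_score: str = ""


def parse_records(text: str) -> list:
    """One record per 'Memory Dump Source' heading; 'Key: value' lines fill its fields."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = FunctionRecord()
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is None or not m:
            continue  # text before the first heading, or a bare label such as 'Similarity'
        key, value = m.group(1), m.group(2)
        if key == "Source File":
            sm = SOURCE_RE.match(value)  # "<dump>.sdmp, Offset: <hex>, based on PE: <bool>"
            current.source_file = sm.group(1) if sm else value
            if sm:
                current.offset, current.based_on_pe = sm.group(2), sm.group(3) == "true"
            continue
        field = key.lower().replace(" ", "_")  # "Opcode Fuzzy Hash" -> opcode_fuzzy_hash
        if hasattr(current, field):
            setattr(current, field, value)
    return records


def check_record(rec: FunctionRecord) -> list:
    """Consistency problems for one record; an empty list means it looks well-formed."""
    problems = [f"{n} is not 64 hex digits" for n in ("opcode_id", "instruction_id", "opcode_fuzzy_hash")
                if not HEX64_RE.match(getattr(rec, n))]
    if not HEX_RE.match(rec.instruction_fuzzy_hash):
        problems.append("instruction_fuzzy_hash is not hexadecimal")
    if rec.opcode_id != rec.opcode_fuzzy_hash:  # equal in every record of this report
        problems.append("opcode_id differs from opcode_fuzzy_hash")
    return problems


def group_by_snapshot(records) -> dict:
    """Snapshot file -> opcode IDs of the functions dumped from it."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.snapshot_file].append(rec.opcode_id)
    return dict(groups)
```

Run `parse_records` over the report text, then `check_record` on each result before trusting it: the empty API ID / String ID / API String ID fields are kept as empty strings rather than dropped, so a record with no API or string evidence is still visible in the grouped output. The Uniqueness Score is stored verbatim as a string, since the report gives it only as "-1.00%".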