Loading ...

Play interactive tourEdit tour

Analysis Report Odeme belegesi.exe

Overview

General Information

Sample Name:Odeme belegesi.exe
MD5:1929b4f1f4794fa86596221ccd33481f
SHA1:bd676273e315784fffb8fc1894b8c10d39f70ab5
SHA256:efeab498a2f5768884ead3ad716515d64d96338bfa7a4b2f88315328b7de75fb

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: Capture Wi-Fi password
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Odeme belegesi.exe (PID: 4936 cmdline: 'C:\Users\user\Desktop\Odeme belegesi.exe' MD5: 1929B4F1F4794FA86596221CCD33481F)
    • RegAsm.exe (PID: 2872 cmdline: 'C:\Users\user\Desktop\Odeme belegesi.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 4944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 5456 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "V4Sli3Ne", "URL: ": "http://g4hpmEtqbjJ.com", "To: ": "", "ByHost: ": "smtp.yandex.com:587", "Password: ": "Yot2leOQZ", "From: ": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1192285134.000000001FD3C000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000002.00000002.1191963632.000000001FBBF000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000002.00000002.1191963632.000000001FBBF000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: RegAsm.exe PID: 2872JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: RegAsm.exe PID: 2872JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

            Sigma Overview


            System Summary:

            barindex
            Sigma detected: Capture Wi-Fi passwordShow sources
            Source: Process startedAuthor: Joe Security: Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user\Desktop\Odeme belegesi.exe' , ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 2872, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 5456
            Sigma detected: RegAsm connects to smtp portShow sources
            Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 2872, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49751

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: RegAsm.exe.2872.2.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "V4Sli3Ne", "URL: ": "http://g4hpmEtqbjJ.com", "To: ": "", "ByHost: ": "smtp.yandex.com:587", "Password: ": "Yot2leOQZ", "From: ": ""}
            Multi AV Scanner detection for submitted fileShow sources
            Source: Odeme belegesi.exeVirustotal: Detection: 11%Perma Link

            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 4x nop then jmp 00D769CBh2_2_00D76883
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 4x nop then jmp 00D769CBh2_2_00D768AB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 4x nop then jmp 00D769CBh2_2_00D767C7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 4x nop then jmp 00D769CBh2_2_00D7679B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 4x nop then jmp 00D769CBh2_2_00D76763

            Source: global trafficTCP traffic: 192.168.2.5:49751 -> 77.88.21.158:587
            Source: Joe Sandbox ViewIP Address: 104.16.202.237 104.16.202.237
            Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: global trafficTCP traffic: 192.168.2.5:49751 -> 77.88.21.158:587
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1F99A09A recv,2_2_1F99A09A
            Source: unknownDNS traffic detected: queries for: www.mediafire.com
            Source: RegAsm.exe, 00000002.00000002.1193578507.00000000223E0000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
            Source: RegAsm.exe, 00000002.00000002.1193578507.00000000223E0000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
            Source: RegAsm.exe, 00000002.00000002.1189544664.000000000119C000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: RegAsm.exe, 00000002.00000002.1189544664.000000000119C000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: RegAsm.exe, 00000002.00000002.1192285134.000000001FD3C000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
            Source: RegAsm.exe, 00000002.00000002.1189544664.000000000119C000.00000004.00000020.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
            Source: RegAsm.exe, 00000002.00000002.1192285134.000000001FD3C000.00000004.00000001.sdmpString found in binary or memory: http://g4hpmEtqbjJ.com
            Source: RegAsm.exe, 00000002.00000002.1191963632.000000001FBBF000.00000004.00000001.sdmpString found in binary or memory: http://g4hpmEtqbjJ.comX)e
            Source: RegAsm.exe, 00000002.00000002.1189608053.00000000011D3000.00000004.00000020.sdmpString found in binary or memory: http://go.microsoft.
            Source: RegAsm.exe, 00000002.00000002.1189608053.00000000011D3000.00000004.00000020.sdmpString found in binary or memory: http://go.microsoft.LinkId=42127
            Source: RegAsm.exe, 00000002.00000002.1189544664.000000000119C000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0
            Source: RegAsm.exe, 00000002.00000002.1189544664.000000000119C000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.sectigo.com0)
            Source: RegAsm.exe, 00000002.00000002.1193578507.00000000223E0000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
            Source: RegAsm.exe, 00000002.00000002.1193578507.00000000223E0000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
            Source: RegAsm.exe, 00000002.00000002.1192285134.000000001FD3C000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
            Source: RegAsm.exe, 00000002.00000002.1193578507.00000000223E0000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
            Source: RegAsm.exe, 00000002.00000002.1193578507.00000000223E0000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
            Source: RegAsm.exe, 00000002.00000002.1193578507.00000000223E0000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
            Source: RegAsm.exe, 00000002.00000002.1192285134.000000001FD3C000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
            Source: RegAsm.exe, 00000002.00000002.1192285134.000000001FD3C000.00000004.00000001.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
            Source: RegAsm.exe, 00000002.00000002.1189485365.0000000001167000.00000004.00000020.sdmpString found in binary or memory: https://download1247.mediafire.com/qttmk37lzepg/1stooazcyr88jmr/origin_coBhIJXp234.bin
            Source: RegAsm.exe, 00000002.00000002.1189485365.0000000001167000.00000004.00000020.sdmpString found in binary or memory: https://download1247.mediafire.com/qttmk37lzepg/1stooazcyr88jmr/origin_coBhIJXp234.bin7
            Source: RegAsm.exe, 00000002.00000002.1189485365.0000000001167000.00000004.00000020.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
            Source: RegAsm.exe, 00000002.00000002.1189544664.000000000119C000.00000004.00000020.sdmpString found in binary or memory: https://sectigo.com/CPS0
            Source: RegAsm.exe, 00000002.00000002.1192285134.000000001FD3C000.00000004.00000001.sdmpString found in binary or memory: https://www.certum.pl/CPS0
            Source: RegAsm.exe, 00000002.00000002.1189485365.0000000001167000.00000004.00000020.sdmpString found in binary or memory: https://www.mediafire.com
            Source: RegAsm.exe, 00000002.00000002.1189485365.0000000001167000.00000004.00000020.sdmpString found in binary or memory: https://www.mediafire.com/
            Source: RegAsm.exe, 00000002.00000002.1189485365.0000000001167000.00000004.00000020.sdmp, RegAsm.exe, 00000002.00000002.1188992985.0000000000D70000.00000040.00000001.sdmpString found in binary or memory: https://www.mediafire.com/file/1stooazcyr88jmr/origin_coBhIJXp234.bin/file
            Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748

            System Summary:

            barindex
            Potential malicious icon foundShow sources
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A76AD NtResumeThread,0_2_021A76AD
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A7A53 NtResumeThread,0_2_021A7A53
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A7263 NtProtectVirtualMemory,0_2_021A7263
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A78AB NtResumeThread,0_2_021A78AB
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A7ACF NtResumeThread,0_2_021A7ACF
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A76F8 NtResumeThread,0_2_021A76F8
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A78EB NtResumeThread,0_2_021A78EB
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A773B NtResumeThread,0_2_021A773B
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A794C NtResumeThread,0_2_021A794C
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A7777 NtResumeThread,0_2_021A7777
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A77EB NtResumeThread,0_2_021A77EB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D776AD NtSetInformationThread,2_2_00D776AD
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D70654 EnumWindows,NtSetInformationThread,2_2_00D70654
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D75503 LoadLibraryA,LoadLibraryA,NtProtectVirtualMemory,2_2_00D75503
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D77ACF NtSetInformationThread,2_2_00D77ACF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D776C8 NtSetInformationThread,2_2_00D776C8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D776F8 NtSetInformationThread,2_2_00D776F8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D778EB NtSetInformationThread,2_2_00D778EB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D70687 NtSetInformationThread,2_2_00D70687
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D706BB NtSetInformationThread,2_2_00D706BB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D772A1 NtProtectVirtualMemory,2_2_00D772A1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D778AB NtSetInformationThread,2_2_00D778AB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D77A53 NtSetInformationThread,2_2_00D77A53
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D707E7 NtSetInformationThread,2_2_00D707E7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D777EB NtSetInformationThread,2_2_00D777EB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D7075B NtSetInformationThread,2_2_00D7075B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D7794C NtSetInformationThread,2_2_00D7794C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D77777 NtSetInformationThread,2_2_00D77777
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D7071F NtSetInformationThread,2_2_00D7071F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D7773B NtSetInformationThread,2_2_00D7773B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1F99B362 NtQuerySystemInformation,2_2_1F99B362
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1F99B331 NtQuerySystemInformation,2_2_1F99B331
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_004015280_2_00401528
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D755032_2_00D75503
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D734352_2_00D73435
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D7573B2_2_00D7573B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB25F42_2_21EB25F4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EBA4E52_2_21EBA4E5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB00702_2_21EB0070
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB83D82_2_21EB83D8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB47D82_2_21EB47D8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB7F882_2_21EB7F88
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB53602_2_21EB5360
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB0F082_2_21EB0F08
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EBAB182_2_21EBAB18
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB25F42_2_21EB25F4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB8D482_2_21EB8D48
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB89462_2_21EB8946
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB8D382_2_21EB8D38
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB002A2_2_21EB002A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB44212_2_21EB4421
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB003C2_2_21EB003C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB001A2_2_21EB001A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB83C82_2_21EB83C8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EBA7DE2_2_21EBA7DE
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB2FD32_2_21EB2FD3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB879B2_2_21EB879B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EBC3652_2_21EBC365
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB33782_2_21EB3378
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB7F782_2_21EB7F78
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB53522_2_21EB5352
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB273B2_2_21EB273B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB2F3A2_2_21EB2F3A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EBCB3D2_2_21EBCB3D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB3B012_2_21EB3B01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB26C32_2_21EB26C3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB26AC2_2_21EB26AC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB3A652_2_21EB3A65
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21EB42332_2_21EB4233
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21F8F0A82_2_21F8F0A8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21F8003C2_2_21F8003C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21F8F4E12_2_21F8F4E1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21F8F09E2_2_21F8F09E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21F8F5832_2_21F8F583
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21F8FC6D2_2_21F8FC6D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21F8F8112_2_21F8F811
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_227A32702_2_227A3270
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_227A00702_2_227A0070
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_227A2E402_2_227A2E40
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_227A08302_2_227A0830
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_227A00F52_2_227A00F5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_227BF2282_2_227BF228
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_227BE6882_2_227BE688
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_227BB9502_2_227BB950
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_227BD5E02_2_227BD5E0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_227BA5902_2_227BA590
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_227BBED82_2_227BBED8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_227BDC582_2_227BDC58
            Source: Odeme belegesi.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Odeme belegesi.exe, 00000000.00000002.851020216.0000000002190000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Odeme belegesi.exe
            Source: Odeme belegesi.exe, 00000000.00000002.850394601.0000000000422000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameLysastrata7.exe vs Odeme belegesi.exe
            Source: Odeme belegesi.exeBinary or memory string: OriginalFilenameLysastrata7.exe vs Odeme belegesi.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: security.dllJump to behavior
            Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@7/0@3/3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1F99B1E6 AdjustTokenPrivileges,2_2_1F99B1E6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1F99B1AF AdjustTokenPrivileges,2_2_1F99B1AF
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4944:120:WilError_01
            Source: Odeme belegesi.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Odeme belegesi.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Users\user\Desktop\Odeme belegesi.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: Odeme belegesi.exeVirustotal: Detection: 11%
            Source: unknownProcess created: C:\Users\user\Desktop\Odeme belegesi.exe 'C:\Users\user\Desktop\Odeme belegesi.exe'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Odeme belegesi.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Odeme belegesi.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Odeme belegesi.exe' Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
            Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000002.00000002.1193923385.00000000227C0000.00000002.00000001.sdmp

            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_00401528 push edx; ret 0_2_004016BF
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A123B push ecx; ret 0_2_021A12AE
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A0039 push ecx; ret 0_2_021A0216
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A1C34 push ecx; ret 0_2_021A1C76
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A2C2C push ecx; ret 0_2_021A2CDE
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A1E58 push ecx; ret 0_2_021A1EAA
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A0073 push ecx; ret 0_2_021A0216
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A1E68 push ecx; ret 0_2_021A1EAA
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A2063 push ecx; ret 0_2_021A20B2
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A5290 push ecx; ret 0_2_021A53B2
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A1896 push ecx; ret 0_2_021A18CE
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A6088 push ecx; ret 0_2_021A6126
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A2282 push ecx; ret 0_2_021A22BA
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A40B2 push esp; retf 0_2_021A416D
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A64A9 push ecx; ret 0_2_021A6492
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A64A9 push ecx; ret 0_2_021A64DE
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A12AF push ecx; ret 0_2_021A12AE
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A28C3 push ecx; ret 0_2_021A297A
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A64FD push ss; ret 0_2_021A653A
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A10EE push ecx; ret 0_2_021A114E
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A6EE2 push ecx; ret 0_2_021A6F96
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A1AE4 push ecx; ret 0_2_021A1AE2
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A291F push ecx; ret 0_2_021A297A
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A510F push ecx; ret 0_2_021A5152
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A2F06 push ecx; ret 0_2_021A2F2E
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A2F3F push ecx; ret 0_2_021A2F6A
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A5B3F push ecx; ret 0_2_021A5B76
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A115C push ecx; ret 0_2_021A114E
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A115C push ecx; ret 0_2_021A123A
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A1B51 push ecx; ret 0_2_021A1B9A
            Source: C:\Users\user\Desktop\Odeme belegesi.exeCode function: 0_2_021A297C push ecx; ret 0_2_021A29F6

            Source: C:\Users\user\Desktop\Odeme belegesi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Odeme belegesi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Odeme belegesi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Odeme belegesi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Odeme belegesi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D731C3 2_2_00D731C3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D73182 2_2_00D73182
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\Odeme belegesi.exeRDTSC instruction interceptor: First address: 00000000021A31CA second address: 00000000021A3217 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 jmp 00007FE8F06935DAh 0x0000000a clc 0x0000000b or edx, eax 0x0000000d clc 0x0000000e mov esi, edx 0x00000010 nop 0x00000011 pushad 0x00000012 mov eax, 00000001h 0x00000017 cpuid 0x00000019 fnop 0x0000001b bt ecx, 1Fh 0x0000001f jc 00007FE8F06935B2h 0x00000021 popad 0x00000022 lfence 0x00000025 rdtsc
            Source: C:\Users\user\Desktop\Odeme belegesi.exeRDTSC instruction interceptor: First address: 00000000021A3217 second address: 00000000021A31CA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FE8F0AA4E6Fh 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007FE8F0AA4EC3h 0x0000001b push ecx 0x0000001c call 00007FE8F0AA4EEEh 0x00000021 jmp 00007FE8F0AA4F12h 0x00000023 cld 0x00000024 nop 0x00000025 lfence 0x00000028 cld 0x00000029 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000D731CA second address: 0000000000D73217 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 jmp 00007FE8F06935DAh 0x0000000a clc 0x0000000b or edx, eax 0x0000000d clc 0x0000000e mov esi, edx 0x00000010 nop 0x00000011 pushad 0x00000012 mov eax, 00000001h 0x00000017 cpuid 0x00000019 fnop 0x0000001b bt ecx, 1Fh 0x0000001f jc 00007FE8F06935B2h 0x00000021 popad 0x00000022 lfence 0x00000025 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000D73217 second address: 0000000000D731CA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FE8F0AA4E6Fh 0x00000011 nop 0x00000012 lfence 0x00000015 cld 0x00000016 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00D731C3 rdtsc 2_2_00D731C3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -60000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -59500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -58594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -58406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -58188s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -86532s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -85923s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -56782s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -56594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -56094s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -83532s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -55500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -55282s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -81891s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -54406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -53000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -52282s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -51876s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -51594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -51188s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -50688s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -50500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -49094s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -47282s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -46594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -45688s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -45188s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -44782s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -44094s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -43688s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -43500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -43188s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -42282s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -42094s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -41188s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -40782s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -40594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -39594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -39188s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -58032s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -38000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -36906s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -36188s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -54000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -35500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -35282s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -35094s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -34188s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep time: -33688s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5256Thread sleep ti