
Analysis Report Ticari Hesap #U00d6zetiniz.exe

Overview

General Information

Sample Name: Ticari Hesap #U00d6zetiniz.exe
Analysis ID: 289571
MD5: 9e641da7a87527dd0d430d8cddc39a38
SHA1: 75a73ed680c5ebb16d3584cdf08c32b93a1eead2
SHA256: f823b4bda76194315ef0a4a46eb6be8758edaa9b7cd4246d68c206bae4a22fb1

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Ticari Hesap #U00d6zetiniz.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe' MD5: 9E641DA7A87527DD0D430D8CDDC39A38)
    • Ticari Hesap #U00d6zetiniz.exe (PID: 6936 cmdline: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe MD5: 9E641DA7A87527DD0D430D8CDDC39A38)
      • MpCmdRun.exe (PID: 2980 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
        • conhost.exe (PID: 4572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "t0RtxmJ7ThEtTo", "URL: ": "https://0jaYF9OcC4E7j.com", "To: ": "", "ByHost: ": "mail.gascuenca.es:587", "Password: ": "RW6qvy0i7d", "From: ": "angelmartinez@gascuenca.es"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.467201634.00000000031AC000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.467201634.00000000031AC000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.212505985.0000000002591000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000002.00000002.461841891.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.212670505.00000000025F9000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.Ticari Hesap #U00d6zetiniz.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Ticari Hesap #U00d6zetiniz.exe | Avira: detected
Found malware configuration
Source: Ticari Hesap #U00d6zetiniz.exe.6944.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "t0RtxmJ7ThEtTo", "URL: ": "https://0jaYF9OcC4E7j.com", "To: ": "", "ByHost: ": "mail.gascuenca.es:587", "Password: ": "RW6qvy0i7d", "From: ": "angelmartinez@gascuenca.es"}
Multi AV Scanner detection for domain / URL
Source: mail.gascuenca.es | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: Ticari Hesap #U00d6zetiniz.exe | Virustotal: Detection: 62%
Source: Ticari Hesap #U00d6zetiniz.exe | ReversingLabs: Detection: 47%
Machine Learning detection for sample
Source: Ticari Hesap #U00d6zetiniz.exe | Joe Sandbox ML: detected
Source: 2.2.Ticari Hesap #U00d6zetiniz.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 69.73.181.211:587
Source: Joe Sandbox View | IP Address: 69.73.181.211
Source: Joe Sandbox View | ASN Name: NTHLUS
Source: unknown | DNS traffic detected: queries for: mail.gascuenca.es
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.466880112.0000000003121000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.466880112.0000000003121000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.466880112.0000000003121000.00000004.00000001.sdmp | String found in binary or memory: http://UyXDKP.com
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.467620596.000000000322A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.470565494.00000000068C2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.467620596.000000000322A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.467620596.000000000322A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.467620596.000000000322A000.00000004.00000001.sdmp | String found in binary or memory: http://gascuenca.es
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.467620596.000000000322A000.00000004.00000001.sdmp | String found in binary or memory: http://mail.gascuenca.es
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.467620596.000000000322A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.212505985.0000000002591000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216767419.00000000055DA000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcom
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216767419.00000000055DA000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coml1
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.198808195.00000000055E1000.00000004.00000001.sdmp, Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.198808195.00000000055E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnthe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.201719967.00000000055DA000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htma
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.200207111.00000000055DC000.00000004.00000001.sdmp, Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.200473854.00000000055DA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.200383795.00000000055DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.200383795.00000000055DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.200383795.00000000055DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/T
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.200207111.00000000055DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.200207111.00000000055DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0h
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.200207111.00000000055DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/e-g
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.200207111.00000000055DC000.00000004.00000001.sdmp, Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.200473854.00000000055DA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000003.200091503.00000000055DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.216868941.00000000056C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.467201634.00000000031AC000.00000004.00000001.sdmp, Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.467826932.000000000325E000.00000004.00000001.sdmp | String found in binary or memory: https://0jaYF9OcC4E7j.com
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.466880112.0000000003121000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.461841891.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.466880112.0000000003121000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.467620596.000000000322A000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.461841891.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.466880112.0000000003121000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 0_2_00C194A8
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 0_2_00C1C3A0
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 0_2_00C1A758
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 0_2_06CCC6E0
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 0_2_06CC5E50
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 2_2_01400040
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 2_2_01407958
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 2_2_01401BE8
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 2_2_01406D40
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 2_2_0140C258
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 2_2_0157AB70
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 2_2_01572D50
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 2_2_01571FE4
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 2_2_01572618
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Code function: 2_2_0157E6F0
Source: Ticari Hesap #U00d6zetiniz.exe | Binary or memory string: OriginalFilename vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000000.194222480.000000000018F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamekDNM.exe. vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.212505985.0000000002591000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEminem.dll< vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.212505985.0000000002591000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZxkEYlrYHGjMpWPKcIAVxyeQgVHPmckgbo.exe4 vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.219370062.00000000073B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameButterFly.dll< vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.219115252.00000000071D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000001.00000000.207726112.000000000005F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamekDNM.exe. vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.464424060.00000000014A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.469727162.0000000005670000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.461841891.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameZxkEYlrYHGjMpWPKcIAVxyeQgVHPmckgbo.exe4 vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.462556354.0000000000C8F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamekDNM.exe. vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.463457149.0000000001157000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe | Binary or memory string: OriginalFilenamekDNM.exe. vs Ticari Hesap #U00d6zetiniz.exe
Source: Ticari Hesap #U00d6zetiniz.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Ticari Hesap #U00d6zetiniz.exe, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.Ticari Hesap #U00d6zetiniz.exe.150000.0.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Ticari Hesap #U00d6zetiniz.exe.150000.0.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.Ticari Hesap #U00d6zetiniz.exe.20000.0.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.Ticari Hesap #U00d6zetiniz.exe.20000.0.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.Ticari Hesap #U00d6zetiniz.exe.c50000.1.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@2/1
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ticari Hesap #U00d6zetiniz.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4572:120:WilError_01
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Ticari Hesap #U00d6zetiniz.exe | Virustotal: Detection: 62%
Source: Ticari Hesap #U00d6zetiniz.exe | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe 'C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe
Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Process created: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Ticari Hesap #U00d6zetiniz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Ticari Hesap #U00d6zetiniz.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Ticari Hesap #U00d6zetiniz.exe | Static file information: File size 1534976 > 1048576
Source: Ticari Hesap #U00d6zetiniz.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x176000
Source: Ticari Hesap #U00d6zetiniz.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

              barindex
              .NET source code contains potential unpackerShow sources
              Source: Ticari Hesap #U00d6zetiniz.exe, Frupal/End.cs.Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.Ticari Hesap #U00d6zetiniz.exe.150000.0.unpack, Frupal/End.cs.Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.Ticari Hesap #U00d6zetiniz.exe.150000.0.unpack, Frupal/End.cs.Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 1.2.Ticari Hesap #U00d6zetiniz.exe.20000.0.unpack, Frupal/End.cs.Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 1.0.Ticari Hesap #U00d6zetiniz.exe.20000.0.unpack, Frupal/End.cs.Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.2.Ticari Hesap #U00d6zetiniz.exe.c50000.1.unpack, Frupal/End.cs.Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.0.Ticari Hesap #U00d6zetiniz.exe.c50000.0.unpack, Frupal/End.cs.Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exeCode function: 2_2_0140BF48 pushad ; retf 2_2_0140BF49
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exeCode function: 2_2_01577A37 push edi; retn 0000h2_2_01577A39
              Source: initial sampleStatic PE information: section name: .text entropy: 7.18917737588
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match | File source: 00000000.00000002.212505985.0000000002591000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.212670505.00000000025F9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Ticari Hesap #U00d6zetiniz.exe PID: 6892, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.212505985.0000000002591000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.212505985.0000000002591000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exeWindow / User API: threadDelayed 705Jump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 6896Thread sleep time: -58457s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 6912Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -3689348814741908s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5424Thread sleep count: 192 > 30Jump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5424Thread sleep count: 705 > 30Jump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -59500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -118624s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -88077s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -58218s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -87000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -85968s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -56906s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -85077s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -84750s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -84327s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -56000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -83718s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -83391s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -55406s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -82827s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -54906s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -82077s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -81750s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -81468s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -54094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -53812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -53594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -53406s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -79827s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -79500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -52718s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -52500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -78468s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -78141s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -51906s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -77577s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -51406s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -76827s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -76500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -76218s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -75891s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -50312s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -50094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -49906s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -74577s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -49218s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -49000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -73218s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -72891s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -48406s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -72327s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -95436s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -95000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -47312s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -70641s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -46812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -46594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -69609s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -92436s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -69000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -45500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -67968s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -90188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -44906s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -67077s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -44406s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -88436s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -88000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -43594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -43312s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -64641s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -42906s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -42718s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -42500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -63327s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -63000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -41812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -62391s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -41406s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -41218s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -61359s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -81436s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -60750s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -40312s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -40094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -39812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -59391s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -59109s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -58827s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -39000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -58077s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -77000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -57468s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -57141s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -37906s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -56109s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -74436s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -55500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -36594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -72624s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -72188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -53859s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -35718s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -35500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -35218s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -70000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -34812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -34594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -51609s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -34218s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -50859s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -33500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -33312s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -33094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -32594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -32218s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -31718s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -47250s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -31312s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -31094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -30812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -45891s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -45609s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -41577s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -90000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -53906s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -53718s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -52812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -52594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -50218s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -49312s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -48000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -46718s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe TID: 5952Thread sleep time: -45812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -45594s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -31000s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -30218s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -44577s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -43500s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -42406s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -41094s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -40218s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -40000s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -38906s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -37812s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -37594s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -36718s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -36500s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -35406s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -34094s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -33594s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -33406s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
              Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.212505985.0000000002591000.00000004.00000001.sdmp, Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.212505985.0000000002591000.00000004.00000001.sdmp, Binary or memory string: vmware
              Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.212505985.0000000002591000.00000004.00000001.sdmp, Binary or memory string: VMware SVGA II
              Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.470565494.00000000068C2000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: Ticari Hesap #U00d6zetiniz.exe, 00000000.00000002.212505985.0000000002591000.00000004.00000001.sdmp, Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, Code function: 2_2_01400040 LdrInitializeThunk
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Injects a PE file into a foreign process
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, Memory written: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, Process created: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, Process created: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe
              Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.464734151.00000000019F0000.00000002.00000001.sdmp, Binary or memory string: Program Manager
              Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.464734151.00000000019F0000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
              Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.464734151.00000000019F0000.00000002.00000001.sdmp, Binary or memory string: Progman
              Source: Ticari Hesap #U00d6zetiniz.exe, 00000002.00000002.464734151.00000000019F0000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
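              The two signature groups above describe a common loader pattern: the first stage stalls with repeated long sleeps and queries Win32_Processor (the signature list also names Win32_Bios, Win32_BaseBoard and Win32_NetworkAdapter) to fingerprint the sandbox, then starts a second copy of itself and writes a buffer beginning with the MZ magic (4D5A) at image base 0x400000 of that copy, which is the process-hollowing shape. The following triage script is an added example, not part of the report or of the Joe Sandbox tooling: it parses behaviour lines in the cleaned "Source: ..., event: ..." form shown above and derives a verdict from the three indicators together. The input lines are constructed to exercise the checks (the report itself only lists sleeps that already exceed its threshold); the sleep value is taken as the magnitude of the negative relative delay in whatever unit the report prints it (the report labels it "s"), compared against the 30000 threshold the report uses. The 0x7FF000 write and the Win32_OperatingSystem query are constructed negatives.

```python
import re
from collections import defaultdict

# Constructed behaviour lines in the shape of the report above. Only the line
# format is taken from the report; the specific values here are chosen to
# exercise the checks (one short sleep, one non-PE write, one benign WMI class).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -45594s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 5952, Thread sleep time: -31000s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, TID: 6000, Thread sleep time: -5000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_OperatingSystem
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, Memory written: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe, Memory written: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz.exe base: 7FF000 value starts with: 0000
""".strip().splitlines()

_SLEEP_RE = re.compile(r"^Source: (?P<src>.+?), TID: (?P<tid>\d+), Thread sleep time: -(?P<delay>\d+)s")
_WMI_RE = re.compile(r"^Source: (?P<src>.+?), WMI Queries: .*?root\\cimv2 : (?:SELECT \* FROM )?(?P<cls>Win32_\w+)")
_MEMWRITE_RE = re.compile(r"^Source: (?P<src>.+?), Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)")

# WMI classes the report flags as VM-detection probes: Win32_Processor from the
# queries shown, the other three from the report's signature list.
VM_FINGERPRINT_CLASSES = {"Win32_Processor", "Win32_Bios", "Win32_BaseBoard", "Win32_NetworkAdapter"}


def long_sleeps(lines, threshold=30000):
    """Map thread id -> list of sleep magnitudes at or above `threshold`.
    The magnitude of the negative relative delay is used as printed; no unit
    conversion is attempted."""
    per_thread = defaultdict(list)
    for line in lines:
        m = _SLEEP_RE.match(line)
        if m and int(m["delay"]) >= threshold:
            per_thread[m["tid"]].append(int(m["delay"]))
    return dict(per_thread)


def vm_fingerprint_queries(lines):
    """Sorted list of queried WMI classes commonly used to fingerprint VMs."""
    seen = set()
    for line in lines:
        m = _WMI_RE.match(line)
        if m and m["cls"] in VM_FINGERPRINT_CLASSES:
            seen.add(m["cls"])
    return sorted(seen)


def pe_header_writes(lines):
    """Memory writes whose first bytes are the MZ magic (4D5A). Writing a full
    PE image at another process's image base is the hollowing pattern."""
    hits = []
    for line in lines:
        m = _MEMWRITE_RE.match(line)
        if m and m["magic"].upper().startswith("4D5A"):
            hits.append({
                "writer": m["src"],
                "target": m["target"],
                "base": int(m["base"], 16),
                "same_image": m["src"] == m["target"],  # injecting into a copy of itself
            })
    return hits


def triage(lines, sleep_threshold=30000):
    """Combine the three indicators into a single verdict string."""
    sleeps = long_sleeps(lines, sleep_threshold)
    writes = pe_header_writes(lines)
    vm_classes = vm_fingerprint_queries(lines)
    evasive = bool(sleeps) or bool(vm_classes)
    if writes and evasive:
        verdict = "evasive loader: sandbox evasion plus PE injection into a foreign process"
    elif writes:
        verdict = "PE injection into a foreign process"
    elif evasive:
        verdict = "sandbox evasion only"
    else:
        verdict = "no evasion or injection indicators"
    return {
        "long_sleep_threads": sleeps,
        "total_long_sleep": sum(sum(v) for v in sleeps.values()),
        "vm_fingerprint_classes": vm_classes,
        "pe_writes": writes,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_LINES).items():
        print(f"{key}: {value}")
```

              Long sleeps on their own are weak evidence (installers and updaters stall too); the combination that matters here is stalling plus VM fingerprinting followed by an MZ-prefixed write at 0x400000 into a freshly created copy of the same image, which is why the verdict requires both the evasion and the injection indicators before calling the sample an evasive loader.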