Edit tour

Windows Analysis Report
fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Overview

General Information

Sample name:	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe renamed because original name is a hash value
Original sample name:	fiyati_teklif 615TBI507_ ACCADO san tic_ Siparii jpeg docx .exe
Analysis ID:	1586806
MD5:	3e9b50da2409b41170a088fc4bb0e5f1
SHA1:	7cbeabc06f45357344cdc6c876a1ecdb90b685da
SHA256:	6964e678bccc61457b0d3f3ea6264d7c1e92d33802fffbb59f2f3c15f9dc5656
Tags:	exeuser-lowmal3
Infos:

Detection

PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe (PID: 7472 cmdline: "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe" MD5: 3E9B50DA2409B41170A088FC4BB0E5F1)

powershell.exe (PID: 7672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe (PID: 7680 cmdline: "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe" MD5: 3E9B50DA2409B41170A088FC4BB0E5F1)

fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe (PID: 7696 cmdline: "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe" MD5: 3E9B50DA2409B41170A088FC4BB0E5F1)

WerFault.exe (PID: 7296 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 1520 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat id": "-4732682041", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat_id": "-4732682041", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1444231240.0000000009CD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1435443149.0000000004B73000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d03b:$a1: get_encryptedPassword 0x2d350:$a2: get_encryptedUsername 0x2ce4b:$a3: get_timePasswordChanged 0x2cf54:$a4: get_passwordField 0x2d051:$a5: set_encryptedPassword 0x2e6f7:$a7: get_logins 0x2e65a:$a10: KeyLoggerEventArgs 0x2e2bf:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3bae73:$a1: get_encryptedPassword 0x3fd893:$a1: get_encryptedPassword 0x4400b3:$a1: get_encryptedPassword 0x3bb188:$a2: get_encryptedUsername 0x3fdba8:$a2: get_encryptedUsername 0x4403c8:$a2: get_encryptedUsername 0x3bac83:$a3: get_timePasswordChanged 0x3fd6a3:$a3: get_timePasswordChanged 0x43fec3:$a3: get_timePasswordChanged 0x3bad8c:$a4: get_passwordField 0x3fd7ac:$a4: get_passwordField 0x43ffcc:$a4: get_passwordField 0x3bae89:$a5: set_encryptedPassword 0x3fd8a9:$a5: set_encryptedPassword 0x4400c9:$a5: set_encryptedPassword 0x3bc52f:$a7: get_logins 0x3fef4f:$a7: get_logins 0x44176f:$a7: get_logins 0x3bc492:$a10: KeyLoggerEventArgs 0x3feeb2:$a10: KeyLoggerEventArgs 0x4416d2:$a10: KeyLoggerEventArgs
Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x64568:$a1: get_encryptedPassword 0x64740:$a2: get_encryptedUsername 0x643a2:$a3: get_timePasswordChanged 0x64492:$a4: get_passwordField 0x6457e:$a5: set_encryptedPassword 0x662b5:$a7: get_logins 0x6622d:$a10: KeyLoggerEventArgs 0x66005:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7696	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7696	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7696	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc1c8:$a1: get_encryptedPassword 0xc4d3:$a2: get_encryptedUsername 0xbfe2:$a3: get_timePasswordChanged 0xc0eb:$a4: get_passwordField 0xc1de:$a5: set_encryptedPassword 0xe678:$a7: get_logins 0xe5db:$a10: KeyLoggerEventArgs 0xe244:$a11: KeyLoggerEventArgsEventHandler
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4b95e00.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.9cd0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.9cd0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4b95e00.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d23b:$a1: get_encryptedPassword 0x2d550:$a2: get_encryptedUsername 0x2d04b:$a3: get_timePasswordChanged 0x2d154:$a4: get_passwordField 0x2d251:$a5: set_encryptedPassword 0x2e8f7:$a7: get_logins 0x2e85a:$a10: KeyLoggerEventArgs 0x2e4bf:$a11: KeyLoggerEventArgsEventHandler
6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b063:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a706:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a963:$a4: \Orbitum\User Data\Default\Login Data 0x3b342:$a5: \Kometa\User Data\Default\Login Data
6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2de65:$s1: UnHook 0x2de6c:$s2: SetHook 0x2de74:$s3: CallNextHook 0x2de81:$s4: _hook
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb405b:$a1: get_encryptedPassword 0xf6a7b:$a1: get_encryptedPassword 0x13929b:$a1: get_encryptedPassword 0xb4370:$a2: get_encryptedUsername 0xf6d90:$a2: get_encryptedUsername 0x1395b0:$a2: get_encryptedUsername 0xb3e6b:$a3: get_timePasswordChanged 0xf688b:$a3: get_timePasswordChanged 0x1390ab:$a3: get_timePasswordChanged 0xb3f74:$a4: get_passwordField 0xf6994:$a4: get_passwordField 0x1391b4:$a4: get_passwordField 0xb4071:$a5: set_encryptedPassword 0xf6a91:$a5: set_encryptedPassword 0x1392b1:$a5: set_encryptedPassword 0xb5717:$a7: get_logins 0xf8137:$a7: get_logins 0x13a957:$a7: get_logins 0xb567a:$a10: KeyLoggerEventArgs 0xf809a:$a10: KeyLoggerEventArgs 0x13a8ba:$a10: KeyLoggerEventArgs
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb4c85:$s1: UnHook 0xf76a5:$s1: UnHook 0x139ec5:$s1: UnHook 0xb4c8c:$s2: SetHook 0xf76ac:$s2: SetHook 0x139ecc:$s2: SetHook 0xb4c94:$s3: CallNextHook 0xf76b4:$s3: CallNextHook 0x139ed4:$s3: CallNextHook 0xb4ca1:$s4: _hook 0xf76c1:$s4: _hook 0x139ee1:$s4: _hook
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13ae7b:$a1: get_encryptedPassword 0x17d89b:$a1: get_encryptedPassword 0x1c00bb:$a1: get_encryptedPassword 0x13b190:$a2: get_encryptedUsername 0x17dbb0:$a2: get_encryptedUsername 0x1c03d0:$a2: get_encryptedUsername 0x13ac8b:$a3: get_timePasswordChanged 0x17d6ab:$a3: get_timePasswordChanged 0x1bfecb:$a3: get_timePasswordChanged 0x13ad94:$a4: get_passwordField 0x17d7b4:$a4: get_passwordField 0x1bffd4:$a4: get_passwordField 0x13ae91:$a5: set_encryptedPassword 0x17d8b1:$a5: set_encryptedPassword 0x1c00d1:$a5: set_encryptedPassword 0x13c537:$a7: get_logins 0x17ef57:$a7: get_logins 0x1c1777:$a7: get_logins 0x13c49a:$a10: KeyLoggerEventArgs 0x17eeba:$a10: KeyLoggerEventArgs 0x1c16da:$a10: KeyLoggerEventArgs
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13baa5:$s1: UnHook 0x17e4c5:$s1: UnHook 0x1c0ce5:$s1: UnHook 0x13baac:$s2: SetHook 0x17e4cc:$s2: SetHook 0x1c0cec:$s2: SetHook 0x13bab4:$s3: CallNextHook 0x17e4d4:$s3: CallNextHook 0x1c0cf4:$s3: CallNextHook 0x13bac1:$s4: _hook 0x17e4e1:$s4: _hook 0x1c0d01:$s4: _hook
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ba053:$a1: get_encryptedPassword 0x3fca73:$a1: get_encryptedPassword 0x43f293:$a1: get_encryptedPassword 0x3ba368:$a2: get_encryptedUsername 0x3fcd88:$a2: get_encryptedUsername 0x43f5a8:$a2: get_encryptedUsername 0x3b9e63:$a3: get_timePasswordChanged 0x3fc883:$a3: get_timePasswordChanged 0x43f0a3:$a3: get_timePasswordChanged 0x3b9f6c:$a4: get_passwordField 0x3fc98c:$a4: get_passwordField 0x43f1ac:$a4: get_passwordField 0x3ba069:$a5: set_encryptedPassword 0x3fca89:$a5: set_encryptedPassword 0x43f2a9:$a5: set_encryptedPassword 0x3bb70f:$a7: get_logins 0x3fe12f:$a7: get_logins 0x44094f:$a7: get_logins 0x3bb672:$a10: KeyLoggerEventArgs 0x3fe092:$a10: KeyLoggerEventArgs 0x4408b2:$a10: KeyLoggerEventArgs
0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3bac7d:$s1: UnHook 0x3fd69d:$s1: UnHook 0x43febd:$s1: UnHook 0x3bac84:$s2: SetHook 0x3fd6a4:$s2: SetHook 0x43fec4:$s2: SetHook 0x3bac8c:$s3: CallNextHook 0x3fd6ac:$s3: CallNextHook 0x43fecc:$s3: CallNextHook 0x3bac99:$s4: _hook 0x3fd6b9:$s4: _hook 0x43fed9:$s4: _hook
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe", ParentImage: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, ParentProcessId: 7472, ParentProcessName: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe", ProcessId: 7672, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe", ParentImage: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, ParentProcessId: 7472, ParentProcessName: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe", ProcessId: 7672, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Avira: detected

Antivirus detection for URL or domain

Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: phishing
Source: http://aborters.duckdns.org:8081	Avira URL Cloud: Label: phishing
Source: http://varders.kozow.com:8081	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat_id": "-4732682041", "Version": "4.4"}
Source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat id": "-4732682041", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Unpacked PE file: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.ce0000.0.unpack

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbn source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630488283.0000000001736000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630907951.00000000017E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630488283.0000000001736000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERA608.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbP source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630488283.0000000001736000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb4 source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.pdbMZ source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Xml.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.pdbTz source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdb source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630488283.0000000001736000.00000004.00000020.00020000.00000000.sdmp, WERA608.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630488283.0000000001736000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Core.pdb" source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.ni.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERA608.tmp.dmp.12.dr

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Code function: 4x nop then jmp 12900C93h

0_2_12900239

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: unknown

DNS query: name: checkip.dyndns.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: checkip.dyndns.org

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003307000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003307000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1434287481.000000000372C000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7696, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_031407F4 NtQueryInformationProcess,		0_2_031407F4
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03149C09 NtQueryInformationProcess,		0_2_03149C09

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_031483D9	0_2_031483D9
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03149A00	0_2_03149A00
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_0314A130	0_2_0314A130
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_031426B0	0_2_031426B0
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03143590	0_2_03143590
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03141468	0_2_03141468
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03149337	0_2_03149337
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03149350	0_2_03149350
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_031413C0	0_2_031413C0
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03145AE0	0_2_03145AE0
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_0314A120	0_2_0314A120
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_031499F0	0_2_031499F0
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03145890	0_2_03145890
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03145880	0_2_03145880
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_031408D0	0_2_031408D0
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03145678	0_2_03145678
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03145688	0_2_03145688
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_031486B0	0_2_031486B0
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_031486C0	0_2_031486C0
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03143517	0_2_03143517
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03148D18	0_2_03148D18
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_031444B9	0_2_031444B9
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03148CD4	0_2_03148CD4
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03145CC0	0_2_03145CC0
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_031444C8	0_2_031444C8
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F7C350	0_2_09F7C350
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F779F0	0_2_09F779F0
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F7C3AC	0_2_09F7C3AC
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F7D5B1	0_2_09F7D5B1
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F75648	0_2_09F75648
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F7563F	0_2_09F7563F
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F838E7	0_2_09F838E7
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F80730	0_2_09F80730
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F86648	0_2_09F86648
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F8C9D8	0_2_09F8C9D8
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F82C68	0_2_09F82C68
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F8AE78	0_2_09F8AE78
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F8AE69	0_2_09F8AE69
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F8B2B0	0_2_09F8B2B0
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F8C5A0	0_2_09F8C5A0
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F8D498	0_2_09F8D498
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F80448	0_2_09F80448
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F80439	0_2_09F80439
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F8072F	0_2_09F8072F
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F86638	0_2_09F86638
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_12902178	0_2_12902178
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 6_2_018839F0	6_2_018839F0
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 6_2_01883E09	6_2_01883E09
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 6_2_018829EC	6_2_018829EC

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 1520

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1444231240.0000000009CD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000000.1396944301.0000000000DBC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIQbz.exe: vs fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004B73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1434287481.000000000377C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1432365642.00000000011BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1445503652.000000000D4D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Binary or memory string: OriginalFilenameIQbz.exe: vs fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7696, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/11@1/1

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.log

Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7696
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Mutant created: \Sessions\1\BaseNamedObjects\heoNtRrAUmycrUH

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hsmlomam.xlm.ps1

Jump to behavior

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

File read: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process created: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process created: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 1520
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process created: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process created: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"	Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbn source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630488283.0000000001736000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630907951.00000000017E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630488283.0000000001736000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERA608.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbP source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630488283.0000000001736000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb4 source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.pdbMZ source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Xml.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.pdbTz source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdb source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630488283.0000000001736000.00000004.00000020.00020000.00000000.sdmp, WERA608.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630488283.0000000001736000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Core.pdb" source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.ni.pdb source: WERA608.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERA608.tmp.dmp.12.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Unpacked PE file: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.ce0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Unpacked PE file: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.ce0000.0.unpack

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_03148B89 push ecx; retf	0_2_03148B8A
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F72BCE push eax; iretd	0_2_09F72BCF
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F753B4 push ebx; iretd	0_2_09F753C7
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Code function: 0_2_09F8EE08 pushad ; iretd	0_2_09F8EE09

Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Static PE information: section name: .text entropy: 7.568644152152716

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	File created: \fiyati_teklif 615tbi507_ accado san tic_ sipari#u015fi jpeg docx .exe
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	File created: \fiyati_teklif 615tbi507_ accado san tic_ sipari#u015fi jpeg docx .exe
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	File created: \fiyati_teklif 615tbi507_ accado san tic_ sipari#u015fi jpeg docx .exe
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	File created: \fiyati_teklif 615tbi507_ accado san tic_ sipari#u015fi jpeg docx .exe
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	File created: \fiyati_teklif 615tbi507_ accado san tic_ sipari#u015fi jpeg docx .exe	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	File created: \fiyati_teklif 615tbi507_ accado san tic_ sipari#u015fi jpeg docx .exe	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	File created: \fiyati_teklif 615tbi507_ accado san tic_ sipari#u015fi jpeg docx .exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472, type: MEMORYSTR

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: 3310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: 57F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: 67F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: 6920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: 7920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: EDD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: FDD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: 10260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: 11260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: 1840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Memory allocated: 18A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5667			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4049			Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe TID: 7496	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7892	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1630488283.0000000001736000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Memory written: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process created: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Process created: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"	Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Queries volume information: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Queries volume information: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4b95e00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.9cd0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.9cd0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4b95e00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1444231240.0000000009CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1435443149.0000000004B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7696, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7696, type: MEMORYSTR

Source: Yara match	File source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7696, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4b95e00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.9cd0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.9cd0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4b95e00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1444231240.0000000009CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1435443149.0000000004B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7696, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 6.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4ebbe18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4e34ff8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.4bb5e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe PID: 7696, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.XWorm
fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	100%	Avira	HEUR/AGEN.1309493
fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	phishing
http://aborters.duckdns.org:8081	100%	Avira URL Cloud	phishing
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	Avira URL Cloud	safe
http://varders.kozow.com:8081	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checkip.dyndns.com	132.226.8.169	true	false		high
checkip.dyndns.org	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aborters.duckdns.org:8081	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://upx.sf.net	Amcache.hve.12.dr	false		high
http://checkip.dyndns.org	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003307000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003307000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1434287481.000000000372C000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://varders.kozow.com:8081	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://checkip.dyndns.org/q	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586806
Start date and time:	2025-01-09 16:39:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe renamed because original name is a hash value
Original Sample Name:	fiyati_teklif 615TBI507_ ACCADO san tic_ Siparii jpeg docx .exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/11@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 56 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 23.56.254.164, 52.149.20.212, 20.190.159.23
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe, PID 7696 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Simulations

Behavior and APIs

Time	Type	Description
10:40:01	API Interceptor	1x Sleep call for process: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe modified
10:40:03	API Interceptor	9x Sleep call for process: powershell.exe modified
10:40:23	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	132.224.247.83
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fiyati_teklif 61_9b3f9204fc23af452eebf8d04d2286f116ccaa_dca9ff1b_feeb8f7a-e277-4a2c-ad0c-11151d4b8816\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.139370676300173
Encrypted:	false
SSDEEP:	192:b+obXbgT0BU/Ca6ce36izuiFcHZ24IO8dt:KobXbgABU/CarVizuiFcHY4IO8d
MD5:	AFC4EED7060D215AD37572FE6488ECCF
SHA1:	8C4055E9C6DB706A7D8120F2324A119880AC983A
SHA-256:	3643C48BE6E5644D79DCEE0893B65B21E00490AE43E49F969E821C15F1A8744F
SHA-512:	9F8E40EA8F42C61E0A2E7952B65C34C16E6FBBC157C039A466A332318AE357C631FCB02513DDC81CC56CB63F46E00C0D1C93C7348D2487CE2C0EE2F03AFB0DEC
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.1.0.8.1.9.3.5.1.0.4.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.1.0.8.1.9.8.8.2.2.8.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.e.e.b.8.f.7.a.-.e.2.7.7.-.4.a.2.c.-.a.d.0.c.-.1.1.1.5.1.d.4.b.8.8.1.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.e.3.a.1.e.0.-.e.b.b.e.-.4.5.5.9.-.a.4.f.0.-.9.f.0.2.0.8.9.c.0.6.0.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.y.a.t.i._.t.e.k.l.i.f. .6.1.5.T.B.I.5.0.7._. .A.C.C.A.D.O. .s.a.n. .t.i.c._. .S.i.p.a.r.i.#.U.0.1.5.f.i. .j.p.e.g. .d.o.c.x.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.Q.b.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.1.0.-.0.0.0.1.-.0.0.1.4.-.a.9.a.6.-.5.8.b.f.a.c.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.6.2.f.4.2.f.d.2.9.0.0.1.1.2.e.0.b.4.d.0.5.c.e.d.c.3.4.7.e.7.7.0.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA608.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 9 15:40:19 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	274552
Entropy (8bit):	3.703449988822458
Encrypted:	false
SSDEEP:	3072:BAK6Llhpt4uEqpEg5LTgS0yVT3639Nd1CYnBEYM/od:aKslhpt4IFTgS0yVTK72K
MD5:	26A63B9EF25C68D4AD3334A4C58F3EAE
SHA1:	4B0E7FE0952A660179948F0A76CFBDD8D33055AA
SHA-256:	0D3480067F5070FA97B4CBFC054B80D1B7BE79E657D821B5BC86A5496DD97E15
SHA-512:	F114190BB13590850A3CBFD13E6CEBE1BC43F463C48C6A2ECE1F28DF120009707FC63F15E60AE9F3B9DCBD5BB5FA0F237378D8F7CFB6F59BEAB3C33007DB3956
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g............D...............X.......<....#......t%...T..........`.......8...........T............;..............,$...........&..............................................................................eJ.......&......GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA751.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6530
Entropy (8bit):	3.743438661463887
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbg26XozY64xuQE/Ge0t5aM4U089bfKsfbU1m:R6l7wVeJg268Y640kpr089bfKsfbU1m
MD5:	5E1C9B64DCC53B24AC0F4421394BF171
SHA1:	38BED4B9633EDA5835C450B91BA7DCFA8A5886AB
SHA-256:	40F24BA1E7CED0F2FA38B93026E1EFAF1345E2BE0DF68C6220A49F83B59DF6B2
SHA-512:	C707FB21E3D8B3FE692ED4445291B586987841418A47F4533EFA33175B9837A3647B6615BE4AA5E5CF6C89FE38BD1F950845E2E8D0A3A179353D7DE726EE1869
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA781.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4914
Entropy (8bit):	4.58796773204682
Encrypted:	false
SSDEEP:	48:cvIwWl8zseJg77aI9AzWpW8VYrYm8M4J+xIxtjFP+q8Lxk2pk20x3tpx33d:uIjfUI7iC7VXJ+xIx3uxTpk20x3Dx33d
MD5:	8DD45D45749ACCF1FD81D5B60BF098CE
SHA1:	3FBCB49BDB88FBE845C06235B25112F4A56DB993
SHA-256:	2BAE8534645D8E59FCCF323FEA59978332E7D7A31571B4D30523E63E3BAD0794
SHA-512:	34B014638E7BE68FCACC4EB8E316C90ABF376004E408B9D15F8A5D2101796DD8E6778624845228F3103C88142874F270AF7C492FC641A554E76C274FCF12E48E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668563" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.log

Download File

Process:	C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	8B21C0FDF91680677FEFC8890882FD1F
SHA1:	E15AC7685BFC89F63015C29DE7F6BCE7A1A9F0E7
SHA-256:	E2F188397C73C8150EE6F09E833E4D1ABA01293CCFDFED61981F5F66660731F9
SHA-512:	1EFDF56115A8688CA2380F3047A28CA3E03C74369C3A377050066A56B8171AD756F7DD7AA29F5648A84D16812D1B422749259ED47447713E9B3A0834CE361BE7
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.354777075714867
Encrypted:	false
SSDEEP:	24:3gWSKco4KmZjKbmOIKod6emN1s4RPQoU99t7J0gt/NKIl9iagu:QWSU4xympjms4RIoU99tK8NDv
MD5:	F614CCA1D985910D63FFFF70966F53F5
SHA1:	A9BD00A65E13088BD96A2420E289487CD07D9D4C
SHA-256:	3714147C391F57DCDB11C8D0E7076367B3BD1D628A5FB73E2BEE67B99F034157
SHA-512:	AE362137DA68C2853EB39BC2EC5A6AD2361689225F28337F0738617D6DB986E4BCF985FE12E910405E621CE407B4E6AF3308ADDDE4F9D81E02F2ED8E27831CAE
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hsmlomam.xlm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmyo41tx.q0o.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryu2gzrd.uey.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whdye43u.gop.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372667601340581
Encrypted:	false
SSDEEP:	6144:xFVfpi6ceLP/9skLmb0GyWWSPtaJG8nAge35OlMMhA2AX4WABlguNTiL:3V1gyWWI/glMM6kF75q
MD5:	67F5846CECBB7EA2D171B9BD5064048C
SHA1:	E0C41EAA846A5ABC08E9A8EB8A5357D080AC33B9
SHA-256:	2C2605F5C850A9B426100FAD9444319C82CE32C665507734D60C533507DC0769
SHA-512:	CC21931368674CC23F363A6E30B19C69217426670785757BEDBA4CED4CC2AC30F3DE1E9091517821EB30E1AF882B7278CAB607BD00036226926160C1EC9A6433
Malicious:	false
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....b..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.557333673165223
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
File size:	894'976 bytes
MD5:	3e9b50da2409b41170a088fc4bb0e5f1
SHA1:	7cbeabc06f45357344cdc6c876a1ecdb90b685da
SHA256:	6964e678bccc61457b0d3f3ea6264d7c1e92d33802fffbb59f2f3c15f9dc5656
SHA512:	91a2bc914c3b798c88c9af73e38ea76e1321ecb273778e46af3d9a2ef24b626f3b40c1247b286383febe5044773f8113ef706cbed2262c831043b10b820fcf72
SSDEEP:	12288:fFCuDcWYMV+I4MVKWkUcfiuQ0PBgyxJbDfkDfbZtgpktca+ewex9VlVQn1Zrpj:FYGRgxxpWcJbsZqU+e/7VlVE
TLSH:	D7159C092352E4CDD0D749BC54A3FFB791011D494622C2C247EEB9AB7AAB98E790F1C7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%}g..............0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	46992606071d1a94

Static PE Info

General

Entrypoint:	0x4da8be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677D2588 [Tue Jan 7 13:00:56 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xda86c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xdc000	0x19c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd88c4	0xd8a00	5328f04dd985e4fa2a3d416701abcf68	False	0.8161222410559723	data	7.568644152152716	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xdc000	0x19c0	0x1a00	2adfa802a5e51abdafad9210f8116601	False	0.2737379807692308	data	3.9083455018494364	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0xc	0x200	9dd0bf0ed9feac27c7076e07c56c9993	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xdc148	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.3953900709219858
RT_ICON	0xdc5b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.21693245778611633
RT_GROUP_ICON	0xdd658	0x22	data	0.9411764705882353
RT_GROUP_ICON	0xdd67c	0x22	data	0.9411764705882353
RT_VERSION	0xdd6a0	0x31c	data	0.4321608040201005

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 16:40:03.778392076 CET	49708	80	192.168.2.8	132.226.8.169
Jan 9, 2025 16:40:03.783426046 CET	80	49708	132.226.8.169	192.168.2.8
Jan 9, 2025 16:40:03.783508062 CET	49708	80	192.168.2.8	132.226.8.169
Jan 9, 2025 16:40:03.783703089 CET	49708	80	192.168.2.8	132.226.8.169
Jan 9, 2025 16:40:03.788558006 CET	80	49708	132.226.8.169	192.168.2.8
Jan 9, 2025 16:40:19.374141932 CET	80	49708	132.226.8.169	192.168.2.8
Jan 9, 2025 16:40:19.421976089 CET	49708	80	192.168.2.8	132.226.8.169
Jan 9, 2025 16:40:24.983536005 CET	49708	80	192.168.2.8	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 16:40:03.758990049 CET	55936	53	192.168.2.8	1.1.1.1
Jan 9, 2025 16:40:03.766453028 CET	53	55936	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 16:40:03.758990049 CET	192.168.2.8	1.1.1.1	0xf90a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 16:40:03.766453028 CET	1.1.1.1	192.168.2.8	0xf90a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 16:40:03.766453028 CET	1.1.1.1	192.168.2.8	0xf90a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:40:03.766453028 CET	1.1.1.1	192.168.2.8	0xf90a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:40:03.766453028 CET	1.1.1.1	192.168.2.8	0xf90a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:40:03.766453028 CET	1.1.1.1	192.168.2.8	0xf90a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:40:03.766453028 CET	1.1.1.1	192.168.2.8	0xf90a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	132.226.8.169	80	7696	C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:40:03.783703089 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:40:19.374141932 CET	697	IN	HTTP/1.1 504 Gateway Time-out Date: Thu, 09 Jan 2025 15:40:19 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	10:40:00
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"
Imagebase:	0xce0000
File size:	894'976 bytes
MD5 hash:	3E9B50DA2409B41170A088FC4BB0E5F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1444231240.0000000009CD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1435443149.0000000004B73000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1435443149.0000000004BB5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:40:02
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"
Imagebase:	0x960000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:40:02
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"
Imagebase:	0x370000
File size:	894'976 bytes
MD5 hash:	3E9B50DA2409B41170A088FC4BB0E5F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:40:02
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:40:02
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe"
Imagebase:	0xf30000
File size:	894'976 bytes
MD5 hash:	3E9B50DA2409B41170A088FC4BB0E5F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.1629459951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.1631438046.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:40:19
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 1520
Imagebase:	0x190000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	9.1%
Total number of Nodes:	186
Total number of Limit Nodes:	8

Executed Functions

Function 031407F4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 03149CC5

Strings

qMOW, xrefs: 03149C35

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: InformationProcessQuery
String ID: qMOW
API String ID: 1778838933-141267435
Opcode ID: 12790099bd5e44830b59f97287fe0d20a15da2769bbbc8669a1789b49de54572
Instruction ID: da66ec55113c4a0b7980201c4f8a25cac5f8172c180ac97d558b1b7491663739
Opcode Fuzzy Hash: 12790099bd5e44830b59f97287fe0d20a15da2769bbbc8669a1789b49de54572
Instruction Fuzzy Hash: 294154B9D042589FCB10CFAAD984A9EFBF5BB49310F14902AE918B7310D375A945CF68

Function 03149C09 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 03149CC5

Strings

qMOW, xrefs: 03149C35

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: InformationProcessQuery
String ID: qMOW
API String ID: 1778838933-141267435
Opcode ID: 746a69a65915b928babe436d8c34ad4b47653d165b5999805c76b3ac12913281
Instruction ID: 95506b890664a35b73339a51841cda5b1572f2c1d759e102e2b6b696ea3455d9
Opcode Fuzzy Hash: 746a69a65915b928babe436d8c34ad4b47653d165b5999805c76b3ac12913281
Instruction Fuzzy Hash: 2E4157B9D042589FCF10CFA9D984ADEFBB5BB59310F24A02AE814B7310D335A946CF64

Function 0314A130 Relevance: 2.8, Strings: 2, Instructions: 254COMMON

Download Yara Rule

Strings

:+NB, xrefs: 0314A3ED
[hL, xrefs: 0314A4DD

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: CloseHandle
String ID: :+NB$[hL
API String ID: 2962429428-3337694584
Opcode ID: cdd8de237e1dbac9821458ebb74b11e2de2cb791085b8e98f8984ac9f7a9e1dd
Instruction ID: a4788fd659edf25e824a162081608d57eb5b6a727a1dfe53d0d78ff20b551c78
Opcode Fuzzy Hash: cdd8de237e1dbac9821458ebb74b11e2de2cb791085b8e98f8984ac9f7a9e1dd
Instruction Fuzzy Hash: 72B13670D45218CFDB28CFA5D9846ADBBB6FF8C300F2198A9D40ABB254DB359980CF54

Function 0314A120 Relevance: 2.7, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

:+NB, xrefs: 0314A3ED
[hL, xrefs: 0314A4DD

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: :+NB$[hL
API String ID: 0-3337694584
Opcode ID: 29d1f94a00ba5ccd0142f16ef113664851a8d0fe4d82eeb8c9158178a90f829f
Instruction ID: a27bd823694a1736e395312fe1a9764a04390abb1ea8614d86c9c63e19fbf7a0
Opcode Fuzzy Hash: 29d1f94a00ba5ccd0142f16ef113664851a8d0fe4d82eeb8c9158178a90f829f
Instruction Fuzzy Hash: 4AB13670D45218CFDB28CFA5C940AAEBBB6FF8C300F2594AAC406BB250DB359980CF55

Function 031483D9 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

">EY, xrefs: 0314843B
uE}, xrefs: 03148473

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: uE}$">EY
API String ID: 0-2935044547
Opcode ID: d65bef77c2174fb9ebb7355c11a903a031297fbc9b9047d0fb199af279fc8419
Instruction ID: 1754950bc8ceba523e16f5b93037e283fbda03f2638731a9f6b75e78d99ff7fb
Opcode Fuzzy Hash: d65bef77c2174fb9ebb7355c11a903a031297fbc9b9047d0fb199af279fc8419
Instruction Fuzzy Hash: 5B8124B4E01209DFDB48CFA5D5806AEFBB2FF88340F64846AC416AB354D7359A42CF51

Function 09F80730 Relevance: 2.3, Strings: 1, Instructions: 1029COMMON

Download Yara Rule

Strings

\ lw, xrefs: 09F80B39

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: \ lw
API String ID: 0-2684086738
Opcode ID: 0c9c13f8ad199a889fa8184474b99cd62740a35bb10231df30c126614fc7bf59
Instruction ID: 6b415c701448f917334b22f260b9e74154d516e68adf8d8dce8c43919140048c
Opcode Fuzzy Hash: 0c9c13f8ad199a889fa8184474b99cd62740a35bb10231df30c126614fc7bf59
Instruction Fuzzy Hash: 29B2C075E00628CFDB64DF69C984AD9BBB2FF89304F1581E9D509AB221DB319E85CF40

Function 03143517 Relevance: 1.6, Strings: 1, Instructions: 345COMMON

Download Yara Rule

Strings

MLx, xrefs: 031438CC

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: MLx
API String ID: 0-1359996642
Opcode ID: 582caaf6532a7fc0e1abe2b1e4fb7758636b4a960cfa4c2e6795356de18727a9
Instruction ID: cb06182bb00444d63afffc20d378d854aef325f1ff7e8d9be4da3c6e3de3805a
Opcode Fuzzy Hash: 582caaf6532a7fc0e1abe2b1e4fb7758636b4a960cfa4c2e6795356de18727a9
Instruction Fuzzy Hash: 42E13974E0420ADFDB08CFA9C4818AEFBB2FF89310B55C955D425AB214D734DA92CFA4

Function 03143590 Relevance: 1.6, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

MLx, xrefs: 031438CC

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: MLx
API String ID: 0-1359996642
Opcode ID: b1ce8d93437912c8f7c11f94601424e5d8449321ff234c3c75289cbec683d319
Instruction ID: 87323c9319fe48b70dc0db9bc2dd2d97c465f60ac79e4fc22c1a2d9f92ba9e69
Opcode Fuzzy Hash: b1ce8d93437912c8f7c11f94601424e5d8449321ff234c3c75289cbec683d319
Instruction Fuzzy Hash: 55D11974E0020ADFDB08CF99C5818AEFBB2FF89350B15D959D425AB214D734DA92CFA4

Function 031413C0 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

fw~, xrefs: 03141559

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: fw~
API String ID: 0-3679341647
Opcode ID: f0a0499ffa599d04cf4deae60f363cf11ffe1fdfdde0162a5002a9cdd29fc93d
Instruction ID: 467631720e2dde44deff14d1a9cfe669682e3a12c8eb60ed4762679d14586c11
Opcode Fuzzy Hash: f0a0499ffa599d04cf4deae60f363cf11ffe1fdfdde0162a5002a9cdd29fc93d
Instruction Fuzzy Hash: 48B13674E002488FDB08CFA9D984AEEFBB2EF8D310F18946AD915AB355D7349946CB50

Function 03141468 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

fw~, xrefs: 03141559

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: fw~
API String ID: 0-3679341647
Opcode ID: f55031edf92e2ab47161de344a15e59765823586a4f0670bf089af4a3e040315
Instruction ID: 55185142448611468f08ca80adbb21e3eae577132d19e03218bfb8a95ecbd8fa
Opcode Fuzzy Hash: f55031edf92e2ab47161de344a15e59765823586a4f0670bf089af4a3e040315
Instruction Fuzzy Hash: DE81C174E002189FDB48CFAAD984AAEFBB2FF8D300F14942AD915AB354D7349945CF54

Function 12902178 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447481114.0000000012900000.00000040.00000800.00020000.00000000.sdmp, Offset: 12900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12900000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4bf98f638d1b666eb35ab62d7387614f162714ab6ad8f8a3b917c9fd6ec6c48
Instruction ID: bb4f7a3a35e2a7fc311d766193bf4b8503c8642196bd10b4bf868f46e84ace19
Opcode Fuzzy Hash: b4bf98f638d1b666eb35ab62d7387614f162714ab6ad8f8a3b917c9fd6ec6c48
Instruction Fuzzy Hash: AF329E71B012089FDB49DB69C860BAE77FAAF89704F2444ADE5459B3A0CB34ED05CB51

Function 09F7C350 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445035094.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f70000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20748532b57893e5de04630bb2ac23e1c3fb4e4d7d7cd20082a4a293ab34251e
Instruction ID: 3c292b28e7131cf5c38aaddf997cff26dc6e2c51405c62108e448f441398344e
Opcode Fuzzy Hash: 20748532b57893e5de04630bb2ac23e1c3fb4e4d7d7cd20082a4a293ab34251e
Instruction Fuzzy Hash: EF221831A002198FDB24DF68C884BADF7B1FF48304F1495AAE84AEB355DB70A985CF50

Function 03149A00 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbca8329544a0e4add19750ad7345fac17b76a16c40090067f0736a286fea224
Instruction ID: 7eabe2093c81d014c62ed5554d88237a07a543e2717cf24dcc0e7c68fc4e74b3
Opcode Fuzzy Hash: cbca8329544a0e4add19750ad7345fac17b76a16c40090067f0736a286fea224
Instruction Fuzzy Hash: A7511770E14759CBCB18DFA9C9405DDFBB6FF89300F24962AD419AB214EB306986CF41

Function 031499F0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da59581e9378df5d28672fa9ac11ca35ff1f62f51201b5fa972452256a00e7b
Instruction ID: f25c292734b2a8f834b8c792968904b202ca42b9017371183671e2c64eec2eae
Opcode Fuzzy Hash: 8da59581e9378df5d28672fa9ac11ca35ff1f62f51201b5fa972452256a00e7b
Instruction Fuzzy Hash: 0851F475E14719CBDB18DFA9C9505DDFBB2FF88300F24962AD419AB214EB70A992CF40

Function 031426B0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a080058a79cef330280a049139f4c9422615003506823d9b50b8cf7fdad9260
Instruction ID: e3bb9736c94047e75e8827f13ca4ead4ec4333014e86e3ec5c10efeb0f019791
Opcode Fuzzy Hash: 7a080058a79cef330280a049139f4c9422615003506823d9b50b8cf7fdad9260
Instruction Fuzzy Hash: FB2128B1E006188BEB18CF9AD9547DEFBF3AFC9310F14C56AD408AA254DB340A59CF50

Function 09F838E7 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d25749262eb1267ee43356e5573bff040838d1e993b67027b35267c21b13534
Instruction ID: ef1628ce7ac210fe9d6a024223b287879d73acc2baaf0e3d90ad5e1e57198da4
Opcode Fuzzy Hash: 8d25749262eb1267ee43356e5573bff040838d1e993b67027b35267c21b13534
Instruction Fuzzy Hash: 2421C9B1D046188BEB58DFABC84069EFBF6BFC8300F14C06AC418A7264EB7009468F50

Function 09F86638 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72bebc8a2c5fc15f3044c422446ae592f6d4f8e0878a1ed92929be7b35ca5255
Instruction ID: c12d0f1debbeace51f212156454b96e2b977cae8795dbad47cd3d92ad0338f25
Opcode Fuzzy Hash: 72bebc8a2c5fc15f3044c422446ae592f6d4f8e0878a1ed92929be7b35ca5255
Instruction Fuzzy Hash: B121EDB1E047589FEB58DF678C506AEBBB7AFC9300F04C0BAC518AA264EB3405468F51

Function 09F86648 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b30170e4e6eb7b2dd8a6016cdbeeec039baa6e872679798987801a11110e4cc
Instruction ID: fb31f9e19ce6d695b9db26157f2d6ccf20ba6dbd1f8fee25a8f3f0d7bae1d81d
Opcode Fuzzy Hash: 4b30170e4e6eb7b2dd8a6016cdbeeec039baa6e872679798987801a11110e4cc
Instruction Fuzzy Hash: 51218BB1E046189BEB58DF6BC85479EFAF7AFC9300F04C0B9D519AA264DB3405468F51

Function 12900239 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447481114.0000000012900000.00000040.00000800.00020000.00000000.sdmp, Offset: 12900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12900000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359aa683ac1aa8a427644aaaaa43cf25e59c7b93cff64de5f5f5be6fd165b232
Instruction ID: 9af9329a1fc8525ab4cae67d4c8721902fcaf3f4aad7514abec707e990e9c77b
Opcode Fuzzy Hash: 359aa683ac1aa8a427644aaaaa43cf25e59c7b93cff64de5f5f5be6fd165b232
Instruction Fuzzy Hash: A3E01A36D4D158CBCB109F98E8545E9B77CEB4B220F0421AA9508A3211D7304A98CA05

Function 09F8DD70 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 326
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09F8E03F

Strings

qMOW, xrefs: 09F8DDB3
qMOW, xrefs: 09F8DDE2

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: CreateProcess
String ID: qMOW$qMOW
API String ID: 963392458-233828072
Opcode ID: 390b48ca89884acb7bded93c9f8d059f73d06c94eca2df5ddfe8a74f66b6d997
Instruction ID: eb9ff562fc8ab34a930aac8a186d15c6ee7bcc9b6fdba4ef9b0c2df9e48cbd68
Opcode Fuzzy Hash: 390b48ca89884acb7bded93c9f8d059f73d06c94eca2df5ddfe8a74f66b6d997
Instruction Fuzzy Hash: 0BC11871D0022D8FDB64EFA4C841BEEBBB1BF49300F0095A9E459B7290DB749A85CF95

Function 09F8DD78 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09F8E03F

Strings

qMOW, xrefs: 09F8DDB3
qMOW, xrefs: 09F8DDE2

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: CreateProcess
String ID: qMOW$qMOW
API String ID: 963392458-233828072
Opcode ID: 837cfa499c67c04fca953094f31b9bd671704b2c071504035249baff7b691ec8
Instruction ID: 3c49cdfe69a81198ba2200c776563bff102556e7c04ca5f6699e2d31fca3dc22
Opcode Fuzzy Hash: 837cfa499c67c04fca953094f31b9bd671704b2c071504035249baff7b691ec8
Instruction Fuzzy Hash: E9C10871D0022D8FDB64EFA4C841BEEBBB1BF49310F0095A9E419B7290DB749A85CF95

Function 03148027 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 422
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

qMOW, xrefs: 031482FA

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: qMOW
API String ID: 0-141267435
Opcode ID: 751924646dccc47b5d3a60a4ead82284efba9401fe52e6c7ea3afd9a3c3d3b09
Instruction ID: 192242c937dd21d6ebb735dc55eaa7f987b833c7fbe62337488472d45c65cef4
Opcode Fuzzy Hash: 751924646dccc47b5d3a60a4ead82284efba9401fe52e6c7ea3afd9a3c3d3b09
Instruction Fuzzy Hash: 0CE171B7D012059FCB14CFA8D9C1AD9FBB1BF6E324B1E4156C8546F206E332A652CB91

Function 09F75E21 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 09F75F23

Strings

qMOW, xrefs: 09F75E50

Memory Dump Source

Source File: 00000000.00000002.1445035094.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f70000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: DrawText
String ID: qMOW
API String ID: 2175133113-141267435
Opcode ID: 365dc2b5f020acca6f9f133cf1b93dde9d3eae7fc174e08e18f7805ccdc8128e
Instruction ID: dbef095f71c162521cd445085aed3837e23032cafdbf60851aea362b9513c079
Opcode Fuzzy Hash: 365dc2b5f020acca6f9f133cf1b93dde9d3eae7fc174e08e18f7805ccdc8128e
Instruction Fuzzy Hash: 545155B8D002589FDB10CFA9D984ADEFBF1BB09310F24902AE818BB361D335A945CF54

Function 09F75E28 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 09F75F23

Strings

qMOW, xrefs: 09F75E50

Memory Dump Source

Source File: 00000000.00000002.1445035094.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f70000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: DrawText
String ID: qMOW
API String ID: 2175133113-141267435
Opcode ID: b061eaba048d7ee3aa99b7bba1be5a8b31b30c927db247470201ff1a095ca659
Instruction ID: 1049dd393a79a4a57c8136b2302d5509557d2e2bbce12d243ca26a6d09be6eb0
Opcode Fuzzy Hash: b061eaba048d7ee3aa99b7bba1be5a8b31b30c927db247470201ff1a095ca659
Instruction Fuzzy Hash: 755144B9D012589FDB10CFAAD984ADEFBF5BB09310F24902AE818BB311D335A945CF54

Function 0314E564 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0314FEC9

Strings

qMOW, xrefs: 0314FE16

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: Create
String ID: qMOW
API String ID: 2289755597-141267435
Opcode ID: e0cfeadd0fee7f122c2f19f2eb42c276b19a76b392df8a5c7e4725db82d4bd9c
Instruction ID: 0d7e5b8d94ac2e7d12734db113e634bde3836e1084eb41bd8ac3f9d439d74866
Opcode Fuzzy Hash: e0cfeadd0fee7f122c2f19f2eb42c276b19a76b392df8a5c7e4725db82d4bd9c
Instruction Fuzzy Hash: 2D51E2B1D00719DFDB20DFA5C844B9EBBF5AF49700F1080AAD509BB251DB716A89CF91

Function 09F8D9E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09F8DAC3

Strings

qMOW, xrefs: 09F8DA12

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: MemoryProcessWrite
String ID: qMOW
API String ID: 3559483778-141267435
Opcode ID: 946a97ce862f2aeff1886be416dadb66a8f418ae8b7dfd094c5026a6f3da2ebc
Instruction ID: a3da629242686d4ef6205ee7e1284d322633996f2f2abb44f42c16e30a4831a6
Opcode Fuzzy Hash: 946a97ce862f2aeff1886be416dadb66a8f418ae8b7dfd094c5026a6f3da2ebc
Instruction Fuzzy Hash: DE41A9B4D012589FCF00DFA9D980ADEBBF5BF49310F24942AE818B7250D775AA45CF64

Function 09F8D9F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09F8DAC3

Strings

qMOW, xrefs: 09F8DA12

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: MemoryProcessWrite
String ID: qMOW
API String ID: 3559483778-141267435
Opcode ID: a2657dafcae03c339a1cdb796548f2e2437b5ab42c9ab2ff120d0d2b64c5500a
Instruction ID: ebaccab9c13372479e54270b16d72fefaf180af1d4075e6658e71146ce56bcc8
Opcode Fuzzy Hash: a2657dafcae03c339a1cdb796548f2e2437b5ab42c9ab2ff120d0d2b64c5500a
Instruction Fuzzy Hash: E341A8B4D012589FCF00DFA9D980AEEBBF5BB49310F24942AE818B7250D735AA45CB64

Function 09F8DB40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09F8DBFA

Strings

qMOW, xrefs: 09F8DB6A

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: MemoryProcessRead
String ID: qMOW
API String ID: 1726664587-141267435
Opcode ID: b9c5bfef8df6a46b5c38bd9eb61495b48c59ed6043dcfdfa6c2f7db11a44a318
Instruction ID: 83ab7639cd0402f89727d0f50fbce441d2578ddef98826659490335fbaff44ba
Opcode Fuzzy Hash: b9c5bfef8df6a46b5c38bd9eb61495b48c59ed6043dcfdfa6c2f7db11a44a318
Instruction Fuzzy Hash: 3341B9B9D002589FCF10CFA9D884AEEFBB5BF49310F14A42AE815B7250C775A945CF64

Function 09F8DB48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09F8DBFA

Strings

qMOW, xrefs: 09F8DB6A

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: MemoryProcessRead
String ID: qMOW
API String ID: 1726664587-141267435
Opcode ID: 4b9acb193e1a9c34f798c074f29f763fcc49bda036342114ae5ca30d0302854c
Instruction ID: 6bd370c782b83a9aa92e01d9120d25cd2a3221cd2da2888092167839ff607133
Opcode Fuzzy Hash: 4b9acb193e1a9c34f798c074f29f763fcc49bda036342114ae5ca30d0302854c
Instruction Fuzzy Hash: 7041B8B9D002589FCF10DFAAD884AEEFBB5BF49310F14942AE814B7250C775A945CF68

Function 09F8D8C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09F8D97A

Strings

qMOW, xrefs: 09F8D8EA

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: AllocVirtual
String ID: qMOW
API String ID: 4275171209-141267435
Opcode ID: 1cf511738d8221a816a8953365c1ccc95a2d7e82a5f20cf20af2fd5ab7088811
Instruction ID: 74c8004b24a06df6781e597aaf9e803d25e5b1ed32b5786c9323779d35681136
Opcode Fuzzy Hash: 1cf511738d8221a816a8953365c1ccc95a2d7e82a5f20cf20af2fd5ab7088811
Instruction Fuzzy Hash: 4B3198B8D042589FCF10DFA9D880A9EFBB5BF49310F10942AE818B7250D735A901CF54

Function 09F8D8D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09F8D97A

Strings

qMOW, xrefs: 09F8D8EA

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: AllocVirtual
String ID: qMOW
API String ID: 4275171209-141267435
Opcode ID: 7c1515b67b008c37deada2cc0d3f0579661c93503aaf750c8f1d872778e6cf15
Instruction ID: 4ccec52a6fdcccf0928130c9c8ff0c9900cd9d8f2487b32e8a43fd3165ba46df
Opcode Fuzzy Hash: 7c1515b67b008c37deada2cc0d3f0579661c93503aaf750c8f1d872778e6cf15
Instruction Fuzzy Hash: BE3187B9D002589FCF10DFA9D880AAEFBB5BF49310F10A42AE815B7350D735A905CF54

Function 09F8D368 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 09F8D41F

Strings

qMOW, xrefs: 09F8D38F

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: ContextThreadWow64
String ID: qMOW
API String ID: 983334009-141267435
Opcode ID: de50ed3a55779d517a765ff8f3923321e7435696985da4486ab906b9d258086d
Instruction ID: 4fdef5a9e3aad3a810fd3b797460da6621a8800d61b64511089ef487d754488a
Opcode Fuzzy Hash: de50ed3a55779d517a765ff8f3923321e7435696985da4486ab906b9d258086d
Instruction Fuzzy Hash: 9F41CAB4D012589FDB14DFA9D885AEEFBF1BF48310F24802AE819B7290C738A945CF54

Function 09F8D370 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 09F8D41F

Strings

qMOW, xrefs: 09F8D38F

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: ContextThreadWow64
String ID: qMOW
API String ID: 983334009-141267435
Opcode ID: bae8674e3a31d47e6abbad40b23a409ab5ef44a95ef97be2902c5ee66307c6d8
Instruction ID: b35e4574bda27e6bfb99935fb426bf050b52731d09cc03dc866466850754f7af
Opcode Fuzzy Hash: bae8674e3a31d47e6abbad40b23a409ab5ef44a95ef97be2902c5ee66307c6d8
Instruction Fuzzy Hash: B231CCB4D012589FDB14DFAAD884AEEFBF1BF48310F24802AE415B7280C738A945CF54

Function 031482D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0314837F

Strings

qMOW, xrefs: 031482FA

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: ProtectVirtual
String ID: qMOW
API String ID: 544645111-141267435
Opcode ID: 167b058222b4b17e2245519621740c7849f00a1aa5c019e4a9e1e4f6f29665d3
Instruction ID: d96a8ba3a461fd442c4c96abfeaed7377af045e5986031ac45a984747d9b36aa
Opcode Fuzzy Hash: 167b058222b4b17e2245519621740c7849f00a1aa5c019e4a9e1e4f6f29665d3
Instruction Fuzzy Hash: 1E3197B9D002589FCB10CFAAD880ADEFBF1BB49310F24902AE818B7310D775A945CF64

Function 12901308 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 129013AB

Strings

qMOW, xrefs: 1290132D

Memory Dump Source

Source File: 00000000.00000002.1447481114.0000000012900000.00000040.00000800.00020000.00000000.sdmp, Offset: 12900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12900000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: MessagePost
String ID: qMOW
API String ID: 410705778-141267435
Opcode ID: d63dc7e0f44cb87b84c1edcfae4e67cd79309dd026f5973097411621bd7061a5
Instruction ID: cbe320f6fdd8ffef3109e65af062aab31b9ee328eb5461c420a2acf447c6d8e6
Opcode Fuzzy Hash: d63dc7e0f44cb87b84c1edcfae4e67cd79309dd026f5973097411621bd7061a5
Instruction Fuzzy Hash: 653158B9D012589FCB14CFA9D580ADEFBF5BB49310F14901AE815B7320D375A945CF54

Function 12901310 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 129013AB

Strings

qMOW, xrefs: 1290132D

Memory Dump Source

Source File: 00000000.00000002.1447481114.0000000012900000.00000040.00000800.00020000.00000000.sdmp, Offset: 12900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12900000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: MessagePost
String ID: qMOW
API String ID: 410705778-141267435
Opcode ID: 56a653fa7c92e1131c44601bbc222c3b72c256f92e004e60ba0b15fad341eb52
Instruction ID: 58dbe70d003942e17e2f6af0820a48f1acced9df2edabf46b9a322d83de76de4
Opcode Fuzzy Hash: 56a653fa7c92e1131c44601bbc222c3b72c256f92e004e60ba0b15fad341eb52
Instruction Fuzzy Hash: B13146B9D05258AFCF10CFA9D580ADEFBF5AB49310F24901AE818B7310D775A945CF64

Function 03149D1C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 0314B31A

Strings

qMOW, xrefs: 0314B2A2

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: DebugOutputString
String ID: qMOW
API String ID: 1166629820-141267435
Opcode ID: 6aae90e162d3eca8d5022821c6b1763b9741e68db0ecd1d5783fd05101da28d1
Instruction ID: 4daf058a137b457bfc96c1f999cac3851f055b4ebe445f558145b6bb3f97fffe
Opcode Fuzzy Hash: 6aae90e162d3eca8d5022821c6b1763b9741e68db0ecd1d5783fd05101da28d1
Instruction Fuzzy Hash: 6931CAB4D042499FCB14CFAAD984ADEFBF5AF48310F14902AE858B7320D774A945CFA4

Function 09F8D279 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 77threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 09F8D2FE

Strings

qMOW, xrefs: 09F8D29A

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: ResumeThread
String ID: qMOW
API String ID: 947044025-141267435
Opcode ID: b4a29786da490ae10f302d6523f572a4a5d4863321271b225cf40386cc498f36
Instruction ID: ba245068b8031bfde421c0c495256b52b41586eb005a1dc2248743f412dcb807
Opcode Fuzzy Hash: b4a29786da490ae10f302d6523f572a4a5d4863321271b225cf40386cc498f36
Instruction Fuzzy Hash: FA31C9B4D012599FDF14DFAAD880AAEFBF5AF49310F14942AE815B7340CB35A901CF94

Function 09F8D280 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 09F8D2FE

Strings

qMOW, xrefs: 09F8D29A

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: ResumeThread
String ID: qMOW
API String ID: 947044025-141267435
Opcode ID: f939ede6f7951fa12f85af8dcf5595b559f81d4df901d9ac0e4a0a22b3cc6126
Instruction ID: cb03c21333ebe3474bd05f658df7051cb0481cd9e14b04939b3124aad0682a05
Opcode Fuzzy Hash: f939ede6f7951fa12f85af8dcf5595b559f81d4df901d9ac0e4a0a22b3cc6126
Instruction Fuzzy Hash: 8931A7B4D012199FDF14DFAAD880AAEFBB5AF49310F14942AE815B7340CB35A901CFA4

Function 03149D44 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0314B3F6

Strings

qMOW, xrefs: 0314B395

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID: CloseHandle
String ID: qMOW
API String ID: 2962429428-141267435
Opcode ID: 990cc9693893cb830adf72817b3ac830360edc0b4eb5e40d52a92d39c539de41
Instruction ID: 05d9f160ee1f8e61c099cf4caba31ac9e93ad5a61623957798079237c49cd1b2
Opcode Fuzzy Hash: 990cc9693893cb830adf72817b3ac830360edc0b4eb5e40d52a92d39c539de41
Instruction Fuzzy Hash: 8A31BBB4D04259DFCB10CFAAD484AEEFBF4AB49310F14906AE915B3350D374A945CFA4

Function 02F6D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1433487717.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f6d000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44ce6b572e1833ff0a5436212800867581bddf88b1747778f49ba311153f2ca
Instruction ID: c471561f2b81ac2abbff89f93efa10f4999ccacc973b2a57ca6f27f5c95f9b6e
Opcode Fuzzy Hash: d44ce6b572e1833ff0a5436212800867581bddf88b1747778f49ba311153f2ca
Instruction Fuzzy Hash: BE212572704344DFDB04DF14D9C8B26BF65FB88368F248169EA090B756C336D856CBA2

Function 02F7D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1433557986.0000000002F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f7d000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c6d2822711ddf70f05e42a1baaa4098f4c9cb0646c12ef89c92e039c609f1e
Instruction ID: 2fab6c6c16f8b576f3e17309f168e8dbbb8f7590a145c19364e5043ae4763a7f
Opcode Fuzzy Hash: 28c6d2822711ddf70f05e42a1baaa4098f4c9cb0646c12ef89c92e039c609f1e
Instruction Fuzzy Hash: FA212571A04304DFEB04DF10D9C0B15BB61FF98314F60C56EDA494B242C336D407CA61

Function 02F7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1433557986.0000000002F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f7d000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f58b43b9c47ce7f34f3429a7331d653aa304533ed8ad922d2454ff9fb4df77
Instruction ID: 7739a8eb5348223e9860926edc3e1615e50af9486d9c3939eb0f9ef2c694f3c2
Opcode Fuzzy Hash: 38f58b43b9c47ce7f34f3429a7331d653aa304533ed8ad922d2454ff9fb4df77
Instruction Fuzzy Hash: 70212276604300DFDB14DF10D984B16BB61FF84B14F60C56EDA0A0B28AC33AD407CA62

Function 02F7D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1433557986.0000000002F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f7d000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e1b85e749dfc12af746d45dfb84d6c0ec3a9d2dfa2edecc93b7e95bacc402d
Instruction ID: 06e9b281ad3e3b04dfb9a1b367b2d5bf4a807cc0b2ad9f4b693a6ee4e00dfe8a
Opcode Fuzzy Hash: 45e1b85e749dfc12af746d45dfb84d6c0ec3a9d2dfa2edecc93b7e95bacc402d
Instruction Fuzzy Hash: 4B2150755093808FCB12CF24D994715BF71EF46614F28C5EBD9498B6A7C33A980ACB62

Function 02F6D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1433487717.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f6d000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: f9cc00e40df7c676e78ea490e1f8429ef9f592f93935d34a61ec4d281b41fe5b
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 1811D376A04284CFCB15CF14D5C4B26BF72FB88328F24C6A9D9094B756C33AD856CBA1

Function 02F7D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1433557986.0000000002F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f7d000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: d1afacf6a4086be652668608c89d1924624f2e1609dfc737c4683d5a693cb7e4
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: C111BB75904280DFCB05CF10C9C0B15BBA2FF84224F28C6AED9494B296C33AD41ACB61

Non-executed Functions

Function 03145890 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

\-'K, xrefs: 03145A7F
0e&, xrefs: 031459EB
0e&, xrefs: 031459E4
0e&, xrefs: 03145A02

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: 0e&$0e&$0e&$\-'K
API String ID: 0-2311737308
Opcode ID: 6682106d2c4f7fb66dc4193b78479affa8983933445cd2cf5e5711123a8da674
Instruction ID: 9db165a92eec088148df9bd7bac3c0121e980c954f980c76f3ddfae21547ca65
Opcode Fuzzy Hash: 6682106d2c4f7fb66dc4193b78479affa8983933445cd2cf5e5711123a8da674
Instruction Fuzzy Hash: AA61E274E1521ADFCB08CFAAC5949DEFBF2FB89210F24942AE415B7214D7309A42CB64

Function 03145880 Relevance: 5.2, Strings: 4, Instructions: 159COMMON

Download Yara Rule

Strings

\-'K, xrefs: 03145A7F
0e&, xrefs: 031459EB
0e&, xrefs: 031459E4
0e&, xrefs: 03145A02

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: 0e&$0e&$0e&$\-'K
API String ID: 0-2311737308
Opcode ID: 931d50f0ce5e4d10c8d38802f694a4a39380ca9d45bed7e986084bb1da092f09
Instruction ID: 048cbf66cc1a5a921ff02f51297e002408753bd8a0f13fc384aa87ca0807bc2c
Opcode Fuzzy Hash: 931d50f0ce5e4d10c8d38802f694a4a39380ca9d45bed7e986084bb1da092f09
Instruction Fuzzy Hash: 2961E374E1521A8FCB08CFAAC9949EEFBF2FF89210F24942AD415F7254D7309A41CB64

Function 031444C8 Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

}'|k, xrefs: 031445B4
}'|k, xrefs: 031445A6

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: }'|k$}'|k
API String ID: 0-2488349039
Opcode ID: 047b3053cd2d0821a1ed63d2753896b1637c6af852da034b982d4225b19da157
Instruction ID: 1df6dc9c71d13cd4f06519ec574cc7120b61534a8e1f4f5494ea91e08bc70d9f
Opcode Fuzzy Hash: 047b3053cd2d0821a1ed63d2753896b1637c6af852da034b982d4225b19da157
Instruction Fuzzy Hash: 2671E274E01209DFCB48CF9AD584A9EFBF1FF88311F14956AE415AB224DB30AA41CF54

Function 031444B9 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

}'|k, xrefs: 031445B4

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: }'|k
API String ID: 0-3707336978
Opcode ID: cda6c757355afeff5e3b0d826b81c08fac499ec197e3b3416c70a31e04fbe790
Instruction ID: 6b7509eb9d772ec86608dcf48a729740d0965285a0b6ffa70fae9eac61d63399
Opcode Fuzzy Hash: cda6c757355afeff5e3b0d826b81c08fac499ec197e3b3416c70a31e04fbe790
Instruction Fuzzy Hash: 9C71E274E052099FCB48CFAAD58499EFBF1FF88310F14956AE415AB224DB30AA41CF54

Function 03149350 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

jPo@, xrefs: 031493CA

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: jPo@
API String ID: 0-2379927603
Opcode ID: b0f8e1f6d520e78f8fc28702c27154617741ab2cf9231f11857ff24cc087564f
Instruction ID: 2683f4b918797f6a166a953cd9c3b3467e1b483ded4c03e2425ead0b6ab6e547
Opcode Fuzzy Hash: b0f8e1f6d520e78f8fc28702c27154617741ab2cf9231f11857ff24cc087564f
Instruction Fuzzy Hash: 43717F70E002299BDB14CFAAC6805AEFBB6FF89305F24C169D819B7345D7309942CFA1

Function 03149337 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

jPo@, xrefs: 031493CA

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: jPo@
API String ID: 0-2379927603
Opcode ID: 9696d2f78cae0a0f278a5873611025970c9f1f24dfb45b842fdb1c7cbff42a99
Instruction ID: 06fb53a45e0c1ffa92ed5050705c497f6b7d3b2a6f9e6ce2aa631c889c41ad01
Opcode Fuzzy Hash: 9696d2f78cae0a0f278a5873611025970c9f1f24dfb45b842fdb1c7cbff42a99
Instruction Fuzzy Hash: 38719170E002598BDB14CFAAC5805AEFBB2FF89301F24C16AD809A7345D7309D42CF61

Function 03145CC0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

qMOW, xrefs: 03147FD8

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: qMOW
API String ID: 0-141267435
Opcode ID: 5d701291f91a3d9d486550706a9fe5b63c6506cbc5f8398b8cdfbadf3b2b4961
Instruction ID: 02bd8849e602753020523bb786366e82ba876f8327ac9453426357cf5a711300
Opcode Fuzzy Hash: 5d701291f91a3d9d486550706a9fe5b63c6506cbc5f8398b8cdfbadf3b2b4961
Instruction Fuzzy Hash: D4417F71E006188BDB58CF6B8D4479AFBF3AFC9300F14C1BA851CA6265EB3049468F51

Function 03145688 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

0\-;, xrefs: 0314574C

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: 0\-;
API String ID: 0-635978658
Opcode ID: a65c45c915c1cf98c65ed2473947f39c7dc64f62385cbee73844f9e1b28e093d
Instruction ID: 17802b500d03ffa1793a474f5fd042f7390595d0bbabb058e26670edb246bb1d
Opcode Fuzzy Hash: a65c45c915c1cf98c65ed2473947f39c7dc64f62385cbee73844f9e1b28e093d
Instruction Fuzzy Hash: 9D41E5B4D0520ADBCB08CFA9C5805EEFBF2BB99311F64D56AC419BB214E7349A41CF64

Function 03145678 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

0\-;, xrefs: 0314574C

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID: 0\-;
API String ID: 0-635978658
Opcode ID: aae42ea14380d0d3422b80c27fa7fdac21c463ffa75ce7ced2ef159e712b8004
Instruction ID: 1019cb82410c017afb453de3e12fad48d97bb80b479af3077930d5cac3ec4673
Opcode Fuzzy Hash: aae42ea14380d0d3422b80c27fa7fdac21c463ffa75ce7ced2ef159e712b8004
Instruction Fuzzy Hash: 064124B4E0520ADBDB08CFA9C5805EEFBF2FB99311F64C56AC414BB254D7349A81CB64

Function 09F75648 Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445035094.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f70000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542b59d60949f7f0157f636b2c5b76ec923a6d497d032aea088340db1d284118
Instruction ID: 2a7de8590fe969922a2aa601b02f3df75b852728ee23bcd560c19bdf8551ffca
Opcode Fuzzy Hash: 542b59d60949f7f0157f636b2c5b76ec923a6d497d032aea088340db1d284118
Instruction Fuzzy Hash: 27325170E103189FEB54EF69C8547AEBBB2FF88340F1485AAD409AB345DB349D45CBA1

Function 09F8C9D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52259e7dfae52a3a9de559651ce484f685cd63b8fcdf75b2f342d95f701e19dc
Instruction ID: 634064a2f9233c6f66b205c4543a0e7d21ed14fd4628f49a6a566efe99366001
Opcode Fuzzy Hash: 52259e7dfae52a3a9de559651ce484f685cd63b8fcdf75b2f342d95f701e19dc
Instruction Fuzzy Hash: 44E10774E006198FDB14DFA9C580AAEFBB2FF89305F248169E454AB355D730AD42CFA0

Function 09F8AE78 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df1907e0cc5e59d1388468f420478575343b244b6587cf297b71fd77196475b
Instruction ID: 6bf774dcc2c848afc33d51a72850993d22e3d7676876c0fbdb72af977cff8f27
Opcode Fuzzy Hash: 4df1907e0cc5e59d1388468f420478575343b244b6587cf297b71fd77196475b
Instruction Fuzzy Hash: 7AE10A74E106198FDB14DFA9C580AAEFBB2FF89305F248169E414AB355D731AD42CF60

Function 09F8B2B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d9263b94d8a36a96a7a30e64c34fb24ed64702e74825d49b3b10f5f2d6bcf
Instruction ID: 23521e6caf6b7a38ce3aeab0c05889d9ebaf02cb2c05149dc0755125c3ce9cb8
Opcode Fuzzy Hash: e75d9263b94d8a36a96a7a30e64c34fb24ed64702e74825d49b3b10f5f2d6bcf
Instruction Fuzzy Hash: A5E10974E006198FDB14DFA9C580AAEFBB2FF89305F24816AE414AB355D735AD42CF60

Function 09F8C5A0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84715b88c6518a1966b7afde89ae09e5ede4aba5f12f960846660d2e98e1742
Instruction ID: d39956db0c076b826e4bb6147e8c842606df0485e1438444e515ab2640e42e8f
Opcode Fuzzy Hash: a84715b88c6518a1966b7afde89ae09e5ede4aba5f12f960846660d2e98e1742
Instruction Fuzzy Hash: FCE10A74E002198FDB14DFA9C580AAEFBB2FF89305F248169E454AB355D730AD42CFA0

Function 09F8D498 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d430da23ebd3d07be9ce326404663cf3c287667181acf459be4e0984df48895
Instruction ID: dda851f3da8450e814b75df704b171a72e69fe837b716267201b2a64e368d69b
Opcode Fuzzy Hash: 7d430da23ebd3d07be9ce326404663cf3c287667181acf459be4e0984df48895
Instruction Fuzzy Hash: CDE1E974E002198FDB14DFA9C580AAEFBB2FF89315F248169D418AB395D730AD42CF61

Function 09F779F0 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445035094.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f70000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6282a7d80ebc6409dd11b96dd256cad4eded2559490c8fc89976bcfda8f2b895
Instruction ID: f9db213fc1d39433a7879f1ddfbf0f8ede90daf603d87553857e5b3f14698b1f
Opcode Fuzzy Hash: 6282a7d80ebc6409dd11b96dd256cad4eded2559490c8fc89976bcfda8f2b895
Instruction Fuzzy Hash: ABC14931E103189FDB15DFA5C88079EFBB2BF88310F14C5AAE449AB255DB74A985CF90

Function 09F7563F Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445035094.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f70000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de282fa78a8f6a495f8f84ec4f777cb1224b02bada76a49355866ec2d77eb7a7
Instruction ID: bbf2d8dd101d5829472f5a0694e07fdd92ca712931ec7da02e03191c36c9ce48
Opcode Fuzzy Hash: de282fa78a8f6a495f8f84ec4f777cb1224b02bada76a49355866ec2d77eb7a7
Instruction Fuzzy Hash: A8C13931E103189FDB15DFA5C88479EFBB2BF88310F14C5AAE449AB255DB74A984CF90

Function 09F8072F Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e9926335cb86038e5990f576a5aafef07695fec4114a2008c620b3f10046ef
Instruction ID: d44e6f62d2b4ab4b07ac051c8d894fd8728ecaf838c7307cfc9fced467f79e14
Opcode Fuzzy Hash: 49e9926335cb86038e5990f576a5aafef07695fec4114a2008c620b3f10046ef
Instruction Fuzzy Hash: 42B16275E006588FDB58DF6AC944ADDBBF2BF88301F14C1EAD909AB364DB305A858F50

Function 09F7C3AC Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445035094.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f70000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c877b7036f1a4b766edfa1addd98a2c8554705a7424b1ee7279ebcde3f9b15dd
Instruction ID: 15b6ab07d700ab4406f0f8b610cd8853ebeba9ffe5741279868dd60a3a4ed473
Opcode Fuzzy Hash: c877b7036f1a4b766edfa1addd98a2c8554705a7424b1ee7279ebcde3f9b15dd
Instruction Fuzzy Hash: 4F91F671E106198FCB54CF69C980A9DF7F1BF89304F6492AAE419EB351EB70A981CF40

Function 09F7D5B1 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445035094.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f70000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c5cb0947dce2d274da993144c932e03687dd8cf3f6ccd903e9cdc4a872cd5f
Instruction ID: 1bf23437af290e80b2c043101cc4c12d2b6d938fdba03ffd5179d00fdba33d67
Opcode Fuzzy Hash: 77c5cb0947dce2d274da993144c932e03687dd8cf3f6ccd903e9cdc4a872cd5f
Instruction Fuzzy Hash: 6291F671E106198FCB54CF69C980A9DF7B1BF88304F6492AAE419EB351EB70A981CF40

Function 09F82C68 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae8125256ec622c424868facf7170ef8de4128bcc4a90b69ed472afca0e1765
Instruction ID: 4bed5cfeec5b0e292efcfac6b79a0b541b06d0fe116485e1276f42356ab6bec2
Opcode Fuzzy Hash: 1ae8125256ec622c424868facf7170ef8de4128bcc4a90b69ed472afca0e1765
Instruction Fuzzy Hash: EA611672D09208CFDF54DFA9D444AEEBBB6FF8A390F109029E429A7211DB346946CF50

Function 031486C0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4268c231c333e21c5855a62e6c15e7f0c77f14f9b6f3edf8ddd7b83b0dd3c449
Instruction ID: e928f4e4d858ff9bff977fe0af5a867f41c114dba54c749da3f11ee702ef847d
Opcode Fuzzy Hash: 4268c231c333e21c5855a62e6c15e7f0c77f14f9b6f3edf8ddd7b83b0dd3c449
Instruction Fuzzy Hash: 7471F974E042299FDB14CFA9D990AAEFBB2FF88300F1491A9D809A7315D7319D41CF51

Function 09F80439 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750dd7b392ec1aa180781b7361deecea19bfbd8ed6d091f38d3ac5cd18384928
Instruction ID: 0abb0aa4729e4033b61d34da526e7193b50b13dffbe18330cadce170182f060a
Opcode Fuzzy Hash: 750dd7b392ec1aa180781b7361deecea19bfbd8ed6d091f38d3ac5cd18384928
Instruction Fuzzy Hash: 56612971E00648CFDB08DF6AE85069ABBF3FFC8310F14C12AD406AB264EB7559169F52

Function 031486B0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bdd5b32cb4f628e4fcdeed8119e07665bbf25f4bdea75532844c1bfdc972aee
Instruction ID: fc57b2b4d251bf6dd7d8504548fe17f200f7bdcc24e312f2a6216c04dc276f88
Opcode Fuzzy Hash: 7bdd5b32cb4f628e4fcdeed8119e07665bbf25f4bdea75532844c1bfdc972aee
Instruction Fuzzy Hash: 1B710674E042299FDB14CFA9C990AAEFBB2FF88300F1491A9D809A7355D7319D81CF61

Function 09F80448 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4ca6b8c940acd3f65d10a2eeb25776b2aae59a7bc3c64214bf937709d11616
Instruction ID: 65170d6c926b918ed96c157e2d0a738d35a9cd52fc633fead1c6983d985f0f2a
Opcode Fuzzy Hash: de4ca6b8c940acd3f65d10a2eeb25776b2aae59a7bc3c64214bf937709d11616
Instruction Fuzzy Hash: 3A610971E00648CFDB48DF6AE85069ABBF3FFC8310F14C12AD405AB264EB7559169F92

Function 09F8AE69 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445094076.0000000009F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f80000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a531cda9b124be87fb21c5de1d7fc76ebf1e812a5ff510e3c3ded0bf9f0691f9
Instruction ID: d974b45c50473b07112b8771d3f30031b177bc2d58f03905594444c07e144f43
Opcode Fuzzy Hash: a531cda9b124be87fb21c5de1d7fc76ebf1e812a5ff510e3c3ded0bf9f0691f9
Instruction Fuzzy Hash: A55105B4E102198FDB14DFA9C5815AEBBF2FF89305F24816AD418AB316D7319D42CFA1

Function 03145AE0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce47a0624d022d9fe6f98752992f97d67a4fe59bfb9cb9b4b9ce54ec835b74eb
Instruction ID: 374bcb29134510cbdd94a07ad1cd86fe288ac8f5e95f58b6de9b303ece060377
Opcode Fuzzy Hash: ce47a0624d022d9fe6f98752992f97d67a4fe59bfb9cb9b4b9ce54ec835b74eb
Instruction Fuzzy Hash: F141E7B0E0460A9BCB48CFA9C5815AEFBF3FB89300F64C569D406B7244D7349A45CBA4

Function 031408D0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b9daf97da701f8704efad62405c92839c84728f70d44bed3b87e094b669d63
Instruction ID: a2a608b0f66ed8c588b04cfb897ee3023b9eecac0936ef4353ed4a22f34647f4
Opcode Fuzzy Hash: d3b9daf97da701f8704efad62405c92839c84728f70d44bed3b87e094b669d63
Instruction Fuzzy Hash: 9531EAB1E016189BEB58CFABD85079EFBF7BFC9200F04C0BAD518A6254EB304A558F51

Function 03148CD4 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f3813726c7fcbe821f6c968d1c9d635b547aabdfbcbe62b6af50b177bffe8d
Instruction ID: bce8f39954fc6c7511faa9e23eb6a94f3168df9f6d9b8bbe4ee8374c520c3009
Opcode Fuzzy Hash: 47f3813726c7fcbe821f6c968d1c9d635b547aabdfbcbe62b6af50b177bffe8d
Instruction Fuzzy Hash: 31314C71E016598FDB18CFBAD884A9EFBB3AFC9200F18C0AAD404AB255D7304902CF51

Function 03148D18 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434124585.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3140000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2094b84567ac3f1c17cee411e60fe632f3df4b89f7dbfe2758869646aedadd71
Instruction ID: edc386ab7ab5aa7a5925ff7ebabd9a732b3a988910bf09bea3e4c8ec5dc185fc
Opcode Fuzzy Hash: 2094b84567ac3f1c17cee411e60fe632f3df4b89f7dbfe2758869646aedadd71
Instruction Fuzzy Hash: 9A2106B1E116199BDB18CFAAD9406EEFBF7BFC9210F14C13AD408A7254EB304A018B51

Analysis Process: fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exePID: 7696, Parent PID: 7472COMMON

Executed Functions

Function 018829EC Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1631039929.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1880000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce8a0040f127c01818a23a30b9cd607cf70e5258e839dd77355e116b53eaca5
Instruction ID: 934fd90622d964db9d13f1c5aac272dba4c29f51594cb906ff7a90100c69e683
Opcode Fuzzy Hash: 1ce8a0040f127c01818a23a30b9cd607cf70e5258e839dd77355e116b53eaca5
Instruction Fuzzy Hash: 50F1F33190B3D5CFD7639F3C885069ABFB1AF5B614B1844EEC881DB227C6354A1AC762

Function 018839F0 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1631039929.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1880000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28cc161d0c1f52e45c5cd0b74cd2dbb8a9fc3a6618cc0df7e307d0ef0e847f1
Instruction ID: 53100ea6817c53a760e2fb181d6b828502c7724adc2b52bd72aee6c1ae9496a2
Opcode Fuzzy Hash: a28cc161d0c1f52e45c5cd0b74cd2dbb8a9fc3a6618cc0df7e307d0ef0e847f1
Instruction Fuzzy Hash: 89B1E33250B7C1DFD7679F388896626BFB0AF5721431C04DEC882CF22BC6298919C756

Function 01883E09 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1631039929.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1880000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0fa583f34503df4f04cb7e214b54c84411861e8f62bd52a5f0b5127989a543
Instruction ID: d2f57b40f80f9facb344faef7e0c82e207d0b10b22244d8fe1b0b7ee189fe805
Opcode Fuzzy Hash: 3f0fa583f34503df4f04cb7e214b54c84411861e8f62bd52a5f0b5127989a543
Instruction Fuzzy Hash: 9A91B335B04219DFDB58ABB5985437FBBA7BFC8700B15956EE402E7388CE3589028792

Function 01880C8F Relevance: .5, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1631039929.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1880000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523f382df66524fa2aa42dc6f7fcf5498abe21d82efe295aff6b37c21fed9d77
Instruction ID: 07aac46501b4fe84550d04c857986f6a5b749575b68066dcc90c666b75b1125f
Opcode Fuzzy Hash: 523f382df66524fa2aa42dc6f7fcf5498abe21d82efe295aff6b37c21fed9d77
Instruction Fuzzy Hash: 3052EA78A01319CFDB64EF68ED98A9DBBB2FB88301F1051A5E809A7354DB345E81CF51

Function 01880CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1631039929.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1880000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b2297d3c034ff84248a6d9a34af001ffeb3904ed61a6a028bacfd7cd067e64
Instruction ID: 76880d178ee67feef3a3be08702ec48f13679c057227851d646f720ed81fcdea
Opcode Fuzzy Hash: f9b2297d3c034ff84248a6d9a34af001ffeb3904ed61a6a028bacfd7cd067e64
Instruction Fuzzy Hash: 7552DA78A01319CFDB64EF68ED98A9DBBB2FB88301F1051A5E809A7354DB345E81CF51

Function 01882790 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1631039929.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1880000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13388f5a7fc60d79411df6493b7bb4f14e9b6d408c76d051f574f0933003d40
Instruction ID: b40b5838f205d8402c3a6b05e0c088199ee1cd4c35defe76cfef43e953be44a9
Opcode Fuzzy Hash: d13388f5a7fc60d79411df6493b7bb4f14e9b6d408c76d051f574f0933003d40
Instruction Fuzzy Hash: 44313470D093498FDB01EFA8D8846ADBFF5FB4A305F0041AAC405AB265EB340A45CBA2

Function 018828F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1631039929.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1880000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9511826106efb300cc662e9cba0b411734fc57058b4f6915267c3004dc8a19be
Instruction ID: 0122f14d966b67e0e224d9d3b818f904080483c4ad0768c770ec3acc5a9b5a71
Opcode Fuzzy Hash: 9511826106efb300cc662e9cba0b411734fc57058b4f6915267c3004dc8a19be
Instruction Fuzzy Hash: A821A475A00106DFCB15EF28D840AAE77A6EB9D3A0B10C159E809DB344DB31EE42CBD1

Function 018827F0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1631039929.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1880000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905aceba2bb32fcb32d1be4adf043f45f34d3560d848c4fbbbd122ac1454f472
Instruction ID: f1b699373d8835e09ac15a84f6522548896371991aa6d35a42b4718be66242f4
Opcode Fuzzy Hash: 905aceba2bb32fcb32d1be4adf043f45f34d3560d848c4fbbbd122ac1454f472
Instruction Fuzzy Hash: 9621EFB4D0520ACFCB11EFA9D8845EDBBF0FF0A305F10516AD805B6224EB345A85CBA1

Function 018828A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1631039929.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1880000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ee50e1fe37d498307f35528a1f899e1f5b8f2e074b437c4d33383a84d61ef1
Instruction ID: 9e0e48380fd67eeb5374682aabae684d9030b0403f88f9c779d4966618ab9f21
Opcode Fuzzy Hash: d0ee50e1fe37d498307f35528a1f899e1f5b8f2e074b437c4d33383a84d61ef1
Instruction Fuzzy Hash: 14E08676E54766CFCB01E7E0EC440EEBB34AED6212B58465BC06577190EB302658C792

Function 018828B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1631039929.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1880000_fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69decf3e33bf860b7044ad0ff44bbd2f2bf3158a815e25f311a9cfd660212444
Instruction ID: 95853cd4a34060b04074003491279439ef00b1d81410583e0b290ca678964f17
Opcode Fuzzy Hash: 69decf3e33bf860b7044ad0ff44bbd2f2bf3158a815e25f311a9cfd660212444
Instruction Fuzzy Hash: 15D05B31D2022B97CB10E7A5DC044EFF738EED5262B504626D51537140FB712659C6E1

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fiyati_teklif 61_9b3f9204fc23af452eebf8d04d2286f116ccaa_dca9ff1b_feeb8f7a-e277-4a2c-ad0c-11151d4b8816\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA608.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA751.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA781.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hsmlomam.xlm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmyo41tx.q0o.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryu2gzrd.uey.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whdye43u.gop.ps1

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

Windows Analysis Report
fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe

Function 031407F4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
nativeCOMMON

Function 03149C09 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102
nativeCOMMON

Function 09F8DD70 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 326
processCOMMON

Function 09F8DD78 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 321
processCOMMON