Edit tour

Windows Analysis Report
DHRI_kurumsal_kimlik_rehberi-2023.exe

Overview

General Information

Sample Name:	DHRI_kurumsal_kimlik_rehberi-2023.exe
Analysis ID:	1333307
MD5:	f6cbf303899397b7d28e19930d48627d
SHA1:	c3b2d0902bc0724228519030d341294db265f379
SHA256:	2eb8015d95b1f69eca4acc3d64c0ed58125431a19df865a493990025ebe5b40a
Infos:

Detection

GuLoader, Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Snort IDS alert for network traffic

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Writes to foreign memory regions

Tries to steal Mail credentials (via file registry)

Contains functionality to modify clipboard data

Yara detected WebBrowserPassView password recovery tool

Uses dynamic DNS services

Tries to steal Instant Messenger accounts or passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

DHRI_kurumsal_kimlik_rehberi-2023.exe (PID: 8680 cmdline: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe MD5: F6CBF303899397B7D28E19930D48627D)

wab.exe (PID: 8800 cmdline: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 9188 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\edvlu MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 9196 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\pxbdutmxl MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 1820 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rrgwvlxrzapp MD5: 251E51E2FEDCE8BB82763D39D631EF89)

backgroundTaskHost.exe (PID: 9188 cmdline: "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: DA7063B17DBB8BBB3015351016868006)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\paqlgkfs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1125447769.00000000005BF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000001.00000003.1382395875.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.5950608330.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1126111595.000000000555D000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: DHRI_kurumsal_kimlik_rehberi-2023.exe PID: 8680	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: wab.exe PID: 8800	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: wab.exe PID: 8800	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: wab.exe PID: 9188	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 3 entries

Snort Signatures

ETPRO TROJAN GuLoader Encoded Binary Request M2 - Source IP: 192.168.11.20 - Destination IP: 217.147.225.69

Timestamp:	192.168.11.20217.147.225.6949745802855192 10/27/23-16:20:25.826419
SID:	2855192
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Remcos 3.x Unencrypted Checkin - Source IP: 192.168.11.20 - Destination IP: 94.156.6.253

Timestamp:	192.168.11.2094.156.6.2534974624022032776 10/27/23-16:20:30.134330
SID:	2032776
Source Port:	49746
Destination Port:	2402
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Remcos 3.x Unencrypted Server Response - Source IP: 94.156.6.253 - Destination IP: 192.168.11.20

Timestamp:	94.156.6.253192.168.11.202402497462032777 10/27/23-16:26:57.279387
SID:	2032777
Source Port:	2402
Destination Port:	49746
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DHRI_kurumsal_kimlik_rehberi-2023.exe	Virustotal: Detection: 38%			Perma Link
Source: DHRI_kurumsal_kimlik_rehberi-2023.exe	ReversingLabs: Detection: 26%

Yara detected Remcos RAT

Source: Yara match	File source: 00000001.00000003.1382395875.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.5950608330.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED

Antivirus / Scanner detection for submitted sample

Source: DHRI_kurumsal_kimlik_rehberi-2023.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: ourt2949aslumes9.duckdns.org

Virustotal: Detection: 13%

Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Atriocoelomic\Retarded.exe

Avira: detection malicious, Label: HEUR/AGEN.1338455

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Atriocoelomic\Retarded.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\Atriocoelomic\Retarded.exe	Virustotal: Detection: 38%			Perma Link

Source: DHRI_kurumsal_kimlik_rehberi-2023.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: DHRI_kurumsal_kimlik_rehberi-2023.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC
Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_371C10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_371C10F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_371C6580 FindFirstFileExA,	1_2_371C6580
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0040AE51 FindFirstFileW,FindNextFileW,	4_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,	5_2_00407C87
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	6_2_00407898

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855192 ETPRO TROJAN GuLoader Encoded Binary Request M2 192.168.11.20:49745 -> 217.147.225.69:80
Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.11.20:49746 -> 94.156.6.253:2402
Source: Traffic	Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 94.156.6.253:2402 -> 192.168.11.20:49746

Uses dynamic DNS services

Source: unknown

DNS query: name: ourt2949aslumes9.duckdns.org

Source: Joe Sandbox View	ASN Name: NET1-ASBG NET1-ASBG
Source: Joe Sandbox View	ASN Name: GRENA-ASTbilisiGeorgiaGE GRENA-ASTbilisiGeorgiaGE

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 94.156.6.253 94.156.6.253
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: global traffic

HTTP traffic detected: GET /IogvoayYhe139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: gudanidevelopment.geCache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.11.20:49746 -> 94.156.6.253:2402

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253

Source: wab.exe, 00000001.00000002.5979330195.0000000037190000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000006.00000002.1158713515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: wab.exe, 00000004.00000003.1189832373.0000000004800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"bluecurvetv.shaw.ca"},{"applied_policy":"OnlyExposeWidevine","domain":"helix.videotron.com"},{"applied_policy":"OnlyExposeWidevine","domain":"criterionchannel.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}],"version":1},"media_foundation_o
Source: wab.exe, 00000004.00000003.1189832373.0000000004800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"bluecurvetv.shaw.ca"},{"applied_policy":"OnlyExposeWidevine","domain":"helix.videotron.com"},{"applied_policy":"OnlyExposeWidevine","domain":"criterionchannel.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}],"version":1},"media_foundation_o
Source: wab.exe, wab.exe, 00000006.00000002.1158713515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: wab.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wab.exe, 00000004.00000003.1193890837.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1193835218.00000000047EC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.1196417414.00000000047F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginM equals www.facebook.com (Facebook)
Source: wab.exe, 00000004.00000003.1193890837.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1193835218.00000000047EC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.1196417414.00000000047F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginM equals www.yahoo.com (Yahoo)
Source: wab.exe, 00000004.00000002.1196709713.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: n":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}}fre{"autoimport_spartan_visible_item_completed":true,"oem_bookma equals www.facebook.com (Facebook)
Source: wab.exe, 00000004.00000003.1190030376.00000000047F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: u"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}}fre{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"}hardware_acceleration_mode_previoustrueis_dsp_recommendedtruelegacy{"profile":{"name":{"migrated":true}}}migration{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false}network_primary_browser{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}}network_time{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}}os_crypt{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="}policy{"last_statistics_update":"13335737596278882"}profileANg3Zw2QouYXcOw3P8MgEYmqBohsyHX3A0QYKqCpqgaYKnCaImmJqgaoKr2eaJ8Qu6JvhC8IXgC8EXskfsUsie4Rd8IfhC8IXgC8EXgi8EXwi+EHxhm5eAX/CF4Gudt8rtxcmWHtzKEYrlqfPwGMw8n+fDLltVh7rgekAiRnsBdgY/P4Itiocfnljxe+W2ga1bwbr1j/CS/34+f3++b1IqgQeX2IdvZPSDce7EDIYgeJVNpXPeTKuHZ5yVD9wJ0DceUugUaQm3qtju0YTnB5MKDsADH+gwWG2vonWTUqaj9QFb2Dy/bF7sY6I1n2DJHmpa7A/qg4yb4S6NqPJ9AtKm/5KR8b3rp9+LtsdJcYYVbLtPZTteneEulyXk/54QMpAYEW3NtmiWweguM1wR+XqhTdqDDDBykftettEI9cW4grTMwqcc equals www.facebook.com (Facebook)
Source: wab.exe, 00000004.00000003.1189969126.0000000004806000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}}fre{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"}hardware_acceleration_mode_previoustrueis_dsp_recommendedtruelegacy{"profile":{"name":{"migrated":true}}}migration{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false}network_primary_browser{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}}network_time{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}}os_crypt{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="}policy{"last_statistics_update":"13335737596278882"}profile{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20","background_apps":false,"edge_account_cid":"8628dc546dc99469","edge_account_first_name":"Shahak","edge_account_last_name":"Shapira","edge_account_oid":"","edge_account_sovereignty":0,"edge_account_tenant_id":"","edge_account_type":1,"edge_force_signout_state":0,"edge_kids_mode":false,"edge_muid":"243215E5327669D43677068133B66811","edge_previously_signin_user_name":"","edge_signed_in_default_name":33554433,"edge_test_on_premises":false,"edge_wam_aad_for_app_account_type":0,"edge_was_previously_signin":false,"force_signin_profile_locked":false,"gaia_given_name":"","gaia_id
Source: wab.exe, 00000001.00000002.5979154797.0000000037100000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000004.00000002.1195160399.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wab.exe, 00000001.00000002.5979154797.0000000037100000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000004.00000002.1195160399.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: wab.exe, wab.exe, 00000001.00000002.5949539890.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1153623965.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1197885709.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.5950608330.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1382395875.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1382395875.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1382301994.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1140668469.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1197627968.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.5950608330.0000000000B50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 00000001.00000002.5950608330.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1382395875.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpsD
Source: wab.exe, 00000001.00000002.5949539890.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.5965888002.0000000006BA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://gudanidevelopment.ge/IogvoayYhe139.bin
Source: wab.exe, 00000001.00000002.5949539890.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gudanidevelopment.ge/IogvoayYhe139.bin9/Lx
Source: wab.exe, 00000001.00000002.5965888002.0000000006BA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://gudanidevelopment.ge/IogvoayYhe139.binSkorFiltathirchimie.com/IogvoayYhe139.bin
Source: wab.exe, 00000001.00000002.5949539890.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gudanidevelopment.ge/IogvoayYhe139.bini(
Source: DHRI_kurumsal_kimlik_rehberi-2023.exe, Retarded.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wab.exe, wab.exe, 00000006.00000002.1158713515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: wab.exe, wab.exe, 00000006.00000002.1158713515.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000006.00000002.1159360015.000000000348D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: wab.exe, 00000006.00000002.1158852090.0000000000C7C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com/
Source: wab.exe, 00000006.00000002.1159360015.000000000348D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comata
Source: wab.exe, 00000001.00000002.5979330195.0000000037190000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000006.00000002.1158713515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wab.exe, 00000001.00000002.5979330195.0000000037190000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000006.00000002.1158713515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: wab.exe, 00000004.00000002.1195537784.00000000005C3000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: wab.exe, 00000006.00000002.1158713515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.double
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doublecli
Source: wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activ
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activi
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1189969126.000000000480A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1189366332.000000000480A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1190099898.000000000480A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1189044645.000000000480A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1178960196.00000000047FD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1189832373.000000000480A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1181939539.0000000004801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=37393684334
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567
Source: wab.exe, 00000004.00000003.1179503387.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179415642.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1181596502.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180117633.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179673515.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180065246.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179846071.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179767675.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179921984.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180010165.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://adservice.google.co.
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gt
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.html
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.med
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.medi
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/check
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/checks
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php
Source: wab.exe, 00000004.00000003.1177800976.0000000004FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eb2.3lif
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eb2.3lift.com/sync
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1177800976.0000000004FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eb2.3lift.com/sync?
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://get.a
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://get3.adobe
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://get3.adobe.co
Source: wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagea
Source: wab.exe, 00000004.00000003.1181596502.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
Source: wab.exe, 00000004.00000003.1193890837.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179503387.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180824622.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1193835218.00000000047EC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180698751.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180762642.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180592747.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180117633.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180656495.00000000047FD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179673515.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180065246.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179846071.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179767675.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179921984.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180010165.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180941360.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180881677.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211https://googleads.g.doubleclick.net/page
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ib.adnxs.com/async_usersync_file
Source: wab.exe, 00000004.00000002.1195537784.00000000005C3000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: wab.exe, 00000004.00000003.1193463144.0000000004804000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsign
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1194243922.00000000047EC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1194414325.00000000047EE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179010846.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180065246.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179846071.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1193945905.00000000047EC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1193998375.00000000047EC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1178960196.00000000047FD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179767675.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179921984.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180010165.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180941360.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1177800976.0000000004FE1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180881677.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306842&rver=7.0.6730.0&wp=l
Source: wab.exe, 00000004.00000003.1180656495.00000000047FD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1178960196.00000000047FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/pagead/drt/uihttps://www.google.com/recaptcha
Source: wab.exe, 00000004.00000003.1177855988.0000000004800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srfwa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306842&rver=7.0.6730.0&wp=lb
Source: wab.exe, 00000004.00000003.1193463144.0000000004804000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: wab.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.offi
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeap
Source: wab.exe, 00000004.00000003.1179253746.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179503387.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179092234.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1178881545.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1177608543.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180824622.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179415642.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179175840.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1193835218.00000000047EC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180698751.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180762642.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180592747.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180117633.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179673515.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1194243922.00000000047EC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1194414325.00000000047EE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179010846.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180065246.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179846071.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1193945905.00000000047EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179010846.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180065246.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179846071.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1178960196.00000000047FD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179767675.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1179921984.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180010165.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180941360.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1180881677.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://servedby.flashtalking.com/imp/8/106228;3700839;201;jsiframe;Adobe;1000x463DESKTOPACROBATREAD
Source: wab.exe, 00000004.00000003.1177608543.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: wab.exe, 00000004.00000003.1192222584.0000000004804000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1192004868.0000000004803000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1192041280.0000000004803000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1193463144.0000000004804000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1192662040.0000000004804000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.1196559113.0000000004805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.g
Source: wab.exe, 00000004.00000003.1191404293.0000000004806000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tpc.g
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tpc.googlesyndication.com/sodar/sodar2/224/runner.html
Source: wab.exe, 00000004.00000003.1192222584.0000000004804000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1192004868.0000000004803000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1192041280.0000000004803000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1193463144.0000000004804000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1192662040.0000000004804000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.1196559113.0000000004805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.adobe.
Source: wab.exe, wab.exe, 00000006.00000002.1158713515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: wab.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/https://
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/pa
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/pagead/drt/ui
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api2/aframe
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/?ocid=ie
Source: wab.exe, 00000004.00000003.1177608543.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/?ocid=iehp
Source: wab.exe, 00000004.00000003.1177608543.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/https://
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/https://www.msn.com/de-c
Source: wab.exe, 00000004.00000003.1188749590.00000000047FC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1188822284.00000000047FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/ientp
Source: wab.exe, 00000004.00000003.1181692997.00000000047F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1

Source: unknown

DNS traffic detected: queries for: gudanidevelopment.ge

Source: global traffic	HTTP traffic detected: GET /IogvoayYhe139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: gudanidevelopment.geCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

Contains functionality to modify clipboard data

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	4_2_0040987A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	4_2_004098E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00406B9A EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	5_2_00406B9A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00406C3D EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	5_2_00406C3D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	6_2_004068B5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	6_2_004072B5

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

Code function: 0_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405461

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000001.00000003.1382395875.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.5950608330.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED

Source: DHRI_kurumsal_kimlik_rehberi-2023.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040338F

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Code function: 0_2_00404C9E	0_2_00404C9E
Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Code function: 0_2_00406B15	0_2_00406B15
Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Code function: 0_2_004072EC	0_2_004072EC
Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Code function: 0_2_704D1B5F	0_2_704D1B5F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_371D7194	1_2_371D7194
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_371CB5C1	1_2_371CB5C1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00406E8F	4_2_00406E8F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0044B040	4_2_0044B040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0043610D	4_2_0043610D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00447310	4_2_00447310
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0044A490	4_2_0044A490
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0040755A	4_2_0040755A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0043C560	4_2_0043C560
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0044B610	4_2_0044B610
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0044D6C0	4_2_0044D6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_004476F0	4_2_004476F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0044B870	4_2_0044B870
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0044081D	4_2_0044081D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00414957	4_2_00414957
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_004079EE	4_2_004079EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00407AEB	4_2_00407AEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0044AA80	4_2_0044AA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00412AA9	4_2_00412AA9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00404B74	4_2_00404B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00404B03	4_2_00404B03
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0044BBD8	4_2_0044BBD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00404BE5	4_2_00404BE5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00404C76	4_2_00404C76
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00415CFE	4_2_00415CFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00416D72	4_2_00416D72
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00446D30	4_2_00446D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00446D8B	4_2_00446D8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_0040D044	5_2_0040D044
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00405038	5_2_00405038
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_004050A9	5_2_004050A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_0040511A	5_2_0040511A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_004051AB	5_2_004051AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_004382F3	5_2_004382F3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00430575	5_2_00430575
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_0043B671	5_2_0043B671
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_0041F6CD	5_2_0041F6CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_004119CF	5_2_004119CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00439B11	5_2_00439B11
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00438E54	5_2_00438E54
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00412F67	5_2_00412F67
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_0043CF18	5_2_0043CF18
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_004050C2	6_2_004050C2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_004014AB	6_2_004014AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00405133	6_2_00405133
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_004051A4	6_2_004051A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00401246	6_2_00401246
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_0040CA46	6_2_0040CA46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00405235	6_2_00405235
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_004032C8	6_2_004032C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00401689	6_2_00401689
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00402F60	6_2_00402F60

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00412968 appears 78 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00421A32 appears 43 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00416760 appears 69 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 0044407A appears 37 times

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	4_2_0040DD85
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00401806 NtdllDefWindowProc_W,	4_2_00401806
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_004018C0 NtdllDefWindowProc_W,	4_2_004018C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_004016FC NtdllDefWindowProc_A,	5_2_004016FC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_004017B6 NtdllDefWindowProc_A,	5_2_004017B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00402CAC NtdllDefWindowProc_A,	6_2_00402CAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00402D66 NtdllDefWindowProc_A,	6_2_00402D66

Source: DHRI_kurumsal_kimlik_rehberi-2023.exe	Static PE information: Resource name: RT_VERSION type: VAX COFF executable, sections 52, created Sat Mar 7 05:34:56 1970, not stripped, version 79
Source: Retarded.exe.1.dr	Static PE information: Resource name: RT_VERSION type: VAX COFF executable, sections 52, created Sat Mar 7 05:34:56 1970, not stripped, version 79

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process Stats: CPU usage > 6%

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: DHRI_kurumsal_kimlik_rehberi-2023.exe	Virustotal: Detection: 38%
Source: DHRI_kurumsal_kimlik_rehberi-2023.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

File read: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

Jump to behavior

Source: DHRI_kurumsal_kimlik_rehberi-2023.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_5-33003

Source: unknown	Process created: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe
Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\edvlu
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\pxbdutmxl
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rrgwvlxrzapp
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\edvlu	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\pxbdutmxl	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rrgwvlxrzapp	Jump to behavior

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040338F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,		6_2_00410DE1

Source: C:\Program Files (x86)\Windows Mail\wab.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\json[1].json

Jump to behavior

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

File created: C:\Users\user\AppData\Local\Temp\nso5D68.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@10/30@3/3

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

Code function: 0_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404722

Source: wab.exe, wab.exe, 00000004.00000002.1195160399.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wab.exe, wab.exe, 00000005.00000002.1155967863.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wab.exe, 00000001.00000002.5979154797.0000000037100000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000004.00000002.1195160399.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: wab.exe, wab.exe, 00000004.00000002.1195160399.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wab.exe, wab.exe, 00000004.00000002.1195160399.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wab.exe, wab.exe, 00000004.00000002.1195160399.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wab.exe, wab.exe, 00000004.00000002.1195160399.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 4_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,

4_2_004182CE

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 4_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,

4_2_00413D4C

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Mutant created: \Sessions\1\BaseNamedObjects\ourvbpld-RBN2WW

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 4_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,

4_2_0040B58D

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: DHRI_kurumsal_kimlik_rehberi-2023.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.1126111595.000000000555D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1125447769.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHRI_kurumsal_kimlik_rehberi-2023.exe PID: 8680, type: MEMORYSTR

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_371C2806 push ecx; ret	1_2_371C2819
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0044693D push ecx; ret	4_2_0044694D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0044DB70 push eax; ret	4_2_0044DB84
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0044DB70 push eax; ret	4_2_0044DBAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00451D54 push eax; ret	4_2_00451D61
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00444355 push ecx; ret	5_2_00444365
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_004446D0 push eax; ret	5_2_004446E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_004446D0 push eax; ret	5_2_0044470C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_0044AC84 push eax; ret	5_2_0044AC91
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00414060 push eax; ret	6_2_00414074
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00414060 push eax; ret	6_2_0041409C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00414039 push ecx; ret	6_2_00414049
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_004164EB push 0000006Ah; retf	6_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00416553 push 0000006Ah; retf	6_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00416555 push 0000006Ah; retf	6_2_004165C4

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

Code function: 0_2_704D1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_704D1B5F

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File created: C:\Users\user\AppData\Local\Temp\Atriocoelomic\Retarded.exe			Jump to dropped file
Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	File created: C:\Users\user\AppData\Local\Temp\nsa5F2F.tmp\System.dll			Jump to dropped file

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Anfgtendes	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Anfgtendes	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Anfgtendes	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Anfgtendes	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 5_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_004047C6

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 9144	Thread sleep count: 3608 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 9156	Thread sleep count: 72 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 9156	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 9160	Thread sleep count: 5358 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 9160	Thread sleep time: -16074000s >= -30000s	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Thread sleep count: Count: 3608 delay: -5

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 4_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

4_2_0040DD85

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3608	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 5358	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: foregroundWindowGot 1743	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API coverage: 9.7 %

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 4_2_00418981 memset,GetSystemInfo,

4_2_00418981

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC
Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_371C10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_371C10F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_371C6580 FindFirstFileExA,	1_2_371C6580
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0040AE51 FindFirstFileW,FindNextFileW,	4_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 5_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,	5_2_00407C87
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	6_2_00407898

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	API call chain: ExitProcess graph end node	graph_0-4324
Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	API call chain: ExitProcess graph end node	graph_0-4321
Source: C:\Program Files (x86)\Windows Mail\wab.exe	API call chain: ExitProcess graph end node	graph_5-33897

Source: wab.exe, 00000001.00000002.5949539890.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.5950608330.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1382395875.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wab.exe, 00000001.00000002.5950608330.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1382395875.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj{^y

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 1_2_371C2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_371C2639

Source: C:\Program Files (x86)\Windows Mail\wab.exe

4_2_0040DD85

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

Code function: 0_2_704D1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_704D1B5F

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 1_2_371C724E GetProcessHeap,

1_2_371C724E

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 1_2_371C4AB4 mov eax, dword ptr fs:[00000030h]

1_2_371C4AB4

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_371C2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_371C2B1C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_371C2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_371C2639
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_371C60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_371C60E2

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Section loaded: C:\Windows\SysWOW64\mshtml.dll target: C:\Program Files (x86)\Windows Mail\wab.exe protection: read write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2F70000			Jump to behavior
Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 846008			Jump to behavior

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\edvlu	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\pxbdutmxl	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rrgwvlxrzapp	Jump to behavior

Source: wab.exe, wab.exe, 00000001.00000002.5949539890.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.5950608330.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wab.exe, 00000001.00000002.5949539890.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager.ge#)Yy
Source: wab.exe, 00000001.00000002.5949539890.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: wab.exe, 00000001.00000002.5949539890.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerinutes }
Source: wab.exe, 00000001.00000003.1197885709.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.5950608330.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1382395875.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2023/10/27 16:20:29 Program Manager]
Source: wab.exe, 00000001.00000003.1382395875.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerGZMy
Source: wab.exe, 00000001.00000002.5949539890.0000000000B0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe, 00000001.00000002.5950608330.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1382395875.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.5949539890.0000000000B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: wab.exe, 00000001.00000003.1382395875.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagereZ+y_
Source: wab.exe, 00000001.00000002.5950608330.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager6Z\yo

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\310091 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\310091\93fffb702eca4e37b606bf30419ce140_1 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815\ca2cd4307a534aa3a7b05d1057f769f8_1 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\0f3da0446cf043f8ab3902f2b986d480_1 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000045 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000045\c0a8d0766ff9488c9eac5df41c8a7963_1 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1698416486 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1698416486 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\b0454d15817320de552684d74d882dab2ca2413a50bd2d5f8e192b571acd9acc VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\2d8f1ee0594b0733d60f87f18c356edcbafb60793cbbf85ee5b53c05b94b98f9 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\fe8047200d76309026e80bfa5727d99b7c89496fc0bc9fa6a0172bca48506afa VolumeInformation	Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\468083e795ff2e01e87d13d0a2c9fc398387f9033bfecf175932435e4c980362 VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 1_2_371C2933 cpuid

1_2_371C2933

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 1_2_371C2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_371C2264

Source: C:\Users\user\Desktop\DHRI_kurumsal_kimlik_rehberi-2023.exe

0_2_0040338F

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 5_2_00408043 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

5_2_00408043

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000001.00000003.1382395875.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.5950608330.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: ESMTPPassword	5_2_004033E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	5_2_00402DA5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	5_2_00402DA5

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: wab.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wab.exe PID: 9188, type: MEMORYSTR

Tries to steal Instant Messenger accounts or passwords

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 00000001.00000003.1382395875.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.5950608330.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 8800, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Obfuscated Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	212 Process Injection	1 DLL Side-Loading	2 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	1 Masquerading	1 Credentials In Files	28 System Information Discovery	Distributed Component Object Model	11 Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Virtualization/Sandbox Evasion	LSA Secrets	131 Security Software Discovery	SSH	11 Clipboard Data	Data Transfer Size Limits	112 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	212 Process Injection	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHRI_kurumsal_kimlik_rehberi-2023.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
DHRI_kurumsal_kimlik_rehberi-2023.exe