Edit tour

Windows Analysis Report
Yeni Sat#U0131nalma Sipari#U015fi.exe

Overview

General Information

Sample name:	Yeni Sat#U0131nalma Sipari#U015fi.exe renamed because original name is a hash value
Original sample name:	Yeni Satnalma Siparii.exe
Analysis ID:	1636087
MD5:	4c53f0c4feefdb2c41621afbfc08d46d
SHA1:	f9abd3c8a1c2e45688db0066ba97bbcb846b8899
SHA256:	e1a0b0280374abcbbd243e3d9b749b9e976354ed259076e238c45cf821e1e35b
Tags:	exeuser-lowmal3
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Yeni Sat#U0131nalma Sipari#U015fi.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe" MD5: 4C53F0C4FEEFDB2C41621AFBFC08D46D)

powershell.exe (PID: 7736 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8024 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7764 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpB34E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7892 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7904 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

gxgApjCrJAD.exe (PID: 7992 cmdline: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe MD5: 4C53F0C4FEEFDB2C41621AFBFC08D46D)

schtasks.exe (PID: 8116 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 6000 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "darksender@mcnzxz.com", "Password": "Nigeria@2025", "Server": "cphost14.qhoster.net"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.1260972234.0000000003C40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefdf:$a1: get_encryptedPassword 0xf307:$a2: get_encryptedUsername 0xed7a:$a3: get_timePasswordChanged 0xee9b:$a4: get_passwordField 0xeff5:$a5: set_encryptedPassword 0x10951:$a7: get_logins 0x10602:$a8: GetOutlookPasswords 0x103f4:$a9: StartKeylogger 0x108a1:$a10: KeyLoggerEventArgs 0x10451:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.2453914307.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2453416235.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x73e2f:$a1: get_encryptedPassword 0x8ac4f:$a1: get_encryptedPassword 0xa186f:$a1: get_encryptedPassword 0x74157:$a2: get_encryptedUsername 0x8af77:$a2: get_encryptedUsername 0xa1b97:$a2: get_encryptedUsername 0x73bca:$a3: get_timePasswordChanged 0x8a9ea:$a3: get_timePasswordChanged 0xa160a:$a3: get_timePasswordChanged 0x73ceb:$a4: get_passwordField 0x8ab0b:$a4: get_passwordField 0xa172b:$a4: get_passwordField 0x73e45:$a5: set_encryptedPassword 0x8ac65:$a5: set_encryptedPassword 0xa1885:$a5: set_encryptedPassword 0x757a1:$a7: get_logins 0x8c5c1:$a7: get_logins 0xa31e1:$a7: get_logins 0x75452:$a8: GetOutlookPasswords 0x8c272:$a8: GetOutlookPasswords 0xa2e92:$a8: GetOutlookPasswords
Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2669d:$a1: get_encryptedPassword 0x269b6:$a2: get_encryptedUsername 0x2644c:$a3: get_timePasswordChanged 0x2656d:$a4: get_passwordField 0x266b3:$a5: set_encryptedPassword 0x27fb6:$a7: get_logins 0x27c67:$a8: GetOutlookPasswords 0x27a59:$a9: StartKeylogger 0x27f06:$a10: KeyLoggerEventArgs 0x27ab6:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7904	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7904	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7904	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7904	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7904	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x43bed:$a1: get_encryptedPassword 0x43f06:$a2: get_encryptedUsername 0x4399c:$a3: get_timePasswordChanged 0x43abd:$a4: get_passwordField 0x43c03:$a5: set_encryptedPassword 0x45506:$a7: get_logins 0x451b7:$a8: GetOutlookPasswords 0x44fa9:$a9: StartKeylogger 0x45456:$a10: KeyLoggerEventArgs 0x45006:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: gxgApjCrJAD.exe PID: 7992	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: gxgApjCrJAD.exe PID: 7992	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegSvcs.exe PID: 6000	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12397:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11895:$a3: \Google\Chrome\User Data\Default\Login Data 0x11ba3:$a4: \Orbitum\User Data\Default\Login Data 0x1299b:$a5: \Kometa\User Data\Default\Login Data
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12397:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11895:$a3: \Google\Chrome\User Data\Default\Login Data 0x11ba3:$a4: \Orbitum\User Data\Default\Login Data 0x1299b:$a5: \Kometa\User Data\Default\Login Data
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0x25dff:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0x26127:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0x25b9a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0x25cbb:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x25e15:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x27771:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x27422:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x27214:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x276c1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler 0x27271:$a11: KeyLoggerEventArgsEventHandler
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0x25fff:$a1: get_encryptedPassword 0x3cc1f:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0x26327:$a2: get_encryptedUsername 0x3cf47:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0x25d9a:$a3: get_timePasswordChanged 0x3c9ba:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0x25ebb:$a4: get_passwordField 0x3cadb:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x26015:$a5: set_encryptedPassword 0x3cc35:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x27971:$a7: get_logins 0x3e591:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x27622:$a8: GetOutlookPasswords 0x3e242:$a8: GetOutlookPasswords
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe", ParentImage: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe, ParentProcessId: 7588, ParentProcessName: Yeni Sat#U0131nalma Sipari#U015fi.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe", ProcessId: 7736, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe, ParentImage: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe, ParentProcessId: 7992, ParentProcessName: gxgApjCrJAD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp", ProcessId: 8116, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpB34E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpB34E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe", ParentImage: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe, ParentProcessId: 7588, ParentProcessName: Yeni Sat#U0131nalma Sipari#U015fi.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpB34E.tmp", ProcessId: 7764, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe", ParentImage: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe, ParentProcessId: 7588, ParentProcessName: Yeni Sat#U0131nalma Sipari#U015fi.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe", ProcessId: 7736, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpB34E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpB34E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe", ParentImage: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe, ParentProcessId: 7588, ParentProcessName: Yeni Sat#U0131nalma Sipari#U015fi.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpB34E.tmp", ProcessId: 7764, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T11:40:15.633619+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49695	193.122.130.0	80	TCP
2025-03-12T11:40:15.711764+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49697	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "darksender@mcnzxz.com", "Password": "Nigeria@2025", "Server": "cphost14.qhoster.net"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Virustotal: Detection: 50%			Perma Link

Multi AV Scanner detection for submitted file

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Virustotal: Detection: 50%			Perma Link
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	ReversingLabs: Detection: 36%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49700 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49699 version: TLS 1.0

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01495782h	8_2_01495366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 014951B9h	8_2_01494F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01495782h	8_2_014956AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E65782h	13_2_00E65358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E651B9h	13_2_00E64F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E65782h	13_2_00E656AF

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49695 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49697 -> 193.122.130.0:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49700 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49699 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000008.00000002.2453914307.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000008.00000002.2453914307.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2453914307.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, gxgApjCrJAD.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, gxgApjCrJAD.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, gxgApjCrJAD.exe.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000008.00000002.2453914307.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000008.00000002.2453914307.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1228522356.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2453914307.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, gxgApjCrJAD.exe, 00000009.00000002.1258345107.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, gxgApjCrJAD.exe.1.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, gxgApjCrJAD.exe.1.dr	String found in binary or memory: https://www.google.com/?Please

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7904, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_08D50040	1_2_08D50040
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_02B44210	1_2_02B44210
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_02B480D9	1_2_02B480D9
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_05213860	1_2_05213860
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_05213850	1_2_05213850
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_0582AA18	1_2_0582AA18
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_058255F0	1_2_058255F0
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_05825568	1_2_05825568
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_058277BF	1_2_058277BF
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_058277D0	1_2_058277D0
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_05829F38	1_2_05829F38
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_05824838	1_2_05824838
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_071B6424	1_2_071B6424
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_071B6F88	1_2_071B6F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0149C168	8_2_0149C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0149A7F2	8_2_0149A7F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_014919B8	8_2_014919B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0149CAB0	8_2_0149CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01492DD1	8_2_01492DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01494F08	8_2_01494F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01497E68	8_2_01497E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0149B9E0	8_2_0149B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0149CA82	8_2_0149CA82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0149CA91	8_2_0149CA91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01497E63	8_2_01497E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01494EF8	8_2_01494EF8
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_00F84210	9_2_00F84210
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_00F880DA	9_2_00F880DA
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_05103860	9_2_05103860
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_0510385B	9_2_0510385B
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_05769B50	9_2_05769B50
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_0576AA18	9_2_0576AA18
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_05765568	9_2_05765568
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_057655F0	9_2_057655F0
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_057677D0	9_2_057677D0
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_057677BF	9_2_057677BF
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_05765230	9_2_05765230
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_05767F20	9_2_05767F20
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_05764838	9_2_05764838
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_05768A30	9_2_05768A30
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_07476424	9_2_07476424
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_07476F88	9_2_07476F88
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_074BD678	9_2_074BD678
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_074B63DF	9_2_074B63DF
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_074B63F0	9_2_074B63F0
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_074B5141	9_2_074B5141
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_074B5150	9_2_074B5150
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_074B6F50	9_2_074B6F50
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_074BBE6A	9_2_074BBE6A
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_074B4D18	9_2_074B4D18
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_074B48E0	9_2_074B48E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E6C168	13_2_00E6C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E6A7F2	13_2_00E6A7F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E627B9	13_2_00E627B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E6CAB0	13_2_00E6CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E62DD1	13_2_00E62DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E67E68	13_2_00E67E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E64F08	13_2_00E64F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E6B9E0	13_2_00E6B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E6B9DC	13_2_00E6B9DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E6CAAE	13_2_00E6CAAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E64EF8	13_2_00E64EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E67E66	13_2_00E67E66

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: invalid certificate

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Binary or memory string: OriginalFilename vs Yeni Sat#U0131nalma Sipari#U015fi.exe
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000000.1204211042.0000000000872000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamefqDW.exe0 vs Yeni Sat#U0131nalma Sipari#U015fi.exe
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Yeni Sat#U0131nalma Sipari#U015fi.exe
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Yeni Sat#U0131nalma Sipari#U015fi.exe
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1226668558.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Yeni Sat#U0131nalma Sipari#U015fi.exe
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1228522356.0000000002D65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Yeni Sat#U0131nalma Sipari#U015fi.exe
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1228522356.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Yeni Sat#U0131nalma Sipari#U015fi.exe
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1233628566.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Yeni Sat#U0131nalma Sipari#U015fi.exe
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1228522356.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Yeni Sat#U0131nalma Sipari#U015fi.exe
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1235371398.0000000008CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Yeni Sat#U0131nalma Sipari#U015fi.exe
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Binary or memory string: OriginalFilenamefqDW.exe0 vs Yeni Sat#U0131nalma Sipari#U015fi.exe

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7904, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gxgApjCrJAD.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, I06Cj801T0iUl1Jpn9.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, I06Cj801T0iUl1Jpn9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, I06Cj801T0iUl1Jpn9.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, A8q7W93gTw4Lrp8mXJ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, A8q7W93gTw4Lrp8mXJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/11@2/2

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

File created: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB34E.tmp

Jump to behavior

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000008.00000002.2453914307.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2453914307.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2453914307.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2453914307.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2453914307.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2455719685.0000000003B1D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002C03000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Virustotal: Detection: 50%
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

File read: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe"
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpB34E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpB34E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, I06Cj801T0iUl1Jpn9.cs

.Net Code: iCNNS6r0lU System.Reflection.Assembly.Load(byte[])

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: 0xAA7E0CA5 [Sun Aug 22 08:04:53 2060 UTC]

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_02B446BF push edx; retf	1_2_02B446C2
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_02B446B8 push edx; retf	1_2_02B446BA
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_02B446BB push edx; retf	1_2_02B446BE
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_02B44658 push edx; retf	1_2_02B4465A
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_02B447B0 push esi; retf	1_2_02B447B2
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_02B44779 push esi; retf	1_2_02B4477A
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_02B4477B push esi; retf	1_2_02B44782
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_0521CD20 push eax; retf	1_2_0521CD21
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 1_2_0521D3D2 push eax; iretd	1_2_0521D3D9
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_0510C013 push eax; ret	9_2_0510C019
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_0510D3D3 push eax; iretd	9_2_0510D3D9
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Code function: 9_2_0510CD20 push eax; retf	9_2_0510CD21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00E6F273 push ebp; retf	13_2_00E6F281

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: section name: .text entropy: 7.671228743931358
Source: gxgApjCrJAD.exe.1.dr	Static PE information: section name: .text entropy: 7.671228743931358

Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, SETF0O9COFAPBrNcyX.cs	High entropy of concatenated method names: 'atUDpY6K48', 'd6sDxGBAdR', 'SpiD9CeV5Z', 'NjjDZlE6Tw', 'qqPDX12aSR', 'TaODlcIVFa', 'S7LDLtWZ9b', 'WSlDn10F4N', 'E5LDiRJ0kJ', 'aZ0DmDp8PO'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, uEIOxGmFaBlyXUfJN7.cs	High entropy of concatenated method names: 'PLfvjVXRi2', 'wMYvbNnYQI', 'Fkvve3W7Yf', 'CRIedw32vq', 'Kn6ez1hqS1', 'w4fvFFHqRt', 'ChSvClqSLh', 'f4UvWqEOFB', 'UCovojxe5R', 'eldvNiZVfL'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, zsnYV6VjMBDgyeBxSl.cs	High entropy of concatenated method names: 'iTB71myvuA', 'SdI7XGQY8b', 'HdV7ld9kdN', 'Y8w7LF1wGr', 'Y357n2glNG', 'b9X7ip6kE9', 'lL97mi4TGV', 'Wka7tSDjqb', 'CNP7RgCTCB', 'PL97pmrLch'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, Ajx79RI3DlM2uJTtF0.cs	High entropy of concatenated method names: 't5F4BigoZg', 'mt74TbBINh', 'ToString', 'JKc4j6SAf4', 'HeY4Goh1NI', 'roH4b4t3Mi', 'lQQ4kj8Qua', 'Uk74exIkYb', 'XBj4vggUt5', 'xSb40w8NLi'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, swOfURWM0Z9Hko6THr.cs	High entropy of concatenated method names: 'W7uSHWwEe', 'rurPpYk68', 'mnHqkkZIf', 'G2O8C29Uf', 'uVywsqIiP', 'Y4C2ZwMNb', 'tSkNpoQQ6utEOqPf3m', 'wNsGWr1h6ufowPtY1j', 'YcwQPG5SK', 'sSyJuj2aA'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, GQCdwLbNROYm32YIfE.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zrOWVg7bVH', 'njPWdZLPjL', 'ag7WztiKNR', 'W9GoFsplBK', 'LZUoC8BB5V', 'HImoW333SA', 'GAcooEeBlI', 'btFCCpXS4iDmHvFrqP0'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, A8q7W93gTw4Lrp8mXJ.cs	High entropy of concatenated method names: 'nv1G9voScV', 'BW2GZKnckW', 'QSWGyl514g', 'D4dGI8P3G9', 'pa7GUPXlSB', 'ItbGEcjbVN', 'vKkGASEJYW', 'Pg0GHfA84M', 'DfjGVL4ReI', 'JFHGde2BiB'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, pmcpqFEwaIJkPabuBL.cs	High entropy of concatenated method names: 'Ajv4HQf8vm', 'lIu4dgy8my', 'OO3QF92C05', 'WX5QChWlp4', 'Yhd4rysh8i', 'FLn4xn5uSS', 'SAQ4Y1w95w', 'LyJ49M4R7j', 'r0n4ZLD6eH', 'vdb4yKXqQR'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, IupnCeCFfAuCq2SJODB.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BRdJrqafgM', 'DV1JxmVDnS', 'kg7JYTAjGr', 'TxtJ9uHVYh', 'gEPJZmvslS', 'BpxJyKEjvR', 'tSQJIaeZlc'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, DPxvZ0GQR5FnRaAiOZ.cs	High entropy of concatenated method names: 'Dispose', 'Y8rCVHwNJQ', 'JsYWXjoUvq', 'g4ENqLSAK0', 'a9jCdOxKQl', 'mA6CzYNcFK', 'ProcessDialogKey', 'SvSWFsnYV6', 'fMBWCDgyeB', 'PSlWWZi1LE'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, GcJpG7RSMo1AF3rJkq.cs	High entropy of concatenated method names: 'gMEvuN4ojD', 'A0UvhE7e0h', 'RpDvSo5sEG', 'LwgvPO5XKg', 'KDqvc2sIpM', 'ooKvq14uSA', 'buDv8sTckC', 'eNyv3Ssi0u', 'w7Lvw55S0D', 'UVAv2S6Cj8'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, LHLs7wYtd30ACwJpHZ.cs	High entropy of concatenated method names: 'aUJM3K7sPp', 'qQWMwoAkPH', 'q7eM1bS42R', 'JaZMXS1cMS', 'yymMLhvj5G', 'rtRMnDc01x', 'kUjMm74j1y', 'IcFMtyAaEO', 'BD6Mpyiytp', 'w0aMrRDkdt'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, QMaJWryZUsnWddeXmQ.cs	High entropy of concatenated method names: 'ToString', 'HHdOrXuLoM', 'Fh4OXEW0Cp', 'fbMOllPkYu', 'W6EOLtaEYv', 'B3AOnppv8t', 'ftDOikEyUD', 'kFlOmrbnk5', 'R71Ot4UXy8', 'XEQOR5Etwa'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, KhXIhM1HYWeu6kFrAS.cs	High entropy of concatenated method names: 'xCjegVTZFx', 'baceGYiP43', 'SEMekhHCmW', 'KrJevNr0Xn', 'REie0e9yyk', 'zmRkUNwSbg', 'IgpkE9YydE', 'p5OkAjOHKf', 'gmbkHBKLsg', 'NUXkVX0uwk'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, EFUkGgCC9IhKHlLsGMX.cs	High entropy of concatenated method names: 'ILVJdx1ItE', 'EVfJziFm7m', 'gSZ6FZrFTs', 'gGC6CpSQEv', 'eGX6WRm9k7', 'Gfa6obZxN7', 'Gf36NtQVmZ', 'gTb6goJrIb', 'jrl6jE0wVY', 'DCJ6GKRJxG'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, pBKrdZNJTnOLamtrMB.cs	High entropy of concatenated method names: 'yEPCv8q7W9', 'eTwC04Lrp8', 'KelCBYJZWI', 'WvrCTa8iMO', 'HAZCDQlihX', 'ThMCOHYWeu', 'IYhwMOfoZmvTw214M1', 'TSZogGy7lB1BDZ8F3L', 'w6kCCdjCCV', 'pqhCogajEr'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, IcI33mwelYJZWIAvra.cs	High entropy of concatenated method names: 'HrxbPyj25e', 'h6YbqJ2NKF', 'kUwb3aUIg6', 'vlrbwqrtfw', 'deubDLJJIp', 'jlubORZMK4', 'arGb443jCi', 'pB6bQt11DE', 'lMTb7Gqm0r', 'C4nbJQT8hu'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, eGUrCeCNShdmjJil4tj.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Liuf7YZQYa', 'zOcfJ3HlqG', 'wRjf6oWnlr', 'r4Wffub2kc', 'DQefsLTa4O', 'aBYfKRfrcx', 't5uf5aMAC7'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, M8bnsGArOd8rHwNJQC.cs	High entropy of concatenated method names: 'ha17DJmnVG', 'O4S74remPK', 'lQk77FNJVs', 'WrV76l5Ej6', 'xx37sEB204', 'b6575HSevf', 'Dispose', 'HV0Qj5ZZsD', 'M0vQGMGKIZ', 'YsGQbquFuF'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, DiMOu52EVJEE8lAZQl.cs	High entropy of concatenated method names: 'ACGkckptXV', 'QEQk8YOoCS', 'lo0blZ9IyJ', 'dwUbLtL2yi', 'qg4bnw1BPU', 'CZEbioswvF', 'HDNbmqCnyJ', 'oxZbtxYBtw', 'yj7bRDr5ba', 'EpQbpwwCXO'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, I06Cj801T0iUl1Jpn9.cs	High entropy of concatenated method names: 'g1iogHw1OW', 'GLVojsF7AI', 'wxHoG9DFje', 'KmMobYKx9m', 'p02okC8PI2', 'm3VoeGfTYb', 'MW7ovBqjFI', 'BCRo0rJHmA', 'aHjoagICe4', 'omAoBWLCQy'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, IVCQfmzniCviK5lnjx.cs	High entropy of concatenated method names: 'flsJqDT2ER', 'hn4J3rVgfx', 'pRyJwWJXYo', 'XTvJ1fcJou', 'HfOJXcMtek', 'leUJLtfdVs', 'j6PJngOwvd', 'v5rJ5pR3MO', 'MaPJu8TJKx', 'VWVJhkjBI5'
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.8cf0000.5.raw.unpack, Ri1LEDd7kRCO1Kuns1.cs	High entropy of concatenated method names: 'uRiJbVdbnR', 'Up0JkmnZsV', 'zFxJeU9xo1', 'vAdJvSOlZK', 'jeqJ7X96IW', 'PaZJ0ij1rx', 'Next', 'Next', 'Next', 'NextBytes'

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

File created: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpB34E.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gxgApjCrJAD.exe PID: 7992, type: MEMORYSTR

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory allocated: 2D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory allocated: 2B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory allocated: A3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory allocated: 8EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory allocated: B3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory allocated: C3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory allocated: F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory allocated: 2B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory allocated: 4B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory allocated: 90A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory allocated: 7600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory allocated: A0A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory allocated: B0A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7052			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2384			Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe TID: 7636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7984	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe TID: 8012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 0000000D.00000002.2451822596.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1226668558.0000000000EA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=+
Source: RegSvcs.exe, 00000008.00000002.2451955906.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_0149C168 LdrInitializeThunk,LdrInitializeThunk,

8_2_0149C168

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe"
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D30008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41A000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B35008	Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpB34E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Queries volume information: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1260972234.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gxgApjCrJAD.exe PID: 7992, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7904, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7904, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2453914307.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2453416235.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6000, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1260972234.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gxgApjCrJAD.exe PID: 7992, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7904, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d83a70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Yeni Sat#U0131nalma Sipari#U015fi.exe.3d6cc50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Yeni Sat#U0131nalma Sipari#U015fi.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7904, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Yeni Sat#U0131nalma Sipari#U015fi.exe	51%	Virustotal		Browse
Yeni Sat#U0131nalma Sipari#U015fi.exe	37%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	37%	ReversingLabs
C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe	51%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.96.1	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000008.00000002.2453914307.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000008.00000002.2453914307.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000008.00000002.2453914307.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/?Please	Yeni Sat#U0131nalma Sipari#U015fi.exe, gxgApjCrJAD.exe.1.dr	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1228522356.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2453914307.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, gxgApjCrJAD.exe, 00000009.00000002.1258345107.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Yeni Sat#U0131nalma Sipari#U015fi.exe, gxgApjCrJAD.exe.1.dr	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2453914307.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2453416235.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.96.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636087
Start date and time:	2025-03-12 11:39:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Yeni Sat#U0131nalma Sipari#U015fi.exe renamed because original name is a hash value
Original Sample Name:	Yeni Satnalma Siparii.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/11@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 63 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:40:04	API Interceptor	1x Sleep call for process: Yeni Sat#U0131nalma Sipari#U015fi.exe modified
06:40:06	API Interceptor	12x Sleep call for process: powershell.exe modified
06:40:07	API Interceptor	1x Sleep call for process: gxgApjCrJAD.exe modified
11:40:06	Task Scheduler	Run new task: gxgApjCrJAD path: C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.96.1	Transferencia 6997900002017937.exe	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/uztg/
	hh01FRs81x.exe	Get hash	malicious	FormBook	Browse	www.newanthoperso.shop/3nis/?LL=4FHLH&R4lxS2-P=7Jez/f8BRsPhvFRcTYEfxOkzfWBvvrnmo+4qP8uldvbHjjygNPFvdo5E4tKnf+Ij1qWwstrtA/xMUYgdGo9Dw7YPXWw4NGSG4oy32mHU2IUoylmJFg==
	yloe82Jp1k.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/
	A2h6QhZIKx.exe	Get hash	malicious	Azorult	Browse	k1d5.icu/TP341/index.php
	DHL AWB Receipt_pdf.bat.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	r_BBVA_MensajeSWIFT04-03-2025-PDF.exe	Get hash	malicious	FormBook	Browse	www.kdrqcyusevx.info/k7wl/
	MUH030425.exe	Get hash	malicious	Azorult	Browse	k1d5.icu/TP341/index.php
	Invoice Remittance ref20250226.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	368c6e62-b031-5b65-fd43-e7a610184138.eml	Get hash	malicious	HTMLPhisher	Browse	ce60771026585.oakdiiocese.org/r/74?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
	PO.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
193.122.130.0	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	checkip.dyndns.org/
	ja811MqV4h.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	SHIPPING ADVICE#2025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rDatosbancarios.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	z101007R1DRG.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	hKYhCefzJK.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	faz3VkyT7b.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	104.21.16.1
	kissingwithbestexperiencedgirlfriendonhereformenice.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.80.1
checkip.dyndns.com	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	193.122.130.0
	kissingwithbestexperiencedgirlfriendonhereformenice.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Message.eml	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	ohd-cheat.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://www.dkgroup.fr	Get hash	malicious	Unknown	Browse	104.17.25.14
	bootservice (2).php.html	Get hash	malicious	Unknown	Browse	172.67.72.52
	bootservice.php.html	Get hash	malicious	Unknown	Browse	172.67.72.52
	https://cdn.discordapp.com/attachments/1348969507032530946/1348970630871253032/schedul1fullgamecrack.zip?ex=67d1664d&is=67d014cd&hm=b21257265fdcc604375b8cc794d57ddf7076368e7330eb79e60ec973ef2d1600&	Get hash	malicious	Unknown	Browse	162.159.133.233
	http://rqst.qlyvasok.ru	Get hash	malicious	Unknown	Browse	172.67.218.46
	https://na4.docusign.net/Signing/EmailStart.aspx?a=98613b3e-4358-4628-9b7d-41ec67471533&acct=c0dc35b2-63fe-4f1c-a73a-e32c0fbf9ad5&er=57612189-98c9-4115-b187-cb70a302a3ee	Get hash	malicious	Unknown	Browse	104.18.86.42
	skuld.exe	Get hash	malicious	Go Stealer, Skuld Stealer	Browse	104.26.13.205
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
ORACLE-BMC-31898US	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	cbr.m68k.elf	Get hash	malicious	Mirai	Browse	144.25.156.103
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	http://account.hrblock.com	Get hash	malicious	Unknown	Browse	130.61.120.2
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	193.122.130.0
	niceworkingskillwithbestideasevermade.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	New Order RFQ- 19A20060.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	R9rwNLVzpr.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.96.1
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.96.1
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	kissingwithbestexperiencedgirlfriendonhereformenice.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.96.1

Process:	C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
MD5:	3978978DE913FD1C068312697D6E5917
SHA1:	1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
SHA-256:	33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
SHA-512:	78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gxgApjCrJAD.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
MD5:	3978978DE913FD1C068312697D6E5917
SHA1:	1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
SHA-256:	33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
SHA-512:	78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380192968514367
Encrypted:	false
SSDEEP:	48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeoPUyus:+LHyIFKL3IZ2KRH9OugYs
MD5:	9AA3EC09E507E3B6521730FDDCF550A3
SHA1:	19E688C78EB2FBE0D620C0055293DA06411512D0
SHA-256:	E50F69B84C0E4B5D2CFE80C5B7B4AF6398A862F098D06B138388F7D49ABAB0B8
SHA-512:	04B3A49C7FB0DFFF413095AB046296C779A1978D64CDAE35858435A5E41221AE6726421F1FB116EBF7E2DB314602A544F5C8AD7F0F96FCC04D694AD6C1E78E81
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_etvktok5.woq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pt1chbjt.iod.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v2s1di0h.5ja.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wum1ppfk.cnq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpB34E.tmp

Download File

Process:	C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1598
Entropy (8bit):	5.100124767885937
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL1xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTPv
MD5:	7F0520E6CB8279B51DB59DC81397794A
SHA1:	5ED2FFD85077518AB54D96221A974AB676AA0D5F
SHA-256:	B3C8C5D7BC0EE18168DD5FEE45A79C7CF7DCF35FB647BF80AED07C3616A224F6
SHA-512:	4EACC78ADB441831C3EAC1EDE33712645D0A4CF79916A23CB22ADED21A22EACB013C87B33EC9D3FF6BD6AF58E8A545C8364D4BEB2BD940C42CA595CF23FD722B
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1598
Entropy (8bit):	5.100124767885937
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL1xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTPv
MD5:	7F0520E6CB8279B51DB59DC81397794A
SHA1:	5ED2FFD85077518AB54D96221A974AB676AA0D5F
SHA-256:	B3C8C5D7BC0EE18168DD5FEE45A79C7CF7DCF35FB647BF80AED07C3616A224F6
SHA-512:	4EACC78ADB441831C3EAC1EDE33712645D0A4CF79916A23CB22ADED21A22EACB013C87B33EC9D3FF6BD6AF58E8A545C8364D4BEB2BD940C42CA595CF23FD722B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe

Download File

Process:	C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	593928
Entropy (8bit):	7.668781840789613
Encrypted:	false
SSDEEP:	12288:pRFBfLyJu5+8CJffMnawf0oezCzDLMNytlkYIHAQBVeWeXkR:rjeJEw3MFMo0CbRGGyVey
MD5:	4C53F0C4FEEFDB2C41621AFBFC08D46D
SHA1:	F9ABD3C8A1C2E45688DB0066BA97BBCB846B8899
SHA-256:	E1A0B0280374ABCBBD243E3D9B749B9E976354ED259076E238C45CF821E1E35B
SHA-512:	AA4E4F50AECCACF9DC37701F4E2E142EEC12FCFA451333385B973297421962241B1B3478ABA2FE6CA2E3BFBB6DF1640E429EE8F1F1DD081FDE29BB88383D4F28
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37% Antivirus: Virustotal, Detection: 51%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~...............0......&........... ........@.. .......................@............`.....................................O.......D"...............6... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...D".......$..................@..@.reloc....... ......................@..B........................H...........0.......`...0...`C..........................................n..(......(....X..(....X.[..0............{.....+..B...}.....(.........0...........(....}......}.....(....... .(...(.......o .....r...p".. As!...o"...........(#...o$..... .... .... ....(#...o%.....(&...o'......0..h.............. 01..YE....X...s...<.......+....;....+... ;....8#.... ....0...@;....+.. ....;....8..... ....;....+.. ....;....8....s(...%.o)....%.o.....8....s(...%.o)....%.o.....8....s(...%.o

C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.668781840789613
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Yeni Sat#U0131nalma Sipari#U015fi.exe
File size:	593'928 bytes
MD5:	4c53f0c4feefdb2c41621afbfc08d46d
SHA1:	f9abd3c8a1c2e45688db0066ba97bbcb846b8899
SHA256:	e1a0b0280374abcbbd243e3d9b749b9e976354ed259076e238c45cf821e1e35b
SHA512:	aa4e4f50aeccacf9dc37701f4e2e142eec12fcfa451333385b973297421962241b1b3478aba2fe6ca2e3bfbb6df1640e429ee8f1f1dd081fde29bb88383d4f28
SSDEEP:	12288:pRFBfLyJu5+8CJffMnawf0oezCzDLMNytlkYIHAQBVeWeXkR:rjeJEw3MFMo0CbRGGyVey
TLSH:	B2C4F1958A48D717D6AD4BB55575D3321376CEAFB802E396CAEC8CDB3C92B7021081CB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~...............0......&........... ........@.. .......................@............`................................

File Icon


Icon Hash:	112149998941710f

Static PE Info

General

Entrypoint:	0x48d0fe
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xAA7E0CA5 [Sun Aug 22 08:04:53 2060 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d0ac	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x2244	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8da00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d090	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8b104	0x8b200	6a0a266b5d8c2ddc762a84589d304cc9	False	0.8469034282345014	data	7.671228743931358	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8e000	0x2244	0x2400	63e37b626438dbc8f724105c7906582b	False	0.8543836805555556	data	7.378776755870685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	d259b5e48158a84ba67dcf6533772561	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8e100	0x1bc2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9898677174218969
RT_GROUP_ICON	0x8fcd4	0x14	data	1.05
RT_VERSION	0x8fcf8	0x34c	data	0.4419431279620853
RT_MANIFEST	0x90054	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	A basic Windows Forms UI kit for simple UI creation.
CompanyName
FileDescription	CometUI
FileVersion	1.0.5.5
InternalName	fqDW.exe
LegalCopyright
LegalTrademarks
OriginalFilename	fqDW.exe
ProductName	CometUI
ProductVersion	1.0.5.5
Assembly Version	1.0.5.5

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-12T11:40:15.633619+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49695	193.122.130.0	80	TCP
2025-03-12T11:40:15.711764+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49697	193.122.130.0	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 11:40:07.059835911 CET	49695	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:40:07.064547062 CET	80	49695	193.122.130.0	192.168.2.6
Mar 12, 2025 11:40:07.064635992 CET	49695	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:40:07.064835072 CET	49695	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:40:07.069535971 CET	80	49695	193.122.130.0	192.168.2.6
Mar 12, 2025 11:40:09.927812099 CET	49697	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:40:09.932697058 CET	80	49697	193.122.130.0	192.168.2.6
Mar 12, 2025 11:40:09.932823896 CET	49697	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:40:09.933012009 CET	49697	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:40:09.938188076 CET	80	49697	193.122.130.0	192.168.2.6
Mar 12, 2025 11:40:13.486608028 CET	80	49697	193.122.130.0	192.168.2.6
Mar 12, 2025 11:40:13.492991924 CET	49697	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:40:13.497704983 CET	80	49697	193.122.130.0	192.168.2.6
Mar 12, 2025 11:40:13.982578039 CET	80	49695	193.122.130.0	192.168.2.6
Mar 12, 2025 11:40:13.987343073 CET	49695	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:40:13.992060900 CET	80	49695	193.122.130.0	192.168.2.6
Mar 12, 2025 11:40:15.580807924 CET	80	49695	193.122.130.0	192.168.2.6
Mar 12, 2025 11:40:15.591947079 CET	49699	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:15.591989994 CET	443	49699	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:15.592044115 CET	49699	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:15.631360054 CET	49699	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:15.631381989 CET	443	49699	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:15.633619070 CET	49695	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:40:15.670357943 CET	80	49697	193.122.130.0	192.168.2.6
Mar 12, 2025 11:40:15.672056913 CET	49700	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:15.672084093 CET	443	49700	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:15.672144890 CET	49700	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:15.676033974 CET	49700	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:15.676045895 CET	443	49700	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:15.711764097 CET	49697	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:40:17.442424059 CET	443	49700	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:17.442521095 CET	49700	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:17.451095104 CET	443	49699	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:17.451199055 CET	49699	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:17.461677074 CET	49700	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:17.461699963 CET	443	49700	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:17.462003946 CET	49699	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:17.462037086 CET	443	49699	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:17.462260962 CET	443	49700	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:17.462311029 CET	443	49699	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:17.508661985 CET	49700	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:17.508662939 CET	49699	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:17.592041016 CET	49699	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:17.628647089 CET	49700	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:17.636322975 CET	443	49699	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:17.676322937 CET	443	49700	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:18.256279945 CET	443	49700	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:18.256345987 CET	443	49700	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:18.256525040 CET	49700	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:18.271992922 CET	443	49699	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:18.272049904 CET	443	49699	104.21.96.1	192.168.2.6
Mar 12, 2025 11:40:18.272217989 CET	49699	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:18.277745008 CET	49699	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:40:18.282399893 CET	49700	443	192.168.2.6	104.21.96.1
Mar 12, 2025 11:41:20.586769104 CET	80	49695	193.122.130.0	192.168.2.6
Mar 12, 2025 11:41:20.586833954 CET	49695	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:41:20.669759035 CET	80	49697	193.122.130.0	192.168.2.6
Mar 12, 2025 11:41:20.669837952 CET	49697	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:41:55.587708950 CET	49695	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:41:55.594552994 CET	80	49695	193.122.130.0	192.168.2.6
Mar 12, 2025 11:41:55.685735941 CET	49697	80	192.168.2.6	193.122.130.0
Mar 12, 2025 11:41:55.691471100 CET	80	49697	193.122.130.0	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 11:40:07.046195030 CET	56381	53	192.168.2.6	1.1.1.1
Mar 12, 2025 11:40:07.053992987 CET	53	56381	1.1.1.1	192.168.2.6
Mar 12, 2025 11:40:15.582485914 CET	54565	53	192.168.2.6	1.1.1.1
Mar 12, 2025 11:40:15.591217995 CET	53	54565	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 12, 2025 11:40:07.046195030 CET	192.168.2.6	1.1.1.1	0xa1d7	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 12, 2025 11:40:15.582485914 CET	192.168.2.6	1.1.1.1	0x7287	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 12, 2025 11:40:07.053992987 CET	1.1.1.1	192.168.2.6	0xa1d7	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 12, 2025 11:40:07.053992987 CET	1.1.1.1	192.168.2.6	0xa1d7	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 12, 2025 11:40:07.053992987 CET	1.1.1.1	192.168.2.6	0xa1d7	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 12, 2025 11:40:07.053992987 CET	1.1.1.1	192.168.2.6	0xa1d7	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 12, 2025 11:40:07.053992987 CET	1.1.1.1	192.168.2.6	0xa1d7	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 12, 2025 11:40:07.053992987 CET	1.1.1.1	192.168.2.6	0xa1d7	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 12, 2025 11:40:15.591217995 CET	1.1.1.1	192.168.2.6	0x7287	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 11:40:15.591217995 CET	1.1.1.1	192.168.2.6	0x7287	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 11:40:15.591217995 CET	1.1.1.1	192.168.2.6	0x7287	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 11:40:15.591217995 CET	1.1.1.1	192.168.2.6	0x7287	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 11:40:15.591217995 CET	1.1.1.1	192.168.2.6	0x7287	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 11:40:15.591217995 CET	1.1.1.1	192.168.2.6	0x7287	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 11:40:15.591217995 CET	1.1.1.1	192.168.2.6	0x7287	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49695	193.122.130.0	80	7904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 12, 2025 11:40:07.064835072 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 12, 2025 11:40:13.982578039 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 10:40:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3665264dc9025d77fa394f6ca021c050 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 12, 2025 11:40:13.987343073 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 12, 2025 11:40:15.580807924 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 10:40:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 02bf9cb0ddc3f6869435afed5ab65290 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49697	193.122.130.0	80	6000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 12, 2025 11:40:09.933012009 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 12, 2025 11:40:13.486608028 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 10:40:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a71b08f22c502a5a6779896833f7d9f7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 12, 2025 11:40:13.492991924 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 12, 2025 11:40:15.670357943 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 10:40:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2e55f9f1648e71aea895b0b6c6753407 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49699	104.21.96.1	443	7904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 10:40:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-12 10:40:18 UTC	846	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 10:40:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 cf-cache-status: MISS last-modified: Wed, 12 Mar 2025 10:40:18 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ePsitpIhkBgQM%2BmsUWUO6%2FkOA%2B1TGqyleV29mzumfcdPqjijyQOUXhs3I%2FAujnUwBK0cvvXKYpkbFUboKQxkG6UuaRaZEzwJP5DH8seNPpcdFTwAm7dxwbQeY0Iwideo75ygl06Q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f2ac2f1fcc4df1-MCI alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18910&min_rtt=15209&rtt_var=7598&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=190325&cwnd=241&unsent_bytes=0&cid=c3aace8aa51c5103&ts=942&x=0"
2025-03-12 10:40:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49700	104.21.96.1	443	6000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 10:40:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-12 10:40:18 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 10:40:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 0 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Wed, 12 Mar 2025 10:40:18 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BpjzFEJxWXV72GjXr6ZTNouW8fW80cUFacWWv8WqjyZ%2B7tOkvymtH3Ex9NlwHittnAr7Z%2BCKp3DyHLCgYS7IpO4ybwlB90DxMv0%2BZQ12olsah%2Bi%2Fvbn9YzZlA0dDePPZOJbH5aut"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f2ac2f4a7fd193-MCI alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18897&min_rtt=18294&rtt_var=5683&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=158216&cwnd=249&unsent_bytes=0&cid=d39597b4c240bddb&ts=955&x=0"
2025-03-12 10:40:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	1
Start time:	06:40:03
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe"
Imagebase:	0x870000
File size:	593'928 bytes
MD5 hash:	4C53F0C4FEEFDB2C41621AFBFC08D46D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1230612405.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:40:05
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe"
Imagebase:	0x70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:40:05
Start date:	12/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:40:05
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpB34E.tmp"
Imagebase:	0xfa0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:40:05
Start date:	12/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:40:05
Start date:	12/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x3e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:40:05
Start date:	12/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xab0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2449719918.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2453914307.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	06:40:06
Start date:	12/03/2025
Path:	C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe
Imagebase:	0x770000
File size:	593'928 bytes
MD5 hash:	4C53F0C4FEEFDB2C41621AFBFC08D46D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000009.00000002.1260972234.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 37%, ReversingLabs Detection: 51%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:40:07
Start date:	12/03/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff65f400000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:40:08
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxgApjCrJAD" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp"
Imagebase:	0xfa0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:40:08
Start date:	12/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:40:09
Start date:	12/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x830000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2453416235.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Yeni Sat#U0131nalma Sipari#U015fi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Yeni Sat#U0131nalma Sipari#U015fi.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gxgApjCrJAD.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_etvktok5.woq.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pt1chbjt.iod.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v2s1di0h.5ja.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wum1ppfk.cnq.ps1

C:\Users\user\AppData\Local\Temp\tmpB34E.tmp

C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp

C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe

C:\Users\user\AppData\Roaming\gxgApjCrJAD.exe:Zone.Identifier

Static File Info

Windows Analysis Report
Yeni Sat#U0131nalma Sipari#U015fi.exe