
Analysis Report Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe

Overview

General Information

Sample Name: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe
MD5: 7c3a40464f8860d06f2cae80ec905339
SHA1: f924411a57bc8fb7ad057d5ffacbe3ad7b4b8674
SHA256: f8bafa64755f10484342423a2069ab6f9f817065b1f6bd45db2032677c64b7ad

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1473091082.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe PID: 4112 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe PID: 4916 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Virustotal: Detection: 33%
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 4x nop then push dword ptr [ebp+68h] | 0_2_02080608
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 4x nop then push dword ptr [ebp+68h] | 0_2_02080482
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 6x nop then clc | 0_2_02082AD3
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 6x nop then cld | 0_2_02082AD3
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 5x nop then clc | 0_2_020809D0
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 4x nop then push dword ptr [ebp+68h] | 2_2_00560482
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 4x nop then push dword ptr [ebp+68h] | 2_2_00560608
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 6x nop then clc | 2_2_00562AD3
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 6x nop then cld | 2_2_00562AD3
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 5x nop then clc | 2_2_005609D0

Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 2_2_0056346D InternetReadFile, | 2_2_0056346D
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe, 00000002.00000002.1473065945.000000000019A000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1RFEcyvZjGsxKyjr
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe, 00000002.00000002.1473091082.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1RFEcyvZjGsxKyjruUfoykVIq8Z2h7v7s

Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe, 00000000.00000002.1077852418.000000000074A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_020830AC NtProtectVirtualMemory, | 0_2_020830AC
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_0208014C EnumWindows,NtSetInformationThread,TerminateProcess, | 0_2_0208014C
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_0208117C NtWriteVirtualMemory, | 0_2_0208117C
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_02080182 NtSetInformationThread,TerminateProcess, | 0_2_02080182
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 2_2_005630AC NtProtectVirtualMemory, | 2_2_005630AC
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 2_2_0056014C EnumWindows,NtSetInformationThread,NtProtectVirtualMemory, | 2_2_0056014C
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 2_2_005602D5 NtProtectVirtualMemory, | 2_2_005602D5
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 2_2_00560182 NtSetInformationThread, | 2_2_00560182
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe, 00000000.00000002.1078449898.0000000002050000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe, 00000000.00000002.1076528454.000000000040C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTrugetsmaapigerhrsunittrus.exe vs Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe, 00000002.00000002.1475717784.000000001F0C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe, 00000002.00000002.1473637114.00000000023E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe, 00000002.00000000.1075943852.000000000040C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTrugetsmaapigerhrsunittrus.exe vs Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Binary or memory string: OriginalFilenameTrugetsmaapigerhrsunittrus.exe vs Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe
Source: classification engine | Classification label: mal88.rans.troj.evad.winEXE@3/0@0/0
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Virustotal: Detection: 33%
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe 'C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe'
Source: unknown | Process created: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe 'C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe'
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Process created: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe 'C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe'

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000002.00000002.1473091082.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe PID: 4112, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe PID: 4916, type: MEMORY
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_004036C2 push esi; iretd | 0_2_004036FC
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_00401EDB push ecx; retf | 0_2_00401EDC
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_004052F0 push dword ptr [eax-28h]; iretd | 0_2_004052F8

Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | File created: \quote power tk - perkins (tr & esc) stok durumu 04.06.2020 (power tk - perkins (tr & esc).exe

Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_02082A9B | 0_2_02082A9B
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 2_2_00562A9B | 2_2_00562A9B
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | RDTSC instruction interceptor: First address: 0000000002082AA1 second address: 0000000002082AC1 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 clc 0x00000009 or edx, eax 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 clc 0x0000001a jc 00007FDE3C288B12h 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | RDTSC instruction interceptor: First address: 0000000002082AC1 second address: 0000000002082AA1 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FDE3C4DA8DDh 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007FDE3C4DA903h 0x0000001b push ecx 0x0000001c call 00007FDE3C4DA92Eh 0x00000021 fnop 0x00000023 nop 0x00000024 lfence 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | RDTSC instruction interceptor: First address: 0000000000562AA1 second address: 0000000000562AC1 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 clc 0x00000009 or edx, eax 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 clc 0x0000001a jc 00007FDE3C288B12h 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | RDTSC instruction interceptor: First address: 0000000000562AC1 second address: 0000000000562AA1 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FDE3C4DA8DDh 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007FDE3C4DA903h 0x0000001b push ecx 0x0000001c call 00007FDE3C4DA92Eh 0x00000021 fnop 0x00000023 nop 0x00000024 lfence 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_02082A9B rdtsc | 0_2_02082A9B
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Window / User API: threadDelayed 370
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe TID: 3640 | Thread sleep count: 370 > 30
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe TID: 3640 | Thread sleep time: -3700000s >= -30000s
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Last function: Thread delayed
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_0208014C NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 | 0_2_0208014C
Hides threads from debuggers
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_02082A9B rdtsc | 0_2_02082A9B
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_02081F49 LdrInitializeThunk, | 0_2_02081F49
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_02082A04 mov eax, dword ptr fs:[00000030h] | 0_2_02082A04
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_0208269B mov eax, dword ptr fs:[00000030h] | 0_2_0208269B
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_02082CBD mov eax, dword ptr fs:[00000030h] | 0_2_02082CBD
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_020816FF mov eax, dword ptr fs:[00000030h] | 0_2_020816FF
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_02080F12 mov eax, dword ptr fs:[00000030h] | 0_2_02080F12
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 0_2_020809D0 mov eax, dword ptr fs:[00000030h] | 0_2_020809D0
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 2_2_00562A04 mov eax, dword ptr fs:[00000030h] | 2_2_00562A04
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 2_2_005616FF mov eax, dword ptr fs:[00000030h] | 2_2_005616FF
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 2_2_0056269B mov eax, dword ptr fs:[00000030h] | 2_2_0056269B
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 2_2_00562CBD mov eax, dword ptr fs:[00000030h] | 2_2_00562CBD
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 2_2_00560F12 mov eax, dword ptr fs:[00000030h] | 2_2_00560F12
Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Code function: 2_2_005609D0 mov eax, dword ptr fs:[00000030h] | 2_2_005609D0

Source: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe | Process created: C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe 'C:\Users\user\Desktop\Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe'
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe, 00000002.00000002.1473485996.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe, 00000002.00000002.1473485996.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe, 00000002.00000002.1473485996.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC).exe, 00000002.00000002.1473485996.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Remote Management | Winlogon Helper DLL | Process Injection12 | Virtualization/Sandbox Evasion11 | Input Capture1 | Virtualization/Sandbox Evasion11 | Remote File Copy1 | Input Capture1 | Data Compressed | Remote File Copy1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection12 | Network Sniffing | Process Discovery1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Obfuscated Files or Information2 | Input Capture | Application Window Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | Security Software Discovery411 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading | Account Manipulation | System Information Discovery21 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | Remote System Discovery1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features
