Analysis Overview
SHA256
264fcdd1f17d6ed94c647959aaba3360ee153c48298b4470effab52749d4a850
Threat Level: Known bad
The file 25092024_0844_23092024_Swift E-Posta Bildirimi_2024-09-23_T11511900.bz was found to be: Known bad. (The lure name is Turkish: "Swift E-Posta Bildirimi" means "Swift E-mail Notification".)
Malicious Activity Summary
VIPKeylogger
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Checks computer location settings
Reads user/profile data of local email clients
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-25 08:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-25 08:44
Reported
2024-09-25 08:49
Platform
win7-20240903-en
Max time kernel
292s
Max time network
245s
Command Line
Signatures
VIPKeylogger
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1620 set thread context of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe
"C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lFICHHVpiKsD.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lFICHHVpiKsD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp898.tmp"
C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe
"C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 172.67.177.134:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | quicklyserv.com | udp |
| TR | 45.143.99.52:21 | quicklyserv.com | tcp |
| TR | 45.143.99.52:56582 | quicklyserv.com | tcp |
| US | 8.8.8.8:53 | mail.sevkat.com.tr | udp |
| TR | 188.132.158.64:587 | mail.sevkat.com.tr | tcp |
| TR | 45.143.99.52:51159 | quicklyserv.com | tcp |
| TR | 188.132.158.64:587 | mail.sevkat.com.tr | tcp |
| TR | 45.143.99.52:52270 | quicklyserv.com | tcp |
| TR | 188.132.158.64:587 | mail.sevkat.com.tr | tcp |
| TR | 45.143.99.52:54346 | quicklyserv.com | tcp |
| TR | 188.132.158.64:587 | mail.sevkat.com.tr | tcp |
| TR | 45.143.99.52:62934 | quicklyserv.com | tcp |
| TR | 188.132.158.64:587 | mail.sevkat.com.tr | tcp |
Files
memory/1620-0-0x00000000749EE000-0x00000000749EF000-memory.dmp
memory/1620-1-0x0000000001140000-0x00000000011F8000-memory.dmp
memory/1620-2-0x00000000749E0000-0x00000000750CE000-memory.dmp
memory/1620-3-0x0000000000350000-0x0000000000362000-memory.dmp
memory/1620-4-0x00000000749EE000-0x00000000749EF000-memory.dmp
memory/1620-5-0x00000000749E0000-0x00000000750CE000-memory.dmp
memory/1620-6-0x0000000005040000-0x00000000050D4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DH79UDN9E60TV9D4BOC3.temp
| MD5 | 79e09ea4896b226b8c670bf039b1e075 |
| SHA1 | 0c10ee89609893e020b384b8b5c8cdfe51b9dad3 |
| SHA256 | e235a79856c71604ccd0ce3a910a468918a298428d8211d76aa9da24b1c0f402 |
| SHA512 | f2e17976a1b3086c7522f7f1297ed40e7bede035b1ef7a3ba1fdca106e2a87c20a73a5555a4ac51307a07d1c1c04a8babc1afd8b51c05ac95e659d02d3c8c9b0 |
C:\Users\Admin\AppData\Local\Temp\tmp898.tmp
| MD5 | f7270d8a84530a5eccbe0fb1c44e1a38 |
| SHA1 | f1838719ed2ce24871d53c2fe68fc558c769592a |
| SHA256 | 98c4b140c0dde8f8be07b4436ba70c5c645e91ff84ed80a0bda7d09fe4984470 |
| SHA512 | 47b1cb7e55541010cc20db90fceeb45845e2557865bd7b049660a4b89721f1972294566907d7be2c07fba079c74c9fc9276b0b370f0ff60218afbcb01711664e |
memory/2688-19-0x0000000000400000-0x000000000044A000-memory.dmp
memory/2688-28-0x0000000000400000-0x000000000044A000-memory.dmp
memory/2688-29-0x0000000000400000-0x000000000044A000-memory.dmp
memory/2688-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2688-30-0x0000000000400000-0x000000000044A000-memory.dmp
memory/2688-25-0x0000000000400000-0x000000000044A000-memory.dmp
memory/2688-23-0x0000000000400000-0x000000000044A000-memory.dmp
memory/2688-21-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1620-31-0x00000000749E0000-0x00000000750CE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-25 08:44
Reported
2024-09-25 08:49
Platform
win10v2004-20240802-en
Max time kernel
298s
Max time network
300s
Command Line
Signatures
VIPKeylogger
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3944 set thread context of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe
"C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3924,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=2508 /prefetch:8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lFICHHVpiKsD.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lFICHHVpiKsD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADEE.tmp"
C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe
"C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe"
C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe
"C:\Users\Admin\AppData\Local\Temp\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 168.6.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | quicklyserv.com | udp |
| TR | 45.143.99.52:21 | quicklyserv.com | tcp |
| TR | 45.143.99.52:61736 | quicklyserv.com | tcp |
| US | 8.8.8.8:53 | mail.sevkat.com.tr | udp |
| TR | 188.132.158.64:587 | mail.sevkat.com.tr | tcp |
| US | 8.8.8.8:53 | 52.99.143.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| TR | 45.143.99.52:59938 | quicklyserv.com | tcp |
| TR | 188.132.158.64:587 | mail.sevkat.com.tr | tcp |
| TR | 45.143.99.52:54634 | quicklyserv.com | tcp |
| TR | 188.132.158.64:587 | mail.sevkat.com.tr | tcp |
| TR | 45.143.99.52:62735 | quicklyserv.com | tcp |
| TR | 188.132.158.64:587 | mail.sevkat.com.tr | tcp |
| TR | 45.143.99.52:53453 | quicklyserv.com | tcp |
| TR | 188.132.158.64:587 | mail.sevkat.com.tr | tcp |
| TR | 45.143.99.52:55839 | quicklyserv.com | tcp |
| TR | 188.132.158.64:587 | mail.sevkat.com.tr | tcp |
| TR | 45.143.99.52:21 | quicklyserv.com | tcp |
| TR | 45.143.99.52:63853 | quicklyserv.com | tcp |
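The Network tables of both runs show the same sequence: the sample first fingerprints the victim through checkip.dyndns.org (HTTP) and reallyfreegeoip.org (HTTPS), then opens three exfiltration paths: the Telegram Bot API on 149.154.167.220:443, FTP to quicklyserv.com (45.143.99.52) as a port-21 control connection followed by high-port passive-mode data connections, and SMTP submission to mail.sevkat.com.tr on 188.132.158.64:587. When turning these rows into indicators, the 8.8.8.8:53 rows are the sandbox's resolver and the in-addr.arpa rows are reverse lookups, so neither is attacker infrastructure; checkip.dyndns.org and reallyfreegeoip.org are shared services that are useful as a detection signal in combination, not as blocklist entries; api.telegram.org is likewise shared, so blocking it is a policy decision rather than an IOC match. The Python below is an added example, not part of this report: it classifies the rows copied from the behavioral1 table (plus two reverse-lookup rows from behavioral2) into channels and extracts only the exfiltration endpoints. The role names, the Channel type and the ATT&CK mappings are this example's own.

```python
from dataclasses import dataclass, field

# (country, destination, domain, proto) rows copied from the report's Network tables:
# the behavioral1 run in full, plus two reverse-lookup rows from behavioral2.
OBSERVED_FLOWS = [
    ("US", "8.8.8.8:53", "checkip.dyndns.org", "udp"),
    ("US", "158.101.44.242:80", "checkip.dyndns.org", "tcp"),
    ("US", "8.8.8.8:53", "reallyfreegeoip.org", "udp"),
    ("US", "172.67.177.134:443", "reallyfreegeoip.org", "tcp"),
    ("US", "8.8.8.8:53", "api.telegram.org", "udp"),
    ("NL", "149.154.167.220:443", "api.telegram.org", "tcp"),
    ("US", "8.8.8.8:53", "quicklyserv.com", "udp"),
    ("TR", "45.143.99.52:21", "quicklyserv.com", "tcp"),
    ("TR", "45.143.99.52:56582", "quicklyserv.com", "tcp"),
    ("US", "8.8.8.8:53", "mail.sevkat.com.tr", "udp"),
    ("TR", "188.132.158.64:587", "mail.sevkat.com.tr", "tcp"),
    ("TR", "45.143.99.52:51159", "quicklyserv.com", "tcp"),
    ("TR", "188.132.158.64:587", "mail.sevkat.com.tr", "tcp"),
    ("TR", "45.143.99.52:52270", "quicklyserv.com", "tcp"),
    ("TR", "188.132.158.64:587", "mail.sevkat.com.tr", "tcp"),
    ("TR", "45.143.99.52:54346", "quicklyserv.com", "tcp"),
    ("TR", "188.132.158.64:587", "mail.sevkat.com.tr", "tcp"),
    ("TR", "45.143.99.52:62934", "quicklyserv.com", "tcp"),
    ("TR", "188.132.158.64:587", "mail.sevkat.com.tr", "tcp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "220.167.154.149.in-addr.arpa", "udp"),
]

RESOLVER = "8.8.8.8:53"
IP_CHECK_SERVICES = {"checkip.dyndns.org", "reallyfreegeoip.org"}
TELEGRAM_API = "api.telegram.org"


@dataclass
class Channel:
    role: str
    technique: str
    domain: str
    ip: str
    country: str
    ports: set = field(default_factory=set)
    sessions: int = 0


def classify(flows):
    """Group the flows into fingerprinting / exfiltration channels, dropping resolver noise."""
    # Hosts that received a port-21 connection: later high-port connections to them are
    # passive-mode FTP data channels, not a second service.
    ftp_hosts = {dst.rsplit(":", 1)[0] for _, dst, _, proto in flows if proto == "tcp" and dst.endswith(":21")}
    channels = {}
    for country, dst, domain, proto in flows:
        if dst == RESOLVER or domain.endswith(".in-addr.arpa"):
            continue  # sandbox DNS resolver traffic and reverse lookups: not attacker infrastructure
        ip, port = dst.rsplit(":", 1)
        port = int(port)
        if domain in IP_CHECK_SERVICES:
            role, tech = "victim fingerprinting (external IP / geolocation)", "T1016.001"
        elif domain == TELEGRAM_API and port == 443:
            role, tech = "exfiltration via Telegram Bot API", "T1567"
        elif port == 21:
            role, tech = "exfiltration via FTP (control)", "T1048"
        elif ip in ftp_hosts and port >= 1024:
            role, tech = "exfiltration via FTP (passive-mode data)", "T1048"
        elif port == 587:
            role, tech = "exfiltration via SMTP submission", "T1048"
        else:
            role, tech = "unclassified", "-"
        ch = channels.setdefault((domain, ip, role), Channel(role, tech, domain, ip, country))
        ch.ports.add(port)
        ch.sessions += 1
    return list(channels.values())


def exfil_iocs(channels):
    """domain -> set of IPs for the channels that carry stolen data (shared lookup services excluded)."""
    out = {}
    for ch in channels:
        if ch.technique in ("T1048", "T1567"):
            out.setdefault(ch.domain, set()).add(ch.ip)
    return out


if __name__ == "__main__":
    for ch in classify(OBSERVED_FLOWS):
        print(f"{ch.technique:9} {ch.role:48} {ch.domain} {ch.ip} ({ch.country}) ports={sorted(ch.ports)} sessions={ch.sessions}")
    print(exfil_iocs(classify(OBSERVED_FLOWS)))
```

The five alternating FTP-data and SMTP sessions in behavioral1 are the keylogger's periodic upload cycle; the session count per channel is therefore a better indicator of active exfiltration than the mere presence of a connection.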
Files
memory/3944-0-0x0000000074B7E000-0x0000000074B7F000-memory.dmp
memory/3944-1-0x00000000005A0000-0x0000000000658000-memory.dmp
memory/3944-2-0x0000000005700000-0x0000000005CA4000-memory.dmp
memory/3944-3-0x0000000005030000-0x00000000050C2000-memory.dmp
memory/3944-4-0x0000000005020000-0x000000000502A000-memory.dmp
memory/3944-5-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/3944-6-0x0000000005300000-0x0000000005312000-memory.dmp
memory/3944-7-0x0000000074B7E000-0x0000000074B7F000-memory.dmp
memory/3944-8-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/3944-9-0x0000000008CE0000-0x0000000008D74000-memory.dmp
memory/3944-10-0x000000000B540000-0x000000000B5DC000-memory.dmp
memory/2432-15-0x00000000050C0000-0x00000000050F6000-memory.dmp
memory/2432-16-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/2432-17-0x0000000005730000-0x0000000005D58000-memory.dmp
memory/2432-18-0x0000000074B70000-0x0000000075320000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpADEE.tmp
| MD5 | fbfc0f6ef83ad563042730ffd5c42a88 |
| SHA1 | 4e16ebf253492362f082a93d7fecfdd5d5164160 |
| SHA256 | ff0796d00c440ecff66ae7431ec488abf3b54ba429963d0bbfb1c2e7a6ac15da |
| SHA512 | c86390c6ddc2484bc720c98d3f7c29f83eae1085de1d209131285afc1669ed63935e4cd8592bcd53a08f962e65fcedc47db98cf441a816259d53eb63d1e940df |
memory/780-23-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/2764-29-0x0000000000400000-0x000000000044A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jp1qjctx.vmt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2432-22-0x0000000005FF0000-0x0000000006056000-memory.dmp
memory/2432-21-0x0000000005ED0000-0x0000000005F36000-memory.dmp
memory/2432-20-0x0000000005670000-0x0000000005692000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Swift E-Posta Bildirimi_2024-09-23_T11511900.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/780-46-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/3944-47-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/2432-48-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/2432-37-0x0000000006060000-0x00000000063B4000-memory.dmp
memory/780-49-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/2432-50-0x0000000006620000-0x000000000663E000-memory.dmp
memory/2432-51-0x00000000066D0000-0x000000000671C000-memory.dmp
memory/2432-52-0x00000000075C0000-0x00000000075F2000-memory.dmp
memory/2432-63-0x00000000075A0000-0x00000000075BE000-memory.dmp
memory/2432-53-0x0000000071210000-0x000000007125C000-memory.dmp
memory/2432-64-0x0000000007610000-0x00000000076B3000-memory.dmp
memory/780-65-0x0000000071210000-0x000000007125C000-memory.dmp
memory/2432-75-0x0000000007F90000-0x000000000860A000-memory.dmp
memory/2432-76-0x0000000007950000-0x000000000796A000-memory.dmp
memory/2432-77-0x00000000079C0000-0x00000000079CA000-memory.dmp
memory/2432-78-0x0000000007BD0000-0x0000000007C66000-memory.dmp
memory/780-79-0x00000000074F0000-0x0000000007501000-memory.dmp
memory/780-80-0x0000000007520000-0x000000000752E000-memory.dmp
memory/2432-81-0x0000000007B90000-0x0000000007BA4000-memory.dmp
memory/780-82-0x0000000007630000-0x000000000764A000-memory.dmp
memory/2432-83-0x0000000007C70000-0x0000000007C78000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5bd58764549044966c90f27e91c0a4a2 |
| SHA1 | f2eb1e218d004ef04c2dd961e260e3a9bcd6cac4 |
| SHA256 | 27e4870d98205b3117c997c53bd27da60041f25613f4808839add1ab51b7f9fc |
| SHA512 | 1725a71806f323167e6f9b0e78c46beaa616c35b593afa4bdf5e84338d48a5168548d5c9b5772ca5e7bb60116d5e4f31fb33efe659c1aac4c3dbf5eeddb7cae7 |
memory/780-89-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/2432-90-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/2764-91-0x0000000006E40000-0x0000000007002000-memory.dmp
memory/2764-92-0x0000000006CD0000-0x0000000006D20000-memory.dmp
memory/2764-93-0x0000000007540000-0x0000000007A6C000-memory.dmp
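The memory dump names in the Files sections of both runs follow the pattern memory/<pid>-<sequence>-<start>-<end>-memory.dmp. In the SetThreadContext targets (2688 in behavioral1, 2764 in behavioral2) the dumps cluster on 0x00400000-0x0044A000, the default image base of a 32-bit executable that was not rebased; that region, written by the parent before it set the child's thread context, is the one to pull first when looking for the unpacked payload. The Python below is an added example, not part of this report or of the sandbox: it parses the dump names copied from both Files sections, picks for each SetThreadContext target the latest snapshot at the image base, and checks a pulled region for the PE header a hollowed image keeps (raw shellcode would not have one). The selection heuristic, the helper names and the constructed header bytes in the test are this example's own; no dump contents are on the page.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DEFAULT_IMAGE_BASE = 0x00400000  # default image base of a 32-bit executable that was not rebased

# Dump names copied from the "Files" sections of both runs for the parents (1620 / 3944) and the
# SetThreadContext targets (2688 / 2764); the remaining parent dumps and PIDs 2432 and 780 are omitted.
DUMPS = [
    "memory/1620-0-0x00000000749EE000-0x00000000749EF000-memory.dmp",
    "memory/1620-1-0x0000000001140000-0x00000000011F8000-memory.dmp",
    "memory/1620-3-0x0000000000350000-0x0000000000362000-memory.dmp",
    "memory/2688-19-0x0000000000400000-0x000000000044A000-memory.dmp",
    "memory/2688-28-0x0000000000400000-0x000000000044A000-memory.dmp",
    "memory/2688-29-0x0000000000400000-0x000000000044A000-memory.dmp",
    "memory/2688-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2688-30-0x0000000000400000-0x000000000044A000-memory.dmp",
    "memory/2688-25-0x0000000000400000-0x000000000044A000-memory.dmp",
    "memory/2688-23-0x0000000000400000-0x000000000044A000-memory.dmp",
    "memory/2688-21-0x0000000000400000-0x000000000044A000-memory.dmp",
    "memory/1620-31-0x00000000749E0000-0x00000000750CE000-memory.dmp",
    "memory/3944-1-0x00000000005A0000-0x0000000000658000-memory.dmp",
    "memory/2764-29-0x0000000000400000-0x000000000044A000-memory.dmp",
    "memory/2764-91-0x0000000006E40000-0x0000000007002000-memory.dmp",
    "memory/2764-92-0x0000000006CD0000-0x0000000006D20000-memory.dmp",
    "memory/2764-93-0x0000000007540000-0x0000000007A6C000-memory.dmp",
]
# (source pid, target pid) from the two "Suspicious use of SetThreadContext" rows.
SET_THREAD_CONTEXT = [(1620, 2688), (3944, 2764)]


def parse_dump(name):
    """Split a dump name into pid, sequence number and the [start, end) address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = m.groups()
    return {"name": name, "pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)}


def payload_candidates(dumps, thread_context_events):
    """For each SetThreadContext target, pick the highest-numbered snapshot of the image-base region.

    The same range is dumped repeatedly in the target; the highest sequence number is the
    snapshot taken last in the run and so the most complete view of what the parent wrote.
    """
    injected_by = {dst: src for src, dst in thread_context_events}
    by_pid = defaultdict(list)
    for d in map(parse_dump, dumps):
        by_pid[d["pid"]].append(d)
    result = {}
    for pid, regions in by_pid.items():
        if pid not in injected_by:
            continue
        at_base = [r for r in regions if r["start"] == DEFAULT_IMAGE_BASE]
        if not at_base:
            continue
        latest = max(at_base, key=lambda r: r["seq"])
        result[pid] = {
            "injected_by": injected_by[pid],
            "dump": latest["name"],
            "size": latest["end"] - latest["start"],
            "snapshots": len(at_base),
        }
    return result


def is_pe_image(blob):
    """True if the bytes start with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    for pid, info in payload_candidates(DUMPS, SET_THREAD_CONTEXT).items():
        print(f"PID {pid} (written by {info['injected_by']}): {info['dump']} "
              f"size=0x{info['size']:X} snapshots={info['snapshots']}")
```

Once the chosen dump is in hand, a passing is_pe_image check means the region can be carved as a PE for static analysis; if it fails, the parent wrote position-independent code instead and the entry point has to be found from the thread context rather than from the optional header.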