Edit tour

Windows Analysis Report
eFatura_HSY2024000004086_Ekleri.exe

Overview

General Information

Sample name:	eFatura_HSY2024000004086_Ekleri.exe
Analysis ID:	1482932
MD5:	3d265723ffa9ee20e76cd4eb2b628771
SHA1:	206bc32e4bf59574ca23b85f8d88ebdafff07307
SHA256:	4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

eFatura_HSY2024000004086_Ekleri.exe (PID: 6624 cmdline: "C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe" MD5: 3D265723FFA9EE20E76CD4EB2B628771)

temp.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe" MD5: 3D265723FFA9EE20E76CD4EB2B628771)

RegSvcs.exe (PID: 5004 cmdline: "C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 6644 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

temp.exe (PID: 280 cmdline: "C:\Users\user\AppData\Local\directory\temp.exe" MD5: 3D265723FFA9EE20E76CD4EB2B628771)

RegSvcs.exe (PID: 6064 cmdline: "C:\Users\user\AppData\Local\directory\temp.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1810719086.000000000350F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1810719086.0000000003539000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.4105980496.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41285:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x412f7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41381:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41413:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4147d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x414ef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41585:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41615:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.1808219805.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C9 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000005.00000002.4105980496.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.1809261589.0000000001C60000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C9 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4216d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x421df:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x42269:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x422fb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42365:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x423d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4246d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x424fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.1669488113.0000000003970000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C9 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000005.00000002.4105980496.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1810719086.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1810719086.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5004	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5004	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6064	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6064	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C9 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.4515390.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4515390.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.4515390.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4515390.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41285:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x412f7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41381:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41413:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4147d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x414ef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41585:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41615:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.4515390.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4515390.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.4515390.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4515390.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f485:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f4f7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f581:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f613:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f67d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f6ef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f785:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f815:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5940ee8.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5940ee8.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5940ee8.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5940ee8.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f485:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f4f7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f581:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f613:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f67d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f6ef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f785:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f815:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.3010c2e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3010c2e.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3010c2e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3010c2e.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f485:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f4f7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f581:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f613:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f67d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f6ef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f785:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f815:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5940000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5940000.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5940000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5940000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4216d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x421df:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x42269:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x422fb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42365:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x423d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4246d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x424fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.temp.exe.1c60000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C9 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C9 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.300fd46.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.300fd46.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.300fd46.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.300fd46.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4216d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x421df:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x42269:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x422fb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42365:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x423d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4246d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x424fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5940ee8.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5940ee8.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5940ee8.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5a20000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5a20000.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5a20000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5940ee8.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41285:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x412f7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41381:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41413:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4147d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x414ef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41585:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41615:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5a20000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41285:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x412f7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41381:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41413:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4147d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x414ef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41585:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41615:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.temp.exe.3970000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C9 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.5940000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5940000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5940000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5940000.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4036d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x403df:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40469:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x404fb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40565:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x405d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4066d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x406fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5a20000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5a20000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5a20000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5a20000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f485:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f4f7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f581:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f613:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f67d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f6ef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f785:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f815:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.3010c2e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3010c2e.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3010c2e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3010c2e.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41285:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x412f7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41381:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41413:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4147d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x414ef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41585:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41615:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.300fd46.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.300fd46.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.300fd46.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.300fd46.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4036d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x403df:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40469:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x404fb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40565:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x405d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4066d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x406fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 47 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs" , ProcessId: 6644, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 78.110.166.82, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 5004, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs" , ProcessId: 6644, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\temp.exe, ProcessId: 6580, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T11:57:35.750000+0200
SID:	2022930
Source Port:	443
Destination Port:	62345
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T11:57:34.714091+0200
SID:	2022930
Source Port:	443
Destination Port:	62344
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T11:57:15.072194+0200
SID:	2022930
Source Port:	443
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.4515390.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}

Multi AV Scanner detection for domain / URL

Source: zqamcx.com	Virustotal: Detection: 8%			Perma Link
Source: http://zqamcx.com	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\directory\temp.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\directory\temp.exe	Virustotal: Detection: 64%			Perma Link

Multi AV Scanner detection for submitted file

Source: eFatura_HSY2024000004086_Ekleri.exe	ReversingLabs: Detection: 68%
Source: eFatura_HSY2024000004086_Ekleri.exe	Virustotal: Detection: 64%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\temp.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: eFatura_HSY2024000004086_Ekleri.exe

Joe Sandbox ML: detected

Source: eFatura_HSY2024000004086_Ekleri.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105868673.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: temp.exe, 00000001.00000003.1666241496.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, temp.exe, 00000001.00000003.1667115715.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, temp.exe, 00000004.00000003.1800748949.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, temp.exe, 00000004.00000003.1805029850.0000000003D10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: temp.exe, 00000001.00000003.1666241496.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, temp.exe, 00000001.00000003.1667115715.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, temp.exe, 00000004.00000003.1800748949.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, temp.exe, 00000004.00000003.1805029850.0000000003D10000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FADBBE
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB68EE FindFirstFileW,FindClose,	0_2_00FB68EE
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FB698F
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FAD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FAD076
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FAD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FAD3A9
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB9642
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB979D
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FB9B2B
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FB5C97
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0046DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0046DBBE
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_004768EE FindFirstFileW,FindClose,	1_2_004768EE
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0047698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_0047698F
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0046D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0046D076
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0046D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0046D3A9
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00479642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00479642
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0047979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0047979D
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00479B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_00479B2B
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00475C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_00475C97

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 78.110.166.82:587

Source: Joe Sandbox View

IP Address: 78.110.166.82 78.110.166.82

Source: Joe Sandbox View

ASN Name: UKSERVERS-ASUKDedicatedServersHostingandCo-Location UKSERVERS-ASUKDedicatedServersHostingandCo-Location

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 78.110.166.82:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FBCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00FBCE44

Source: global traffic	DNS traffic detected: DNS query: zqamcx.com
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: RegSvcs.exe, 00000002.00000002.1808637946.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.0000000003517000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000150F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000149C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1817591311.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005982000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005998000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.00000000059D2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0#
Source: RegSvcs.exe, 00000002.00000002.1808637946.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.0000000003517000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000150F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000149C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1817591311.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005982000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005998000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.00000000059D2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: RegSvcs.exe, 00000005.00000002.4109863129.00000000059D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: RegSvcs.exe, 00000002.00000002.1808637946.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.0000000003517000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000150F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000149C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1817591311.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4100493771.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005982000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005998000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.00000000059D2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.1808637946.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.0000000003517000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000150F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000149C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1817591311.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4100493771.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005982000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005998000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.00000000059D2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.1810719086.0000000003517000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zqamcx.com
Source: RegSvcs.exe, 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, O9KGcRw9bkp.cs

.Net Code: KAZ

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_06A5E608 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,06A5EB20,00000000,00000000

2_2_06A5E608

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FBEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FBEAFF

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FBED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00FBED6A
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0047ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		1_2_0047ED6A

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

0_2_00FBEAFF

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FAAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00FAAA57

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FD9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00FD9576
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00499576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		1_2_00499576

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.4515390.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.4515390.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5940ee8.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3010c2e.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5940000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.temp.exe.1c60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.300fd46.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5940ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.temp.exe.3970000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.5940000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5a20000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3010c2e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.300fd46.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.1808219805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.1809261589.0000000001C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.1669488113.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: eFatura_HSY2024000004086_Ekleri.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: eFatura_HSY2024000004086_Ekleri.exe, 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_59d793ba-3
Source: eFatura_HSY2024000004086_Ekleri.exe, 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_80df3361-9
Source: eFatura_HSY2024000004086_Ekleri.exe, 00000000.00000003.1643899443.0000000003F51000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6550ceda-5
Source: eFatura_HSY2024000004086_Ekleri.exe, 00000000.00000003.1643899443.0000000003F51000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_598d182a-d
Source: temp.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: temp.exe, 00000001.00000000.1644588465.00000000004C2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_34ae4009-6
Source: temp.exe, 00000001.00000000.1644588465.00000000004C2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a9cf97d8-f
Source: temp.exe, 00000004.00000000.1784350727.00000000004C2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d824567c-7
Source: temp.exe, 00000004.00000000.1784350727.00000000004C2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_acdbcd99-2
Source: eFatura_HSY2024000004086_Ekleri.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_905594e2-6
Source: eFatura_HSY2024000004086_Ekleri.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_888ba20b-8
Source: temp.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e4bd8fbb-f
Source: temp.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7c0edcef-3

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FAD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00FAD5EB

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FA1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FA1201

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FAE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00FAE8F6
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0046E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		1_2_0046E8F6

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F48060	0_2_00F48060
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB2046	0_2_00FB2046
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FA8298	0_2_00FA8298
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F7E4FF	0_2_00F7E4FF
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F7676B	0_2_00F7676B
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FD4873	0_2_00FD4873
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F4CAF0	0_2_00F4CAF0
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F6CAA0	0_2_00F6CAA0
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F5CC39	0_2_00F5CC39
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F76DD9	0_2_00F76DD9
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F491C0	0_2_00F491C0
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F5B119	0_2_00F5B119
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F61394	0_2_00F61394
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F61706	0_2_00F61706
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F6781B	0_2_00F6781B
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F619B0	0_2_00F619B0
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F5997D	0_2_00F5997D
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F47920	0_2_00F47920
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F67A4A	0_2_00F67A4A
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F67CA7	0_2_00F67CA7
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F61C77	0_2_00F61C77
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F79EEE	0_2_00F79EEE
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FCBE44	0_2_00FCBE44
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F61F32	0_2_00F61F32
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_015D3610	0_2_015D3610
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0040BF40	1_2_0040BF40
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00472046	1_2_00472046
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00408060	1_2_00408060
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00468298	1_2_00468298
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0043E4FF	1_2_0043E4FF
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0043676B	1_2_0043676B
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00494873	1_2_00494873
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0040CAF0	1_2_0040CAF0
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0042CAA0	1_2_0042CAA0
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0041CC39	1_2_0041CC39
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00436DD9	1_2_00436DD9
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0041B119	1_2_0041B119
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_004091C0	1_2_004091C0
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00421394	1_2_00421394
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00421706	1_2_00421706
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0042781B	1_2_0042781B
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0041997D	1_2_0041997D
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00407920	1_2_00407920
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_004219B0	1_2_004219B0
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00427A4A	1_2_00427A4A
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00421C77	1_2_00421C77
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00427CA7	1_2_00427CA7
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0048BE44	1_2_0048BE44
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00439EEE	1_2_00439EEE
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00421F32	1_2_00421F32
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_010D3610	1_2_010D3610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0318CBF8	2_2_0318CBF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0318D810	2_2_0318D810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0318CF40	2_2_0318CF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03181030	2_2_03181030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03181021	2_2_03181021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A1AE18	2_2_06A1AE18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A1E660	2_2_06A1E660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A1DF20	2_2_06A1DF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A182C8	2_2_06A182C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A15048	2_2_06A15048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A10006	2_2_06A10006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A10040	2_2_06A10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A543C8	2_2_06A543C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A506B8	2_2_06A506B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A5D2A8	2_2_06A5D2A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A50040	2_2_06A50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_07189F3C	2_2_07189F3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0718C7B0	2_2_0718C7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_071887E0	2_2_071887E0
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 4_2_01393610	4_2_01393610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_028CCE88	5_2_028CCE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_028CDAA0	5_2_028CDAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_028C0FD0	5_2_028C0FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_028C1030	5_2_028C1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_028CD1D0	5_2_028CD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_053BBC28	5_2_053BBC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_053B5448	5_2_053B5448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_053BF4E0	5_2_053BF4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_053BDF20	5_2_053BDF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_053B8790	5_2_053B8790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_053BE64F	5_2_053BE64F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_053BAEBD	5_2_053BAEBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_053B0006	5_2_053B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_053B0040	5_2_053B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_062A43B8	5_2_062A43B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_062A0DB8	5_2_062A0DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_062A06B8	5_2_062A06B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_062A7570	5_2_062A7570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_062AD2B8	5_2_062AD2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_062A0040	5_2_062A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_069D8A30	5_2_069D8A30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 43 times
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: String function: 00F5F9F2 appears 31 times
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: String function: 00F60A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: String function: 0041F9F2 appears 31 times
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: String function: 00420A30 appears 46 times

Source: eFatura_HSY2024000004086_Ekleri.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.4515390.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.4515390.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5940ee8.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3010c2e.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5940000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.temp.exe.1c60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.300fd46.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5940ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.temp.exe.3970000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.5940000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5a20000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3010c2e.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.300fd46.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.1808219805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.1809261589.0000000001C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000001.00000002.1669488113.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 2.2.RegSvcs.exe.4515390.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.4515390.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5940ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5940ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, CMa60k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, CMa60k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, CMa60k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, CMa60k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, EgTglEucnUn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, EgTglEucnUn.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@2/1

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FB37B5 GetLastError,FormatMessageW,

0_2_00FB37B5

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FA10BF AdjustTokenPrivileges,CloseHandle,	0_2_00FA10BF
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FA16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00FA16C3
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_004610BF AdjustTokenPrivileges,CloseHandle,	1_2_004610BF
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_004616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_004616C3

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FB51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FB51CD

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FCA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FCA67C

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FB648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FB648E

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00F442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F442A2

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

File created: C:\Users\user\AppData\Local\directory

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

File created: C:\Users\user\AppData\Local\Temp\aut91A7.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs"

Source: eFatura_HSY2024000004086_Ekleri.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: eFatura_HSY2024000004086_Ekleri.exe	ReversingLabs: Detection: 68%
Source: eFatura_HSY2024000004086_Ekleri.exe	Virustotal: Detection: 64%

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

File read: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe "C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe"
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Process created: C:\Users\user\AppData\Local\directory\temp.exe "C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe"
Source: C:\Users\user\AppData\Local\directory\temp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\temp.exe "C:\Users\user\AppData\Local\directory\temp.exe"
Source: C:\Users\user\AppData\Local\directory\temp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\temp.exe"
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Process created: C:\Users\user\AppData\Local\directory\temp.exe "C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\temp.exe "C:\Users\user\AppData\Local\directory\temp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\temp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: eFatura_HSY2024000004086_Ekleri.exe

Static file information: File size 1389568 > 1048576

Source: eFatura_HSY2024000004086_Ekleri.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: eFatura_HSY2024000004086_Ekleri.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: eFatura_HSY2024000004086_Ekleri.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: eFatura_HSY2024000004086_Ekleri.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: eFatura_HSY2024000004086_Ekleri.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: eFatura_HSY2024000004086_Ekleri.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: eFatura_HSY2024000004086_Ekleri.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105868673.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: temp.exe, 00000001.00000003.1666241496.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, temp.exe, 00000001.00000003.1667115715.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, temp.exe, 00000004.00000003.1800748949.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, temp.exe, 00000004.00000003.1805029850.0000000003D10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: temp.exe, 00000001.00000003.1666241496.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, temp.exe, 00000001.00000003.1667115715.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, temp.exe, 00000004.00000003.1800748949.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, temp.exe, 00000004.00000003.1805029850.0000000003D10000.00000004.00001000.00020000.00000000.sdmp

Source: eFatura_HSY2024000004086_Ekleri.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: eFatura_HSY2024000004086_Ekleri.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: eFatura_HSY2024000004086_Ekleri.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: eFatura_HSY2024000004086_Ekleri.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: eFatura_HSY2024000004086_Ekleri.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2.2.RegSvcs.exe.4515390.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.5940ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.3010c2e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00F442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F442DE

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F60A76 push ecx; ret	0_2_00F60A89
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00420A76 push ecx; ret	1_2_00420A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040BB97 push dword ptr [ecx-75h]; iretd	2_2_0040BBA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0318574A push B8000000h; retn 0000h	2_2_0318574F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03184F4D push esi; ret	2_2_03184F5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A142B1 pushad ; iretd	2_2_06A14335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A1431F pushad ; iretd	2_2_06A14335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A5D448 push esp; retf	2_2_06A5D449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_028C4F4D push esi; ret	5_2_028C4F5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_028C574A push B8000000h; retn 0000h	5_2_028C574F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_053B471F pushad ; retf	5_2_053B4735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_053B46B1 pushad ; retf	5_2_053B4735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_062AD458 push esp; retf	5_2_062AD459

Source: 2.2.RegSvcs.exe.4515390.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Ygr0cUW7x3u2R', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.5940ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Ygr0cUW7x3u2R', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Ygr0cUW7x3u2R', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.3010c2e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Ygr0cUW7x3u2R', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

File created: C:\Users\user\AppData\Local\directory\temp.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\temp.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\temp.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\temp.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs

Jump to behavior

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F5F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00F5F98E
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FD1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00FD1C41
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0041F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_0041F98E
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00491C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_00491C41

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-98386
Source: C:\Users\user\AppData\Local\directory\temp.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\directory\temp.exe	API/Special instruction interceptor: Address: 10D3234
Source: C:\Users\user\AppData\Local\directory\temp.exe	API/Special instruction interceptor: Address: 1393234

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 11999881	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 11999756	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 11999969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 11999859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 11999750	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7731	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2098	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2396	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7444	Jump to behavior

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\directory\temp.exe	API coverage: 4.5 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FADBBE
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB68EE FindFirstFileW,FindClose,	0_2_00FB68EE
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FB698F
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FAD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FAD076
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FAD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FAD3A9
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB9642
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB979D
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FB9B2B
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FB5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FB5C97
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0046DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0046DBBE
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_004768EE FindFirstFileW,FindClose,	1_2_004768EE
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0047698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_0047698F
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0046D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0046D076
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0046D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0046D3A9
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00479642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00479642
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0047979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0047979D
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00479B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_00479B2B
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00475C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_00475C97

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00F442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F442DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99754	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99462	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99621	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99509	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97716	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97543	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97425	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97260	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 11999881	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 11999756	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99447	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98681	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98465	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98356	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97920	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 11999969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 11999859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 11999750	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: RegSvcs.exe, 00000005.00000002.4109863129.0000000005982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: RegSvcs.exe, 00000002.00000002.1817591311.0000000005D64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmdcV

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FBEAA2 BlockInput,

0_2_00FBEAA2

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00F72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F72622

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00F442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F442DE

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F64CE8 mov eax, dword ptr fs:[00000030h]	0_2_00F64CE8
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_015D3500 mov eax, dword ptr fs:[00000030h]	0_2_015D3500
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_015D34A0 mov eax, dword ptr fs:[00000030h]	0_2_015D34A0
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_015D1E70 mov eax, dword ptr fs:[00000030h]	0_2_015D1E70
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00424CE8 mov eax, dword ptr fs:[00000030h]	1_2_00424CE8
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_010D3500 mov eax, dword ptr fs:[00000030h]	1_2_010D3500
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_010D34A0 mov eax, dword ptr fs:[00000030h]	1_2_010D34A0
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_010D1E70 mov eax, dword ptr fs:[00000030h]	1_2_010D1E70
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 4_2_013934A0 mov eax, dword ptr fs:[00000030h]	4_2_013934A0
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 4_2_01393500 mov eax, dword ptr fs:[00000030h]	4_2_01393500
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 4_2_01391E70 mov eax, dword ptr fs:[00000030h]	4_2_01391E70

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FA0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00FA0B62

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F72622
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F6083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F6083F
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F609D5 SetUnhandledExceptionFilter,	0_2_00F609D5
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00F60C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F60C21
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00432622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00432622
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_0042083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0042083F
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_004209D5 SetUnhandledExceptionFilter,	1_2_004209D5
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00420C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00420C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\temp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1024008			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B68008			Jump to behavior

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

0_2_00FA1201

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00F82BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F82BA5

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FAB226 SendInput,keybd_event,

0_2_00FAB226

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FC22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00FC22DA

Source: C:\Users\user\AppData\Local\directory\temp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\temp.exe "C:\Users\user\AppData\Local\directory\temp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\temp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\temp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

0_2_00FA0B62

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FA1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FA1663

Source: eFatura_HSY2024000004086_Ekleri.exe, temp.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: eFatura_HSY2024000004086_Ekleri.exe, temp.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00F60698 cpuid

0_2_00F60698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00FB8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00FB8195

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00F9D27A GetUserNameW,

0_2_00F9D27A

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00F7BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F7BB6F

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Code function: 0_2_00F442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F442DE

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.4515390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4515390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3010c2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.300fd46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5a20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3010c2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.300fd46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1810719086.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1810719086.0000000003539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4105980496.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4105980496.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4105980496.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1810719086.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6064, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.4515390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4515390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3010c2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.300fd46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5a20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3010c2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.300fd46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: temp.exe	Binary or memory string: WIN_81
Source: temp.exe	Binary or memory string: WIN_XP
Source: temp.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: temp.exe	Binary or memory string: WIN_XPe
Source: temp.exe	Binary or memory string: WIN_VISTA
Source: temp.exe	Binary or memory string: WIN_7
Source: temp.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.RegSvcs.exe.4515390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4515390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3010c2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.300fd46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5a20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3010c2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.300fd46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1810719086.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6064, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.4515390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4515390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3010c2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.300fd46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5a20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3010c2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.300fd46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1810719086.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1810719086.0000000003539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4105980496.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4105980496.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4105980496.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1810719086.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6064, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.4515390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4515390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3010c2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.300fd46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5a20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5940000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5a20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3010c2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.300fd46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FC1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00FC1204
Source: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe	Code function: 0_2_00FC1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00FC1806
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00481204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	1_2_00481204
Source: C:\Users\user\AppData\Local\directory\temp.exe	Code function: 1_2_00481806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_00481806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	321 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Software Packing	NTDS	148 System Information Discovery	Distributed Component Object Model	321 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	441 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	221 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	221 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eFatura_HSY2024000004086_Ekleri.exe	68%	ReversingLabs	Win32.Spyware.Redline
eFatura_HSY2024000004086_Ekleri.exe	65%	Virustotal		Browse
eFatura_HSY2024000004086_Ekleri.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\directory\temp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\directory\temp.exe	68%	ReversingLabs	Win32.Spyware.Redline
C:\Users\user\AppData\Local\directory\temp.exe	65%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
zqamcx.com	9%	Virustotal		Browse
18.31.95.13.in-addr.arpa	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://account.dyn.com/	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r11.o.lencr.org0#	0%	Avira URL Cloud	safe
http://zqamcx.com	0%	Avira URL Cloud	safe
http://r11.i.lencr.org/0#	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
http://www.microsoft.co	1%	Virustotal		Browse
http://zqamcx.com	9%	Virustotal		Browse
http://r11.i.lencr.org/0#	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
zqamcx.com	78.110.166.82	true	true	9%, Virustotal, Browse	unknown
18.31.95.13.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://zqamcx.com	RegSvcs.exe, 00000002.00000002.1810719086.0000000003517000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	RegSvcs.exe, 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://r11.o.lencr.org0#	RegSvcs.exe, 00000002.00000002.1808637946.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.0000000003517000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000150F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000149C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1817591311.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005982000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005998000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.00000000059D2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r11.i.lencr.org/0#	RegSvcs.exe, 00000002.00000002.1808637946.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.0000000003517000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000150F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000149C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1817591311.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005982000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005998000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.00000000059D2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	RegSvcs.exe, 00000002.00000002.1808637946.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.0000000003517000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000150F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000149C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1817591311.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4100493771.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005982000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005998000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.00000000059D2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.1808637946.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.0000000003517000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1810719086.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000150F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1808637946.000000000149C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1817591311.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4100493771.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005982000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.0000000005998000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4109863129.00000000059D2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4105980496.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.microsoft.co	RegSvcs.exe, 00000005.00000002.4109863129.00000000059D2000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.110.166.82	zqamcx.com	United Kingdom		42831	UKSERVERS-ASUKDedicatedServersHostingandCo-Location	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482932
Start date and time:	2024-07-26 11:56:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eFatura_HSY2024000004086_Ekleri.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/10@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 54 Number of non-executed functions: 300
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:56:58	API Interceptor	14136514x Sleep call for process: RegSvcs.exe modified
10:57:00	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
78.110.166.82	COB756883.vbs	Get hash	malicious	CobaltStrike	Browse	windowsupdatesolutions.com/ServerCOB.txt
	Ingreso_SII_Abril_2021.cmd	Get hash	malicious	Unknown	Browse	www.emolcl.com/namaste/puma.php
	Ingreso_SII_Abril_2021.cmd	Get hash	malicious	Unknown	Browse	www.emolcl.com/namaste/puma.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
zqamcx.com	hesaphareketi-01.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	78.110.166.82
	RFQ_SOF_2024_43345.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	78.110.166.82
	IMG_160750_311608.exe	Get hash	malicious	AgentTesla, Clipboard Hijacker, PureLog Stealer	Browse	78.110.166.82
	FATURA.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Request_For_Quote_060624.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	New Inquiry.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Sy3CL61n0uDC55M.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UKSERVERS-ASUKDedicatedServersHostingandCo-Location	hesaphareketi-01.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	78.110.166.82
	LisectAVT_2403002A_136.exe	Get hash	malicious	Remcos	Browse	45.128.223.185
	LisectAVT_2403002A_88.exe	Get hash	malicious	Remcos	Browse	45.128.223.185
	LisectAVT_2403002C_7.exe	Get hash	malicious	Remcos	Browse	45.128.223.185
	RFQ_SOF_2024_43345.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	78.110.166.82
	s4WsI8Qcm4.elf	Get hash	malicious	Mirai, Moobot	Browse	78.157.201.108
	IMG_160750_311608.exe	Get hash	malicious	AgentTesla, Clipboard Hijacker, PureLog Stealer	Browse	78.110.166.82
	oTfjRHJdWzffhcnPGd.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	SZwdzMMRBU.elf	Get hash	malicious	Unknown	Browse	78.157.201.103
	FATURA.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82

Process:	C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe
File Type:	data
Category:	dropped
Size (bytes):	264814
Entropy (8bit):	7.975503217606326
Encrypted:	false
SSDEEP:	6144:TdmjX7XC5hbUs6iRThMzwqnKmKer1K292Tw9gN/3oaZaH5s:5uXC5hbt6ivMzWmKq1K292Two/ods
MD5:	1FBF5D98268DB9157D8BBAA194E681D0
SHA1:	91FA671E61E8391AEA443D4AD8C7234EC8A99FF6
SHA-256:	F0CABABE51208AB31D5659ACC717371C6011B2F25D7041BF2B21570B14902C2C
SHA-512:	3418D3116B604F20085FBA3F4A3AD10C6EC4B83EADD729A10BB99DBCB624D54EFFFC08256B8EC99E3C78D7B086EECACE7807E21E8DECDB1DA362FA48ECE01C74
Malicious:	false
Reputation:	low
Preview:	EA06..$..B..E:.X....F.N.V..D.......K...:..E....U.S..[.J.`.0:.zG..Nd2.T.....Y...5...T)5.O .D.6K.jO/.....L..3.6.....f.)N.....f.l.Mh..e...jae....h..I&..k2.X.A\|...P..k&....Y..L.x.P\|rk\|~.....t..no3.P.......t.mf.7.T&..U:....VL...&..?...b/6.....e:.R.P.,.kS.Ub.2..9.:M:.X....=".^.Zd...`...p....tx.).Mi..e0.S...iT.......%..Nx&.}<....%.i..Q/..(1..T&.......,FgR.\|.sW.`.....X......(....x"..d.u/..>...B...H....$....FgS...P....\....Mj.{@.G...X.........\.N&.}..'$.P...O.N.Vi..rm..Wi..}c7...?xL>.....y..x....RkQ-..N.......A...t....@.U./...2...zm8.Q..O.:.....~D.....<.}....}.y....R..z.~w7..6...SV..r.Lu.cN.u.......c.....8.b..m7.S..:.;O.....jg#IO...Z....{M%..2.Q....N.D..9.$....s......m.U...vnv.....@c..!..m'.Np2H.......sy.BkH.~3..L.......~...M..M.2!l....N...@\|.wI%&eK....k.W.4..(>.n.mr..\|9.fc...g.8=........ ....f.-..io....E.....8.....8.qe.+...W.M..m.,.P.\.tI..R..B-..^..G.R.a...W.(6&...C..&.}<.....&oP..hp^~L.y.pb..._...d.i......b...CR.m3.xE...U..Z...H.....C

C:\Users\user\AppData\Local\Temp\aut91F6.tmp

Download File

Process:	C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe
File Type:	data
Category:	dropped
Size (bytes):	9726
Entropy (8bit):	7.6381238619372205
Encrypted:	false
SSDEEP:	192:ZueSuy+g40wWlmvN3tKRGKPCDo92vRdOrz1weU5VYaGIEe:ZwbLwWls3yGiP2ZdAzdkpGI/
MD5:	BF4E57B93D5AE23DED949F65E594B76E
SHA1:	007179288C79D5698EA77416C718A0D7847177ED
SHA-256:	CD740426E65E480DC76C680E75AA8B49CA2515E63D92270A2F510263E9FB6D35
SHA-512:	25A614D27E5186C68DE5124FCD942A2168BCD7D25D18CD351E942C1D449246F603C38C2FD184834691FB18EAB4A7F3C732AAE63547CA5B1E86D83DB90DEE3BE3
Malicious:	false
Reputation:	low
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

C:\Users\user\AppData\Local\Temp\aut96D7.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\temp.exe
File Type:	data
Category:	dropped
Size (bytes):	264814
Entropy (8bit):	7.975503217606326
Encrypted:	false
SSDEEP:	6144:TdmjX7XC5hbUs6iRThMzwqnKmKer1K292Tw9gN/3oaZaH5s:5uXC5hbt6ivMzWmKq1K292Two/ods
MD5:	1FBF5D98268DB9157D8BBAA194E681D0
SHA1:	91FA671E61E8391AEA443D4AD8C7234EC8A99FF6
SHA-256:	F0CABABE51208AB31D5659ACC717371C6011B2F25D7041BF2B21570B14902C2C
SHA-512:	3418D3116B604F20085FBA3F4A3AD10C6EC4B83EADD729A10BB99DBCB624D54EFFFC08256B8EC99E3C78D7B086EECACE7807E21E8DECDB1DA362FA48ECE01C74
Malicious:	false
Reputation:	low
Preview:	EA06..$..B..E:.X....F.N.V..D.......K...:..E....U.S..[.J.`.0:.zG..Nd2.T.....Y...5...T)5.O .D.6K.jO/.....L..3.6.....f.)N.....f.l.Mh..e...jae....h..I&..k2.X.A\|...P..k&....Y..L.x.P\|rk\|~.....t..no3.P.......t.mf.7.T&..U:....VL...&..?...b/6.....e:.R.P.,.kS.Ub.2..9.:M:.X....=".^.Zd...`...p....tx.).Mi..e0.S...iT.......%..Nx&.}<....%.i..Q/..(1..T&.......,FgR.\|.sW.`.....X......(....x"..d.u/..>...B...H....$....FgS...P....\....Mj.{@.G...X.........\.N&.}..'$.P...O.N.Vi..rm..Wi..}c7...?xL>.....y..x....RkQ-..N.......A...t....@.U./...2...zm8.Q..O.:.....~D.....<.}....}.y....R..z.~w7..6...SV..r.Lu.cN.u.......c.....8.b..m7.S..:.;O.....jg#IO...Z....{M%..2.Q....N.D..9.$....s......m.U...vnv.....@c..!..m'.Np2H.......sy.BkH.~3..L.......~...M..M.2!l....N...@\|.wI%&eK....k.W.4..(>.n.mr..\|9.fc...g.8=........ ....f.-..io....E.....8.....8.qe.+...W.M..m.,.P.\.tI..R..B-..^..G.R.a...W.(6&...C..&.}<.....&oP..hp^~L.y.pb..._...d.i......b...CR.m3.xE...U..Z...H.....C

C:\Users\user\AppData\Local\Temp\aut9801.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\temp.exe
File Type:	data
Category:	dropped
Size (bytes):	9726
Entropy (8bit):	7.6381238619372205
Encrypted:	false
SSDEEP:	192:ZueSuy+g40wWlmvN3tKRGKPCDo92vRdOrz1weU5VYaGIEe:ZwbLwWls3yGiP2ZdAzdkpGI/
MD5:	BF4E57B93D5AE23DED949F65E594B76E
SHA1:	007179288C79D5698EA77416C718A0D7847177ED
SHA-256:	CD740426E65E480DC76C680E75AA8B49CA2515E63D92270A2F510263E9FB6D35
SHA-512:	25A614D27E5186C68DE5124FCD942A2168BCD7D25D18CD351E942C1D449246F603C38C2FD184834691FB18EAB4A7F3C732AAE63547CA5B1E86D83DB90DEE3BE3
Malicious:	false
Reputation:	low
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

C:\Users\user\AppData\Local\Temp\autCCAC.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\temp.exe
File Type:	data
Category:	dropped
Size (bytes):	264814
Entropy (8bit):	7.975503217606326
Encrypted:	false
SSDEEP:	6144:TdmjX7XC5hbUs6iRThMzwqnKmKer1K292Tw9gN/3oaZaH5s:5uXC5hbt6ivMzWmKq1K292Two/ods
MD5:	1FBF5D98268DB9157D8BBAA194E681D0
SHA1:	91FA671E61E8391AEA443D4AD8C7234EC8A99FF6
SHA-256:	F0CABABE51208AB31D5659ACC717371C6011B2F25D7041BF2B21570B14902C2C
SHA-512:	3418D3116B604F20085FBA3F4A3AD10C6EC4B83EADD729A10BB99DBCB624D54EFFFC08256B8EC99E3C78D7B086EECACE7807E21E8DECDB1DA362FA48ECE01C74
Malicious:	false
Reputation:	low
Preview:	EA06..$..B..E:.X....F.N.V..D.......K...:..E....U.S..[.J.`.0:.zG..Nd2.T.....Y...5...T)5.O .D.6K.jO/.....L..3.6.....f.)N.....f.l.Mh..e...jae....h..I&..k2.X.A\|...P..k&....Y..L.x.P\|rk\|~.....t..no3.P.......t.mf.7.T&..U:....VL...&..?...b/6.....e:.R.P.,.kS.Ub.2..9.:M:.X....=".^.Zd...`...p....tx.).Mi..e0.S...iT.......%..Nx&.}<....%.i..Q/..(1..T&.......,FgR.\|.sW.`.....X......(....x"..d.u/..>...B...H....$....FgS...P....\....Mj.{@.G...X.........\.N&.}..'$.P...O.N.Vi..rm..Wi..}c7...?xL>.....y..x....RkQ-..N.......A...t....@.U./...2...zm8.Q..O.:.....~D.....<.}....}.y....R..z.~w7..6...SV..r.Lu.cN.u.......c.....8.b..m7.S..:.;O.....jg#IO...Z....{M%..2.Q....N.D..9.$....s......m.U...vnv.....@c..!..m'.Np2H.......sy.BkH.~3..L.......~...M..M.2!l....N...@\|.wI%&eK....k.W.4..(>.n.mr..\|9.fc...g.8=........ ....f.-..io....E.....8.....8.qe.+...W.M..m.,.P.\.tI..R..B-..^..G.R.a...W.(6&...C..&.}<.....&oP..hp^~L.y.pb..._...d.i......b...CR.m3.xE...U..Z...H.....C

C:\Users\user\AppData\Local\Temp\autCD3A.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\temp.exe
File Type:	data
Category:	dropped
Size (bytes):	9726
Entropy (8bit):	7.6381238619372205
Encrypted:	false
SSDEEP:	192:ZueSuy+g40wWlmvN3tKRGKPCDo92vRdOrz1weU5VYaGIEe:ZwbLwWls3yGiP2ZdAzdkpGI/
MD5:	BF4E57B93D5AE23DED949F65E594B76E
SHA1:	007179288C79D5698EA77416C718A0D7847177ED
SHA-256:	CD740426E65E480DC76C680E75AA8B49CA2515E63D92270A2F510263E9FB6D35
SHA-512:	25A614D27E5186C68DE5124FCD942A2168BCD7D25D18CD351E942C1D449246F603C38C2FD184834691FB18EAB4A7F3C732AAE63547CA5B1E86D83DB90DEE3BE3
Malicious:	false
Reputation:	low
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

C:\Users\user\AppData\Local\Temp\fricandeaux

Download File

Process:	C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe
File Type:	data
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	7.860452766197305
Encrypted:	false
SSDEEP:	6144:mwxDZi3zdQRsUfNgukFa9jXO+SHwSQRIrAuDz+Bgu9H:mwy3J1Ufqng9gH7/+BgY
MD5:	825DBE7E3135430FD7A98D108D54724D
SHA1:	3B565708CBBBB21B87788AB64FD58469AF5A7B3F
SHA-256:	0685F98A927474AC8DD3DA0D773A54625774EA8A8EF3810B5F5C413AFBB4CA58
SHA-512:	6E2E649D53D9D62D9AA8319F25240F57C31154E45005AA797A75B7D1B3D7062627977B90C31B277A08CA96C7D724F5C0A703AB5A42AAC6D2DE02D5E227062BB5
Malicious:	false
Reputation:	low
Preview:	z..HHNNXS67P.KN.XW67P7H.NNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW6.P7HEQ.VW.>...J..y.^^#.89!)6[.3V&%!:x5S."B&k' x.ydpZ'/+`UZ<.P7HKNNX?&.}.9.0b).H.!.6ym1&hG..<..0e).H.!.6.?.&e.Y.+9.0\|{>H.!.6ym5&zG..e!(&b).H7P7HKNNXW67P7HKN&o.S7P7H..NX.73PC.K.NXW67P7H.NmY\7>P7.JNN.U67P7Hd.NXW&7P7.JNNX.67@7HKLNXR67P7HKNKXW67P7HK>JXW27P.sINLXW.7P'HK^NXW6'P7XKNNXW6'P7HKNNXW67P.]IN.XW6705H.LLXW67P7HKNNXW67P7HKNNXW67P..JNRXW67P7HKNNXW67P7HKNNXW67P7H.CLX.67P7HKNNXW67.6H.ONXW67P7HKNNXW67P7HKNNXW67P.<.6:XW6/.6HK^NXW.6P7LKNNXW67P7HKNNXw670.://:9W6.=7HK.OXWX7P7.JNNXW67P7HKNNX.67..,:/XW6.`7HKnLXW 7P7BINNXW67P7HKNNX.67..:8<-XW6.R5HK.LXW25P7hINNXW67P7HKNNX.67.7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW67P7HKNNXW6

C:\Users\user\AppData\Local\Temp\nonsubmerged

Download File

Process:	C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.579675876429132
Encrypted:	false
SSDEEP:	768:Jx6TBScFCo3T3iCev73mntQUA+n++nmkE/8s62HzimL5sCWC:yTBScFCo3T3iPv73mntQUA+n++nmkE/L
MD5:	4270FD4C6618EF505DAC04C5B0780556
SHA1:	051B8BB4BD2D1EC2992CC4D70FF3DB001F6F4B26
SHA-256:	A34F32566AF0446C12801750A78637DE9B873BA8C008294958D4B942DF5BC8AB
SHA-512:	DC45019F805B238985B7F935B245EC49FB440F2A4E2B9250227BAA5E8F4ADB39AF85186D83F2E2D6566DA802E4BF9573658230F008DA39AA232EE8A38331CC66
Malicious:	false
Reputation:	low
Preview:	3{88;ehf;4hfff353333898:e;9e33333399;<78;7e<9833333399;<7g;9ed:533333399;<88;;e;9h33333399;<78;de<9833333399;<7g;fed9f33333399;<88;he;6633333399;<78<3e<6533333399;<7g<5ed5h33333399;<88<7e;9733333399;<78<9e<9f33333399;<7g<;ed9f33333399;<88<d66f399;<78<fe<9h33333399;<;g77iiiiiied:733333399;<<879iiiiiie;9733333399;<;87;iiiiiie<9f33333399;<;g7diiiiiied9f33333399;<<87fiiiiiie;5h33333399;<;87hiiiiiie<9733333399;<;g83iiiiiied9f33333399;<<885iiiiiie;9f33333399;<;887iiiiii66f<99;<;g89iiiiiied:833333399;<88g3e;:633333399;<78g5e<9833333399;<7gg7ed:533333399;<88g9e;6633333399;<78g;e<6533333399;<7ggded5h33333399;<88gfe;9733333399;<78ghe<9f33333399;<7gh3ed9f33333399;<88h566f399;<78h7e<9433333399;<;g9;iiiiiied9733333399;<<89diiiiiie;:933333399;<;89fiiiiiie<9433333399;<;g9hiiiiiied:333333399;<<8:3iiiiiie;9<33333399;<;8:5iiiiiie<6633333399;<;g:7iiiiiied6533333399;<<8:9iiiiiie;5h33333399;<;8:;iiiiiie<9733333399;<;g:diiiiiied9f33333399;<<8:fiiiiiie;9f33333399;<;8:hiiiiii66f<99;<7g;3ed:633333399;<88d3e;9;

C:\Users\user\AppData\Local\directory\temp.exe

Download File

Process:	C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1389568
Entropy (8bit):	6.781172110653669
Encrypted:	false
SSDEEP:	24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8a4AppoT+kc78Imj+PJ:rTvC/MTQYxsWR7a4AfkfIS+P
MD5:	3D265723FFA9EE20E76CD4EB2B628771
SHA1:	206BC32E4BF59574CA23B85F8D88EBDAFFF07307
SHA-256:	4D649A9C22C200AE71DC6B4FB2F7840DFA2ED78E607F4CE78F5C1AD73073F34F
SHA-512:	C71ADF07DF2EB29DB2A3A172F7F2B6708D1727E2682B8605FE7A0AE64588E72E8A5F67321E2D45D8CD60FAC95CD0B1177CA4121FDC91D77AAD126C4D2A3D3612
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68% Antivirus: Virustotal, Detection: 65%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....a.f..........".................w.............@.......................................@...@.......@.....................d...\|....@...........................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@......................@..@.reloc...u.......v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\temp.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	3.417513871698152
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1Al1AynriIM8lfQVn:DsO+vNloRKQ1A1NmA2n
MD5:	54904861C14FAFEF5B588F86FE97735D
SHA1:	5308FC92E8A37925694FDDDCC4B7144F01936BE4
SHA-256:	0A7F21D4BA90BF9678D1072FC8C7BB75822E0DB382199F0D15710AE0A8BC6A2F
SHA-512:	C87ED7970DAE8179BAC3FFA87126ECF1EA507F2736B116EDC24EBD928E8C30D04D7D541AA6BA931A3A92A0A6B41494597F27225F6D778FDEA2FB5D879653539A
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.t.e.m.p...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.781172110653669
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	eFatura_HSY2024000004086_Ekleri.exe
File size:	1'389'568 bytes
MD5:	3d265723ffa9ee20e76cd4eb2b628771
SHA1:	206bc32e4bf59574ca23b85f8d88ebdafff07307
SHA256:	4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f
SHA512:	c71adf07df2eb29db2a3a172f7f2b6708d1727e2682b8605fe7a0ae64588e72e8a5f67321e2d45d8cd60fac95cd0b1177ca4121fdc91d77aad126c4d2a3d3612
SSDEEP:	24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8a4AppoT+kc78Imj+PJ:rTvC/MTQYxsWR7a4AfkfIS+P
TLSH:	E155B00373818067FF5B92334B6AE655477D6E2A4133A91F139C397ABE701B2123E663
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	98e2a3b29b9ba181

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A061F0 [Wed Jul 24 02:07:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F324081FF63h
jmp 00007F324081F86Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F324081FA4Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F324081FA1Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F324082260Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F3240822658h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F3240822641h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x7c908	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x151000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x7c908	0x7ca00	24bc755d9bcfb623cf31842d15ab1143	False	0.6282166812938816	data	6.4884041588176435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x151000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd46a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd47d0	0x33428	Device independent bitmap graphic, 198 x 512 x 32, image size 202752, resolution 7874 x 7874 px/m	English	Great Britain	0.13495903981710802
RT_MENU	0x107bf8	0x50	data	English	Great Britain	0.9
RT_STRING	0x107c48	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0x1081dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0x108868	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0x108cf8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0x1092f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0x109950	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0x109db8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0x109f10	0x464dc	data			1.000333375005209
RT_GROUP_ICON	0x1503ec	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x150400	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x150414	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x150428	0x14	data	English	Great Britain	1.25
RT_VERSION	0x15043c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x150518	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T11:57:35.750000+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	62345	20.12.23.50	192.168.2.4
2024-07-26T11:57:34.714091+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	62344	20.12.23.50	192.168.2.4
2024-07-26T11:57:15.072194+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49732	13.85.23.86	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 11:56:59.626600027 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:56:59.631606102 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:56:59.631690025 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:00.331404924 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:00.332640886 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:00.337582111 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:00.505664110 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:00.505856991 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:00.510804892 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:00.683774948 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:00.692467928 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:00.697422028 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:00.875744104 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:00.875796080 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:00.875833988 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:00.875941038 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:00.908598900 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:00.913676977 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:01.082901001 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:01.097642899 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:01.102773905 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:01.270997047 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:01.274280071 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:01.281250000 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:01.449570894 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:01.449932098 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:01.456547976 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:01.639619112 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:01.640146017 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:01.645534992 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:01.813263893 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:01.813702106 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:01.818907022 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:01.989777088 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:01.990088940 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:01.995598078 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:02.164124966 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:02.165112019 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:02.165112972 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:02.165112972 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:02.165112972 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:02.180367947 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:02.180399895 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:02.180552959 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:02.379723072 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:02.434962034 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:02.513071060 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:02.518647909 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:02.687602043 CEST	587	49730	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:02.692636013 CEST	49730	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:02.693655968 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:02.699150085 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:02.699404001 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:03.261642933 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:03.261862993 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:03.266976118 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:03.428940058 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:03.429157972 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:03.434365034 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:03.596851110 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:03.597460032 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:03.603904963 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:03.776783943 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:03.776849031 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:03.776887894 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:03.776926041 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:03.782865047 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:03.788222075 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:03.951579094 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:03.953449011 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:03.959084988 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:04.120444059 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:04.121010065 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:04.126789093 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:04.288206100 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:04.288589001 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:04.293865919 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:04.470527887 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:04.471100092 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:04.476825953 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:04.637722015 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:04.638149023 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:04.643459082 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:04.816303968 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:04.816870928 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:04.822424889 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:04.985634089 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.028722048 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:05.051089048 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:05.051187038 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:05.051233053 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:05.051282883 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:05.051444054 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:05.051538944 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:05.051603079 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:05.051637888 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:05.051671028 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:05.056586981 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.056623936 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.056653023 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.056679964 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.056708097 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.056772947 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.056828022 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.056857109 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.056885004 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.056935072 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.056962013 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.056988955 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.242963076 CEST	587	49731	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:05.294209003 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:13.786746025 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:13.792421103 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:13.792540073 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:14.058707952 CEST	49731	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:14.364183903 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:14.364562988 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:14.369616032 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:14.533400059 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:14.533819914 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:14.538805008 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:14.704030991 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:14.707496881 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:14.712531090 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:14.883119106 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:14.883169889 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:14.883207083 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:14.883269072 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:14.885435104 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:14.890417099 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:15.055490971 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:15.078429937 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:15.083349943 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:15.246516943 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:15.246969938 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:15.251914978 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:15.417510986 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:15.417901993 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:15.422841072 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:15.589529037 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:15.589812040 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:15.594954014 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:15.758904934 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:15.759318113 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:15.764394999 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:15.931408882 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:15.931775093 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:15.936935902 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:16.100148916 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:16.100980997 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:16.101063013 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:16.101102114 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:16.101133108 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:16.106586933 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:16.107958078 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:16.302135944 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:16.356724024 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:16.365571022 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:16.370714903 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:16.534111977 CEST	587	49733	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:16.538850069 CEST	49733	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:16.539932013 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:16.545296907 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:16.545392990 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:17.125840902 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:17.126044989 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:17.131133080 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:17.296452045 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:17.296607018 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:17.301546097 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:17.472472906 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:17.473380089 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:17.478542089 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:17.650721073 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:17.650777102 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:17.650818110 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:17.650839090 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:17.696938992 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:17.742587090 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:17.744636059 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:17.749633074 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:17.916331053 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:17.919676065 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:17.924860001 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.091173887 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.091422081 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.097070932 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.262465954 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.262705088 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.268076897 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.446811914 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.447027922 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.451983929 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.618110895 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.618360996 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.623327971 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.794143915 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.794430971 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.799379110 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.964709044 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.965239048 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.965390921 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.965439081 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.965439081 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.965552092 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.965552092 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.965552092 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.965590954 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.965590954 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:57:18.970144987 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.970287085 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.970316887 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.970350981 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.970452070 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.970593929 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:18.970622063 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:19.227555990 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:57:19.278604984 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:58:53.810353994 CEST	49738	587	192.168.2.4	78.110.166.82
Jul 26, 2024 11:58:53.815608025 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:58:53.982748032 CEST	587	49738	78.110.166.82	192.168.2.4
Jul 26, 2024 11:58:53.984532118 CEST	49738	587	192.168.2.4	78.110.166.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 11:56:59.563147068 CEST	58252	53	192.168.2.4	1.1.1.1
Jul 26, 2024 11:56:59.620613098 CEST	53	58252	1.1.1.1	192.168.2.4
Jul 26, 2024 11:57:30.020786047 CEST	53	63822	162.159.36.2	192.168.2.4
Jul 26, 2024 11:57:30.547246933 CEST	54491	53	192.168.2.4	1.1.1.1
Jul 26, 2024 11:57:30.560698986 CEST	53	54491	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 11:56:59.563147068 CEST	192.168.2.4	1.1.1.1	0x42c1	Standard query (0)	zqamcx.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 11:57:30.547246933 CEST	192.168.2.4	1.1.1.1	0xdcab	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 11:56:59.620613098 CEST	1.1.1.1	192.168.2.4	0x42c1	No error (0)	zqamcx.com		78.110.166.82	A (IP address)	IN (0x0001)	false
Jul 26, 2024 11:57:30.560698986 CEST	1.1.1.1	192.168.2.4	0xdcab	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 26, 2024 11:57:00.331404924 CEST	587	49730	78.110.166.82	192.168.2.4	220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 10:57:00 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 26, 2024 11:57:00.332640886 CEST	49730	587	192.168.2.4	78.110.166.82	EHLO 473627
Jul 26, 2024 11:57:00.505664110 CEST	587	49730	78.110.166.82	192.168.2.4	250-cphost14.qhoster.net Hello 473627 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 26, 2024 11:57:00.505856991 CEST	49730	587	192.168.2.4	78.110.166.82	STARTTLS
Jul 26, 2024 11:57:00.683774948 CEST	587	49730	78.110.166.82	192.168.2.4	220 TLS go ahead
Jul 26, 2024 11:57:03.261642933 CEST	587	49731	78.110.166.82	192.168.2.4	220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 10:57:03 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 26, 2024 11:57:03.261862993 CEST	49731	587	192.168.2.4	78.110.166.82	EHLO 473627
Jul 26, 2024 11:57:03.428940058 CEST	587	49731	78.110.166.82	192.168.2.4	250-cphost14.qhoster.net Hello 473627 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 26, 2024 11:57:03.429157972 CEST	49731	587	192.168.2.4	78.110.166.82	STARTTLS
Jul 26, 2024 11:57:03.596851110 CEST	587	49731	78.110.166.82	192.168.2.4	220 TLS go ahead
Jul 26, 2024 11:57:14.364183903 CEST	587	49733	78.110.166.82	192.168.2.4	220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 10:57:14 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 26, 2024 11:57:14.364562988 CEST	49733	587	192.168.2.4	78.110.166.82	EHLO 473627
Jul 26, 2024 11:57:14.533400059 CEST	587	49733	78.110.166.82	192.168.2.4	250-cphost14.qhoster.net Hello 473627 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 26, 2024 11:57:14.533819914 CEST	49733	587	192.168.2.4	78.110.166.82	STARTTLS
Jul 26, 2024 11:57:14.704030991 CEST	587	49733	78.110.166.82	192.168.2.4	220 TLS go ahead
Jul 26, 2024 11:57:17.125840902 CEST	587	49738	78.110.166.82	192.168.2.4	220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 10:57:16 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 26, 2024 11:57:17.126044989 CEST	49738	587	192.168.2.4	78.110.166.82	EHLO 473627
Jul 26, 2024 11:57:17.296452045 CEST	587	49738	78.110.166.82	192.168.2.4	250-cphost14.qhoster.net Hello 473627 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 26, 2024 11:57:17.296607018 CEST	49738	587	192.168.2.4	78.110.166.82	STARTTLS
Jul 26, 2024 11:57:17.472472906 CEST	587	49738	78.110.166.82	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	05:56:54
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe"
Imagebase:	0xf40000
File size:	1'389'568 bytes
MD5 hash:	3D265723FFA9EE20E76CD4EB2B628771
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:56:55
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\directory\temp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe"
Imagebase:	0x400000
File size:	1'389'568 bytes
MD5 hash:	3D265723FFA9EE20E76CD4EB2B628771
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000001.00000002.1669488113.0000000003970000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs Detection: 65%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:56:57
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe"
Imagebase:	0xf30000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1810719086.000000000350F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1810719086.0000000003539000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.1816688277.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.1808219805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1809643330.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1814390220.00000000044C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.1815192163.0000000005940000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1810719086.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1810719086.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:57:09
Start date:	26/07/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs"
Imagebase:	0x7ff718f40000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:57:09
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\directory\temp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\temp.exe"
Imagebase:	0x400000
File size:	1'389'568 bytes
MD5 hash:	3D265723FFA9EE20E76CD4EB2B628771
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.1809261589.0000000001C60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:57:10
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\temp.exe"
Imagebase:	0x8c0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4105980496.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4105980496.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4105980496.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3%
Total number of Nodes:	2000
Total number of Limit Nodes:	50

Executed Functions

Function 00F442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F4430D

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

GetCurrentProcess.KERNEL32(?,00FDCB64,00000000,?,?), ref: 00F44422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F44429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F44454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F44466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F44474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F4447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00F444A0

Strings

GetNativeSystemInfo, xrefs: 00F44460
|O, xrefs: 00F836F8
kernel32.dll, xrefs: 00F4444F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 3eab2f802f75b05aab0b81b177b8ddc868b6c72125f2d90263474d7772b0aa1e
Instruction ID: 14630d77ec1a4b64a012bad7885a74c53993b67a21a0dd8b5698340102c32e4a
Opcode Fuzzy Hash: 3eab2f802f75b05aab0b81b177b8ddc868b6c72125f2d90263474d7772b0aa1e
Instruction Fuzzy Hash: 69A1B472D0E2D0CFCB39D7B974443D97FA56B26710B08C49ADAC1A3A1DD23E4504EBA6

Function 00F442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F450AA,?,?,00000000,00000000), ref: 00F442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F450AA,?,?,00000000,00000000), ref: 00F442C9
LoadResource.KERNEL32(?,00000000,?,?,00F450AA,?,?,00000000,00000000,?,?,?,?,?,?,00F44F20), ref: 00F835BE
SizeofResource.KERNEL32(?,00000000,?,?,00F450AA,?,?,00000000,00000000,?,?,?,?,?,?,00F44F20), ref: 00F835D3
LockResource.KERNEL32(00F450AA,?,?,00F450AA,?,?,00000000,00000000,?,?,?,?,?,?,00F44F20,?), ref: 00F835E6

Strings

SCRIPT, xrefs: 00F442BF

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: fe9827511fa045c2ccf0b36986e500e8b35bdd9fb3785011b402064a32526db5
Instruction ID: ddeac63ebe8e6ab888f3b0f1d77a976cca031e0dc745ddc9f0d31ef7a6d71be2
Opcode Fuzzy Hash: fe9827511fa045c2ccf0b36986e500e8b35bdd9fb3785011b402064a32526db5
Instruction Fuzzy Hash: 6611A070201705BFDB219B65DC48F277BBAEBC5B51F14416EF80296290DBB1E900E670

Function 00F82BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00F42B6B

Part of subcall function 00F43A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01011418,?,00F42E7F,?,?,?,00000000), ref: 00F43A78

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,01002224), ref: 00F82C10
ShellExecuteW.SHELL32(00000000,?,?,01002224), ref: 00F82C17

Strings

runas, xrefs: 00F82C0B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: dccae00757335fc0130ece0185765433d9f3bd45c57ca24b4cac6df7f8bddce9
Instruction ID: c1bfc26a655c4e8e7d548508dff09e0175b1bf12f3b02c610c0319b73f299c37
Opcode Fuzzy Hash: dccae00757335fc0130ece0185765433d9f3bd45c57ca24b4cac6df7f8bddce9
Instruction Fuzzy Hash: 3711DF326483056AD718FF70DC459BEBFA4ABD1710F84042DBA82020A2CF798A49F752

Function 00FADBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00F85222), ref: 00FADBCE
GetFileAttributesW.KERNELBASE(?), ref: 00FADBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00FADBEE
FindClose.KERNEL32(00000000), ref: 00FADBFA

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9efbf509365ac13318676f96c1c05c1b254923fcdfec096d97bd7daa910221b7
Instruction ID: acc7ca44ab39bb7fc557dd691eb8cb4a79fdd730709a2690f123791c41f57830
Opcode Fuzzy Hash: 9efbf509365ac13318676f96c1c05c1b254923fcdfec096d97bd7daa910221b7
Instruction Fuzzy Hash: FAF0A0718119295782206B78AC0D8AA376E9E02335B904713F876C24E0EBB45D54F6D5

Function 00F4D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F4D807
timeGetTime.WINMM ref: 00F4DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F4DB28
TranslateMessage.USER32(?), ref: 00F4DB7B
DispatchMessageW.USER32(?), ref: 00F4DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F4DB9F
Sleep.KERNEL32(0000000A), ref: 00F4DBB1

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: af67790b01d5a0feae4192c62a4a28347029c1682fcdad0f540bda68d0920c15
Instruction ID: e41e4fe621a5378d6e75ded7cc0740b62f82047b39667d9864c86dc36aa478c6
Opcode Fuzzy Hash: af67790b01d5a0feae4192c62a4a28347029c1682fcdad0f540bda68d0920c15
Instruction Fuzzy Hash: C0420731A04342EFEB38CF24C884B6ABBE1FF85314F14455EE99587291D779E844EB82

Function 00F42CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F42D07
RegisterClassExW.USER32(00000030), ref: 00F42D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F42D42
InitCommonControlsEx.COMCTL32(?), ref: 00F42D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F42D6F
LoadIconW.USER32(000000A9), ref: 00F42D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F42D94

Strings

+, xrefs: 00F42CF0
TaskbarCreated, xrefs: 00F42D37
AutoIt v3 GUI, xrefs: 00F42D23
0, xrefs: 00F42CE9

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: bc6fe9b46870570ace6ddfea63f0069d9326b995ea123261da0bc14149c21db1
Instruction ID: 26f480534a016b680239f3948e77422de1fa66d19b074e69df12a1f20b8db450
Opcode Fuzzy Hash: bc6fe9b46870570ace6ddfea63f0069d9326b995ea123261da0bc14149c21db1
Instruction Fuzzy Hash: 1A21E3B190220DAFDB10DFA4E849BDDBBBAFB08700F00811AF661A7294D7BA4544DF91

Function 00F8065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F8039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F80704,?,?,00000000,?,00F80704,00000000,0000000C), ref: 00F803B7

GetLastError.KERNEL32 ref: 00F8076F
__dosmaperr.LIBCMT ref: 00F80776
GetFileType.KERNELBASE(00000000), ref: 00F80782
GetLastError.KERNEL32 ref: 00F8078C
__dosmaperr.LIBCMT ref: 00F80795
CloseHandle.KERNEL32(00000000), ref: 00F807B5
CloseHandle.KERNEL32(?), ref: 00F808FF
GetLastError.KERNEL32 ref: 00F80931
__dosmaperr.LIBCMT ref: 00F80938

Strings

H, xrefs: 00F808BD

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: cb8940390dc66c953c226a9c4411643683cb47f082af3e68ad624fcfaf66e974
Instruction ID: 31cc49fb1425f4d087f99ef952f44560fab08f21a9a3d5120968919bde54d772
Opcode Fuzzy Hash: cb8940390dc66c953c226a9c4411643683cb47f082af3e68ad624fcfaf66e974
Instruction Fuzzy Hash: 8BA13732A001088FDF19EF78DC56BEE3BA1AB06320F14015DF8559B391DB399D5AEB91

Function 00F4344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F43A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01011418,?,00F42E7F,?,?,?,00000000), ref: 00F43A78

Part of subcall function 00F43357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F43379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F4356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F8318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F831CE
RegCloseKey.ADVAPI32(?), ref: 00F83210
_wcslen.LIBCMT ref: 00F83277
_wcslen.LIBCMT ref: 00F83286

Strings

Include, xrefs: 00F83184, 00F831C5
\, xrefs: 00F8328C
Software\AutoIt v3\AutoIt, xrefs: 00F43560
\Include\, xrefs: 00F43527

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 3ab44875a0e8df056c2e2143521cf8598689a8a7c62cfb21f0d29d24472aa107
Instruction ID: c619d02b1abb6af08341a80dbb28108bba09ee72f8b6b27b5fd6793808d93cc0
Opcode Fuzzy Hash: 3ab44875a0e8df056c2e2143521cf8598689a8a7c62cfb21f0d29d24472aa107
Instruction Fuzzy Hash: 8071E2714043019FC324EF29DC829ABBBE8FF85750F50442EF984D3265EB799A48EB52

Function 00F42B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F42B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00F42B9D
LoadIconW.USER32(00000063), ref: 00F42BB3
LoadIconW.USER32(000000A4), ref: 00F42BC5
LoadIconW.USER32(000000A2), ref: 00F42BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F42BEF
RegisterClassExW.USER32(?), ref: 00F42C40

Part of subcall function 00F42CD4: GetSysColorBrush.USER32(0000000F), ref: 00F42D07
Part of subcall function 00F42CD4: RegisterClassExW.USER32(00000030), ref: 00F42D31
Part of subcall function 00F42CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F42D42
Part of subcall function 00F42CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F42D5F
Part of subcall function 00F42CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F42D6F
Part of subcall function 00F42CD4: LoadIconW.USER32(000000A9), ref: 00F42D85
Part of subcall function 00F42CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F42D94

Strings

#, xrefs: 00F42C16
0, xrefs: 00F42C0F
AutoIt v3, xrefs: 00F42C2F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2a8e9eda2acd0cfb29f402380fecaca6c7a618b6d9300f0e93367094ff9af451
Instruction ID: eaf99bb1a787bb583df26aea5110284062c5bcf8b3bbf1f29ca217747e8774f9
Opcode Fuzzy Hash: 2a8e9eda2acd0cfb29f402380fecaca6c7a618b6d9300f0e93367094ff9af451
Instruction Fuzzy Hash: 74212C70E02318ABDB249FB5EC55B9DBFB6FB48B50F04801AF640A6698D7BE1540DF90

Function 00F43170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F4316A,?,?), ref: 00F431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00F4316A,?,?), ref: 00F43204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F43227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F4316A,?,?), ref: 00F43232
CreatePopupMenu.USER32 ref: 00F43246
PostQuitMessage.USER32(00000000), ref: 00F43267

Strings

TaskbarCreated, xrefs: 00F4322D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 591a053dc341ed91c68c9abd471f3ddd2451de14e0beeee3876a08a4257c0e97
Instruction ID: 9f0cf0e1094c82c9b0df1efbe4c77e4067c34f6102db69fe15ecc96d5b9eff6b
Opcode Fuzzy Hash: 591a053dc341ed91c68c9abd471f3ddd2451de14e0beeee3876a08a4257c0e97
Instruction Fuzzy Hash: 7F412A32A40205A7DF282B78DC49BB93F16F745314F044115FE52C6199DBBD9B40F7A1

Function 00F78D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2345a5943047c9869c4c3a7bb7ad84c258737e29b24d7a127e61bc5801c908a
Instruction ID: 20fab4ffc2b8d11818c26a01e2c49793db2816c01c31ab60f8a7d6a052b0b5d7
Opcode Fuzzy Hash: a2345a5943047c9869c4c3a7bb7ad84c258737e29b24d7a127e61bc5801c908a
Instruction Fuzzy Hash: 5DC1F675D082499FCF11DFB8D845BADBBB0AF09320F04815AF558A7392C7798942EB62

Function 015D0920 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 015D0965

Memory Dump Source

Source File: 00000000.00000002.1654657799.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15d0000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 49b25ed0d159ed6907b9f34c708658c3528bc514071f4bc60e2af1545ecc6cc8
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 8151E975A50209FBEB30DFA4CC49FDE77B8BF48701F108A54F609AA2C0DAB496458B60

Function 00F42C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F42C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F42CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F41CAD,?), ref: 00F42CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F41CAD,?), ref: 00F42CCF

Strings

AutoIt v3, xrefs: 00F42C89, 00F42C8E, 00F42C8F
edit, xrefs: 00F42CAC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 07f97bca76fe0f59b67447f7abfd38f7655422245ecbdb46dd1dab74bcba211a
Instruction ID: fbd790184b5c74c88189b3b4e00c0e437cfaf97a076835d77655cf24eb7d5422
Opcode Fuzzy Hash: 07f97bca76fe0f59b67447f7abfd38f7655422245ecbdb46dd1dab74bcba211a
Instruction Fuzzy Hash: EAF03A755402947AEB300733AC08E777EBED7C6F50B00811AFA00A3298C27A0840EBB1

Function 00FB2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB2C05
DeleteFileW.KERNEL32(?), ref: 00FB2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FB2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB2CC0

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: d3d06a52d387edbae17700af14cce8c60c5f16c55a7eb9347921d34396f600d6
Instruction ID: 00d59028011cb3efe5d947afda8a6fdd9d8ec4a1f9f650a0ba915307c0a8fc02
Opcode Fuzzy Hash: d3d06a52d387edbae17700af14cce8c60c5f16c55a7eb9347921d34396f600d6
Instruction Fuzzy Hash: 84B16F72E0011DABDF11EFA5CC85EDEBB7DEF48350F1040A6FA09E6151EA349A449F61

Function 015D23B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 148
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 015D22A0: Sleep.KERNELBASE(000001F4), ref: 015D22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015D24CB

Strings

7P7HKNNXW6, xrefs: 015D254B, 015D254E

Memory Dump Source

Source File: 00000000.00000002.1654657799.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15d0000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CreateFileSleep
String ID: 7P7HKNNXW6
API String ID: 2694422964-1113834416
Opcode ID: 6e3c0a1bb81811991db72e9da7212011ccb7019bc87c8d2035a48db22381ed7a
Instruction ID: eb6d14e43f20d31421ce0e697cdeac97120a20a7d06d170928b5e54b27eb7e2b
Opcode Fuzzy Hash: 6e3c0a1bb81811991db72e9da7212011ccb7019bc87c8d2035a48db22381ed7a
Instruction Fuzzy Hash: 31519235D14249EBEF21DBA8C855BEEB779BF44300F004598E609BB2C0DA791B45CBA5

Function 00F43B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F43B0F,SwapMouseButtons,00000004,?), ref: 00F43B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F43B0F,SwapMouseButtons,00000004,?), ref: 00F43B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F43B0F,SwapMouseButtons,00000004,?), ref: 00F43B83

Strings

Control Panel\Mouse, xrefs: 00F43B3E

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6e71fb3956fdd41dde85431011ff2d3df137c1ed0398809d9dcc09cda0158902
Instruction ID: adcf170065dcfbad44a75d8e93ae4130ba374d9773e8371b9d1861694a3e945d
Opcode Fuzzy Hash: 6e71fb3956fdd41dde85431011ff2d3df137c1ed0398809d9dcc09cda0158902
Instruction Fuzzy Hash: E9112AB5511208FFDB218FA5DC48AAEBBB8EF44754B10855AA805D7110D2319E44A7A0

Function 00F4DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F932B7

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 090464dca1174d03c0e5b7b78e8f6bd82df408aeeb8cf2c47948064b1efd8a9f
Instruction ID: b3066ffc63d7c981021a447bd3589bb008491cfe2ae243d95a946d88698c8a3d
Opcode Fuzzy Hash: 090464dca1174d03c0e5b7b78e8f6bd82df408aeeb8cf2c47948064b1efd8a9f
Instruction Fuzzy Hash: 17C28A75E00205CFDB24CF58C881AADBBB1BF08320F248169ED56AB395D379ED45EB91

Function 00F43923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F833A2

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F43A04

Strings

Line: , xrefs: 00F833EB

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 1aba3de47c8f7380d749b69863dd7e23ce3fb1498490590d9acbdf5a78053706
Instruction ID: e64fb147b09b01f56db155d79f4c3f31140d89102da58714a08bd718d3a1d5d8
Opcode Fuzzy Hash: 1aba3de47c8f7380d749b69863dd7e23ce3fb1498490590d9acbdf5a78053706
Instruction Fuzzy Hash: AF31D471808304AAD725EB20DC45BEBBBD8AF41720F10452EF9D983195EB789749D7C3

Function 00F42DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00F82C8C

Part of subcall function 00F43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F43A97,?,?,00F42E7F,?,?,?,00000000), ref: 00F43AC2

Part of subcall function 00F42DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F42DC4

Strings

X, xrefs: 00F82C5A
`e, xrefs: 00F82C85

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e
API String ID: 779396738-1218242589
Opcode ID: 767cd969f03e45213234631ff025c2efa993aff1998d2f6227f0a6dcaa8ee9c7
Instruction ID: f7da965bfae1dd7524a58ed5ba38384372d312c340eea460530e24ccfaa671fb
Opcode Fuzzy Hash: 767cd969f03e45213234631ff025c2efa993aff1998d2f6227f0a6dcaa8ee9c7
Instruction Fuzzy Hash: E221F371A002589BDB41EF94CC05BEE7BFDAF49314F008019E905F7281DBB85A49DFA1

Function 00F5FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F60668

Part of subcall function 00F632A4: RaiseException.KERNEL32(?,?,?,00F6068A,?,01011444,?,?,?,?,?,?,00F6068A,00F41129,01008738,00F41129), ref: 00F63304

__CxxThrowException@8.LIBVCRUNTIME ref: 00F60685

Strings

Unknown exception, xrefs: 00F60692

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 6710b467349f9b505ebd0d14f66626a28cef6c66c2d2bd9759cfabd4f3f6a95c
Instruction ID: dd679571e1c008ff306e464526bd0ae69ce740b3eb9bdf8c770a8ea308dc4aa0
Opcode Fuzzy Hash: 6710b467349f9b505ebd0d14f66626a28cef6c66c2d2bd9759cfabd4f3f6a95c
Instruction Fuzzy Hash: 45F02234C0020D738B00BAA4DC46C9E777C6E00320B708075BA1486592EF36EA29F9C0

Function 015D1000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 015D1045
ExitProcess.KERNEL32(00000000), ref: 015D1064

Strings

D, xrefs: 015D1011

Memory Dump Source

Source File: 00000000.00000002.1654657799.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15d0000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
Instruction ID: fbe38e34dbe906963412467e8ba23e5fc6cbe4ac8ad7c99728e070da337aa2b4
Opcode Fuzzy Hash: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
Instruction Fuzzy Hash: 41F0EC7164024DABDB60EFE4CC49FEE777CBF44701F408508FB0A9E180DA7896088B61

Function 00FB3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FB302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FB3044

Strings

aut, xrefs: 00FB3038

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3fee4758380c5905f716aecb2a16d044a21bf7050ca442e33ce0abf0b01d8c3a
Instruction ID: 0c84de8c25d52040d7f2433b778fd338bedc24f4d3332f4e22c30a575c52aacb
Opcode Fuzzy Hash: 3fee4758380c5905f716aecb2a16d044a21bf7050ca442e33ce0abf0b01d8c3a
Instruction Fuzzy Hash: D3D05E725013286BDA20A7A5AC0EFCB3B6CDB05761F0002A2B695D6091DAB09984CAE0

Function 00FC7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00FC82F5
TerminateProcess.KERNEL32(00000000), ref: 00FC82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00FC84DD

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: d5923a20868274966174ae281c41abb37e15208c3dcdc057cb316f48a056d333
Instruction ID: 40d9d3a85279c7c12c22c01effdf68d34a46bd9f7cc2437c6d34b4e85a83b7fe
Opcode Fuzzy Hash: d5923a20868274966174ae281c41abb37e15208c3dcdc057cb316f48a056d333
Instruction Fuzzy Hash: 03127C71A083429FC714DF28C585B6ABBE1BF84364F04895DE8898B352CB35ED46DF92

Function 00F75AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9df5a714542ed52d9a181bdb30d08b5a976d20738fd2d325605f258af8cd28f
Instruction ID: 58b3925e294311c3773c65b53c72ca23be119021cd02a60a1f8caeaa35efc0af
Opcode Fuzzy Hash: e9df5a714542ed52d9a181bdb30d08b5a976d20738fd2d325605f258af8cd28f
Instruction Fuzzy Hash: FE51C071D006099BDB119FB8DC45FBE7BB4AF45B20F14805BF408A7291D7B99901AB62

Function 00F410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F41BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F41BF4
Part of subcall function 00F41BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F41BFC
Part of subcall function 00F41BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F41C07
Part of subcall function 00F41BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F41C12
Part of subcall function 00F41BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F41C1A
Part of subcall function 00F41BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F41C22

Part of subcall function 00F41B4A: RegisterWindowMessageW.USER32(00000004,?,00F412C4), ref: 00F41BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F4136A
OleInitialize.OLE32 ref: 00F41388
CloseHandle.KERNEL32(00000000,00000000), ref: 00F824AB

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 57b628b232393496ef77dbbec8b7080ea361939d33b595c54f8899e1ed1d9f22
Instruction ID: 121ad25a822267d8d7c9de01b7ff72ec6a18089f153e48b97b7282cc53623987
Opcode Fuzzy Hash: 57b628b232393496ef77dbbec8b7080ea361939d33b595c54f8899e1ed1d9f22
Instruction Fuzzy Hash: D671BBB4912301CFC7ACEF79E8556553EE1FB48344358822AEA8AC7349EB3E4445DF85

Function 00F454C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00F4556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00F4557D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 5aac498c5b277f75cae9a16f723ec83f71ff441963f3ec06422ecc190a26ebf5
Instruction ID: cde373b62e8c1d3d090c871466b0b406b9cdd4dfab5c4364917ddfc32e02cb5e
Opcode Fuzzy Hash: 5aac498c5b277f75cae9a16f723ec83f71ff441963f3ec06422ecc190a26ebf5
Instruction Fuzzy Hash: F0316F71A00609EFDB14DF28C880BADBBB6FB48714F188229ED1997241D771FD94EB90

Function 00F786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00F785CC,?,01008CC8,0000000C), ref: 00F78704
GetLastError.KERNEL32(?,00F785CC,?,01008CC8,0000000C), ref: 00F7870E
__dosmaperr.LIBCMT ref: 00F78739

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 794857eef6db3907d7aee204e7086d6ccefb73f97c397074ca5e219c4f8a6ac1
Instruction ID: 671ee9647dbb591a51ef233572d24877d28a65b0c7f86e9e6536551efa7e04be
Opcode Fuzzy Hash: 794857eef6db3907d7aee204e7086d6ccefb73f97c397074ca5e219c4f8a6ac1
Instruction Fuzzy Hash: 02010C32E4552036D6646234AC4E76E77474B81BB4F25811BF81D8B1E2DDA99C83B192

Function 00FB2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00FB2CD4,?,?,?,00000004,00000001), ref: 00FB2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FB2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FB3006
CloseHandle.KERNEL32(00000000,?,00FB2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FB300D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 3f4af6aa08cbd6147f28d66943416791653b2315c73b59afdfa362028cf5b8a2
Instruction ID: badb811165f04cc0e8a8576f0fe0b95186a2f0d208b5497a106120342efa791b
Opcode Fuzzy Hash: 3f4af6aa08cbd6147f28d66943416791653b2315c73b59afdfa362028cf5b8a2
Instruction Fuzzy Hash: 62E0863268122577E6302765BC0DFCB3B1DDB86B75F104211F759760D086A01501A6E8

Function 00F51310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F517F6

Strings

CALL, xrefs: 00F517C6

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 78d463b6b90e88a20f16d580e08ab7632343d256b51d21558dce15b10aa62c28
Instruction ID: fccd0e1300e8271cdae6ee8785ce78ced98940cb6d16c641a2e5992196a72d15
Opcode Fuzzy Hash: 78d463b6b90e88a20f16d580e08ab7632343d256b51d21558dce15b10aa62c28
Instruction Fuzzy Hash: 2922AE706083019FD714DF14C880B2ABBF1BF85315F28895DFA968B362D775E949EB82

Function 00FB6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB6F6B

Part of subcall function 00F44ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00FB6F5A, 00FB6F63

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 1ca4ff4a0e2cff2b6190bc672e7ec86555c7cdfc7d2cba3b1db87faaa5cb9807
Instruction ID: 8b63ee47c0f02dd01a4224e9ecc930704a12928010026920ee57cb0811debf5f
Opcode Fuzzy Hash: 1ca4ff4a0e2cff2b6190bc672e7ec86555c7cdfc7d2cba3b1db87faaa5cb9807
Instruction Fuzzy Hash: 37B17F315083018FCB14FF25C8919AEBBE5AF95310F04895DF89697262EB34ED49EF92

Function 00FB2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00FB2587

Strings

EA06, xrefs: 00FB25B9

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 0b300aaf95994a8e5cfde0c7e5b099559c0f2e63885baa81c6b9728b8e451c16
Instruction ID: 7284969ee58e2d168cfb3733a49dd291f232327d949b00654778b50bf80e4093
Opcode Fuzzy Hash: 0b300aaf95994a8e5cfde0c7e5b099559c0f2e63885baa81c6b9728b8e451c16
Instruction Fuzzy Hash: 8901F5728042187EDF28C7A9CC16EEEBBF89B05301F00455AE192D6181E4B8E6089B60

Function 00F43837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F43908

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 81dbe47243a8e909395e7429a923fa1d4447cc1a41147430e6a8e2126e25f7db
Instruction ID: 57f31cb68d9f8b8b66233c4c2ec40c17df4d850db9a2535b5913391dcc746f3e
Opcode Fuzzy Hash: 81dbe47243a8e909395e7429a923fa1d4447cc1a41147430e6a8e2126e25f7db
Instruction Fuzzy Hash: 883191B1A057019FD720DF34D885797BBE8FB49718F00092EFAD983240E779AA44DB92

Function 00F45745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F4949C,?,00008000), ref: 00F45773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00F4949C,?,00008000), ref: 00F84052

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4d4541650597ef7ffe6da2336ed08f9402762810478e286677c1142181b873fa
Instruction ID: 82a05a6c2738ba11c575ec6a27a45973ce691df82905a7d244a0da43645f8ab6
Opcode Fuzzy Hash: 4d4541650597ef7ffe6da2336ed08f9402762810478e286677c1142181b873fa
Instruction Fuzzy Hash: 18014031545229B7E7315A2ADC0EF977F98EF02BB0F148211BE9C5A1E1C7B45854EB90

Function 00F4B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F4BB4E

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 79da90776b130fd8ebe60d246296a024ec9008eb62baeda22dbd8afa3610a954
Instruction ID: bc36960ffda78bb6fe0c95636edeb3d86a4c1a3dc757b1a8e408a3742838ad25
Opcode Fuzzy Hash: 79da90776b130fd8ebe60d246296a024ec9008eb62baeda22dbd8afa3610a954
Instruction Fuzzy Hash: 44329E35E002099FDF24CF54C894BBABBB9EF44320F248059ED45AB252DB79ED81EB51

Function 015D1070 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 015D08E0: GetFileAttributesW.KERNELBASE(?), ref: 015D08EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 015D119F

Memory Dump Source

Source File: 00000000.00000002.1654657799.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15d0000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 051e9035626aefa099e77accf097f72e9bfde44a2f73653372ed9f9584f230c2
Instruction ID: 3184f011eff77bc539eb9d611a38b0feea956ff1a24e24589e38f9abe7e10e94
Opcode Fuzzy Hash: 051e9035626aefa099e77accf097f72e9bfde44a2f73653372ed9f9584f230c2
Instruction Fuzzy Hash: 98517731A1020996EF24EFB4C955BEF7379FF58300F0045A9A609EB180EB799B45CB95

Function 00F44ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F44E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F44EDD,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44E9C
Part of subcall function 00F44E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F44EAE
Part of subcall function 00F44E90: FreeLibrary.KERNEL32(00000000,?,?,00F44EDD,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44EFD

Part of subcall function 00F44E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F83CDE,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44E62
Part of subcall function 00F44E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F44E74
Part of subcall function 00F44E59: FreeLibrary.KERNEL32(00000000,?,?,00F83CDE,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44E87

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d1d3c7e239bc90f4bb3339a33b39bff52d39ae63ca2fce2d576ac0638e6fb7a1
Instruction ID: 613d0955fff5b5ad64d9ed7b2822cefb4c4707471a1295a265147d3c304b84b8
Opcode Fuzzy Hash: d1d3c7e239bc90f4bb3339a33b39bff52d39ae63ca2fce2d576ac0638e6fb7a1
Instruction Fuzzy Hash: 3211E732600205ABDB14BB64DC12FAD7BA59F40B21F10442EF942BB1D1EE78EA49B750

Function 00F78402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00F78440

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 964fb2b86e3d6e090de3d399e9523f6be7f68e02fdb5f6291bfe0e1f23ffa360
Instruction ID: 2d69023622c306ac39d0aacb754deab0e42c79e2874a7b261c6a0c2123c8bea7
Opcode Fuzzy Hash: 964fb2b86e3d6e090de3d399e9523f6be7f68e02fdb5f6291bfe0e1f23ffa360
Instruction Fuzzy Hash: 7211487290410AAFCB05DF58E9449DA7BF4EF48310F10805AF808AB302DA71DA22DBA5

Function 00F49A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00F4543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00F49A9C

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 41179a3d09781285d9865dd601113646248e63cae6818f290a19c28fc208ebe4
Instruction ID: 959c73e4e6402823aa8b98f4d49eeca797f73931eeba379b2c1bdd2274a2d15e
Opcode Fuzzy Hash: 41179a3d09781285d9865dd601113646248e63cae6818f290a19c28fc208ebe4
Instruction Fuzzy Hash: 67114C312087059FD720CF15C880B67BBF9EF44764F10C42EE9AB8A651C7B4E945EB60

Function 00F75000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F74C7D: RtlAllocateHeap.NTDLL(00000008,00F41129,00000000,?,00F72E29,00000001,00000364,?,?,?,00F6F2DE,00F73863,01011444,?,00F5FDF5,?), ref: 00F74CBE

_free.LIBCMT ref: 00F7506C

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: d67fb5eaf2ad68b4035b35ddfb8c6a51664b8bb9089b0f6d153b055bc5b1389d
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: D00126726047096BE3218E699C81A5AFBE9FB89370F25451EE19883280EA70A805D6B5

Function 00F6E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 37206187bc103e4e938d89441f8c8fbb415097856bc234f17263954e0f569764
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 73F02837920A14AAC7313A79DC05B9A33989F52370F104716F428931D2CB79E802BAA7

Function 00F74C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00F41129,00000000,?,00F72E29,00000001,00000364,?,?,?,00F6F2DE,00F73863,01011444,?,00F5FDF5,?), ref: 00F74CBE

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bc1b92c61dfabfce0accdd6bd81ec6de07d61bd40b50632e3b6557d16b487e6a
Instruction ID: c688b7ee1860fe8561c070bcd5ccb4c5625cced418ae5a1657fc39b0595d529e
Opcode Fuzzy Hash: bc1b92c61dfabfce0accdd6bd81ec6de07d61bd40b50632e3b6557d16b487e6a
Instruction Fuzzy Hash: 45F0B432A02234A6DB226F729C05B5A3788AF417B0B19C123B91DA6585CB35FC00B6E2

Function 00F73820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01011444,?,00F5FDF5,?,?,00F4A976,00000010,01011440,00F413FC,?,00F413C6,?,00F41129), ref: 00F73852

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 87651c339ee63ba4d3583490d107f35dd53ee80502a6c6ab3c8059424758c0bf
Instruction ID: 2859c685d0e1aac5db65f833166ad15ccd352d2fff28d117eb877c9bf66f9bf3
Opcode Fuzzy Hash: 87651c339ee63ba4d3583490d107f35dd53ee80502a6c6ab3c8059424758c0bf
Instruction Fuzzy Hash: 35E0E533901225B6D7312A779C00F9A3749AB427B0F058123FC0C92581CB35ED01B2E3

Function 00F44F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44F6D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3ebc3dc260fc503a35dfdf016ca610081fe9ba74e0d20a7424d1631a0125c1ce
Instruction ID: e72bbd7f4917d05d6004cd7bc0aa7b07332eec3cceb31b70a21e35284959f45e
Opcode Fuzzy Hash: 3ebc3dc260fc503a35dfdf016ca610081fe9ba74e0d20a7424d1631a0125c1ce
Instruction Fuzzy Hash: 25F03071505752CFDB349F64D490A12BBE4AF14339310897EE5EA93621C731A848EF50

Function 00F42DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F42DC4

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 008b1128b9ccd91229734f1e56621e6c534da381b89f32efd4908ac38dce27de
Instruction ID: e827320d657921cb0f9e35302535a45557cc1f6af4e5e8d0e283039cffd3f5bb
Opcode Fuzzy Hash: 008b1128b9ccd91229734f1e56621e6c534da381b89f32efd4908ac38dce27de
Instruction Fuzzy Hash: 9DE0CD726001245BCB10A2589C05FDA77DDDFC8790F050171FD09D7248D964AD80D691

Function 00FB2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00FB26B5

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 8304d3010d0ba7154188fa9b4ea74d635686b3beb33122072b271ae0fa754ebc
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 9CE0DFB0609B004FCF385A28A8517F677E99F4A300F00082EF69B83212E57228429A0D

Function 00F42B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F43837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F43908

Part of subcall function 00F4D730: GetInputState.USER32 ref: 00F4D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00F42B6B

Part of subcall function 00F430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F4314E

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 57b4a8dc00799223576fcc410749bb702466cfbd14addac953a1acacbcfe3f39
Instruction ID: 2a7d92780a097ec0db23bdf8e530bd0af20481c4cd99f79df6c08937a8cb4453
Opcode Fuzzy Hash: 57b4a8dc00799223576fcc410749bb702466cfbd14addac953a1acacbcfe3f39
Instruction Fuzzy Hash: ADE0263270420803CA08BB349C124ADBF599BD1325F40063EFA8243153CE7D4545A351

Function 015D08E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 015D08EB

Memory Dump Source

Source File: 00000000.00000002.1654657799.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15d0000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 4ea7461da19b732509be9c039625892e7a5ae5338036c1af578d8551906c78f3
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 76E08C71A0520CEBEB30CBBC8809AAE77A8EB04320F004A54F91ACB2C1D6308A819754

Function 015D08B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 015D08BB

Memory Dump Source

Source File: 00000000.00000002.1654657799.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15d0000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: be2e4091b097c2aa0c2a6cb5614f9c2848a7d9be9bf0ee301435cc8b0f225d4b
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 99D0A73090620CEBCB20CFBC9C05ADE73A8EB04330F004754FD15D72C1D631995097A4

Function 00F8039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00F80704,?,?,00000000,?,00F80704,00000000,0000000C), ref: 00F803B7

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 13463fcd68615ce5733b766bba9b82e0691c1e002c285764b45270cad057c8f5
Instruction ID: 6455ad5c8e1f9e05a08a724c47af2d149001a7811f6eff808fb6ee5fd8f57987
Opcode Fuzzy Hash: 13463fcd68615ce5733b766bba9b82e0691c1e002c285764b45270cad057c8f5
Instruction Fuzzy Hash: 32D06C3204010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E821EB90

Function 00F41CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F41CBC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 7936bed9744987f5e641216f87b2ea21c998ed9ef02ddea1917a639e58435b2a
Instruction ID: 2109a1b200781b2250a680016a320f372cbe500093a10296639a14713d270f4f
Opcode Fuzzy Hash: 7936bed9744987f5e641216f87b2ea21c998ed9ef02ddea1917a639e58435b2a
Instruction Fuzzy Hash: E2C09B35280305DFF7244790BC4AF107755E348B04F148101F749555D7C7BB1450E750

Function 00FB744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00F45745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F4949C,?,00008000), ref: 00F45773

GetLastError.KERNEL32(00000002,00000000), ref: 00FB76DE

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: c38a3809b7d6ef6e1a93bf9e8e91ff4930206d6c7cb500ff739f8c51a5b62b79
Instruction ID: b6af8722928b9450676c6a73a65f983f6eff2716108a0a388cefbfdbebc1cf2a
Opcode Fuzzy Hash: c38a3809b7d6ef6e1a93bf9e8e91ff4930206d6c7cb500ff739f8c51a5b62b79
Instruction Fuzzy Hash: 2A817E306087019FCB15EF29C891BA9BBE1AF89310F04455DFC865B392DB78AD45EF92

Function 00F5FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00F5FD1F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 25dfbe38a147d364a6a2eaad90f5f0865f43163dedc27b0293de227417b435fc
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3D311375A001099BC718CF19D084A69FBB2FB49311B6486F5E909CF656D731EEC9EBC0

Function 015D229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 015D22B1

Memory Dump Source

Source File: 00000000.00000002.1654657799.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15d0000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 1221461bd1801a93c644790581e554c50cff36467a2d151e7b600214f7aaf31b
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 0FE09A7494010EAFDB10EFA8D54969E7BB4EF04311F1005A1FD05D6681DA309A549A62

Function 015D22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 015D22B1

Memory Dump Source

Source File: 00000000.00000002.1654657799.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15d0000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: dcf5975c7d6176d2e7e716a26d298cdb1b85e69d0e90448c4c4994f1f2ba5740
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: C0E0E67494010EDFDB00EFB8D54969E7FB4FF04301F100161FD05D2281D6309D509A72

Non-executed Functions

Function 00FD9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FD961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FD965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00FD969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FD96C9
SendMessageW.USER32 ref: 00FD96F2
GetKeyState.USER32(00000011), ref: 00FD978B
GetKeyState.USER32(00000009), ref: 00FD9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FD97AE
GetKeyState.USER32(00000010), ref: 00FD97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FD97E9
SendMessageW.USER32 ref: 00FD9810
SendMessageW.USER32(?,00001030,?,00FD7E95), ref: 00FD9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FD992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FD9941
SetCapture.USER32(?), ref: 00FD994A
ClientToScreen.USER32(?,?), ref: 00FD99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FD99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FD99D6
ReleaseCapture.USER32 ref: 00FD99E1
GetCursorPos.USER32(?), ref: 00FD9A19
ScreenToClient.USER32(?,?), ref: 00FD9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FD9A80
SendMessageW.USER32 ref: 00FD9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FD9AEB
SendMessageW.USER32 ref: 00FD9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FD9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FD9B4A
GetCursorPos.USER32(?), ref: 00FD9B68
ScreenToClient.USER32(?,?), ref: 00FD9B75
GetParent.USER32(?), ref: 00FD9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FD9BFA
SendMessageW.USER32 ref: 00FD9C2B
ClientToScreen.USER32(?,?), ref: 00FD9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FD9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FD9CDE
SendMessageW.USER32 ref: 00FD9D01
ClientToScreen.USER32(?,?), ref: 00FD9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FD9D82

Part of subcall function 00F59944: GetWindowLongW.USER32(?,000000EB), ref: 00F59952

GetWindowLongW.USER32(?,000000F0), ref: 00FD9E05

Strings

@GUI_DRAGID, xrefs: 00FD997D
F, xrefs: 00FD9D07

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 27a0a9db015d5ea62a133c32901ea9269f5fbc3bca372b7f9a122f5a18d98ec2
Instruction ID: e342726cd647734faa91a90720e841b3d13a99e7a665a099bae5bdf37ada862c
Opcode Fuzzy Hash: 27a0a9db015d5ea62a133c32901ea9269f5fbc3bca372b7f9a122f5a18d98ec2
Instruction Fuzzy Hash: DB429135609201AFD724CF64CC44BAABBE6FF48320F18061AF699973A1D7B5D850EF91

Function 00FD4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00FD48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00FD4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00FD4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00FD494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00FD495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00FD497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00FD49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00FD49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00FD4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FD4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FD4A7E
IsMenu.USER32(?), ref: 00FD4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FD4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FD4B20
GetWindowLongW.USER32(?,000000F0), ref: 00FD4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00FD4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00FD4C82
wsprintfW.USER32 ref: 00FD4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FD4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FD4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FD4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FD4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FD4D5A

Strings

%d/%02d/%02d, xrefs: 00FD4CA8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 8817bd33da87a3b28fde6eee07a66c2694991d945c84ed941bd727274b868bbe
Instruction ID: 7a90924d248ca8e87de8d18db6ac8cfc59924c85f7f91e325efb8e20cb9ccb5c
Opcode Fuzzy Hash: 8817bd33da87a3b28fde6eee07a66c2694991d945c84ed941bd727274b868bbe
Instruction Fuzzy Hash: 0412F431900219ABEB258F34CC49FAE7BFAEF45710F18411AF919DB2E1DB74A941EB50

Function 00F5F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F5F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F9F474
IsIconic.USER32(00000000), ref: 00F9F47D
ShowWindow.USER32(00000000,00000009), ref: 00F9F48A
SetForegroundWindow.USER32(00000000), ref: 00F9F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F9F4AA
GetCurrentThreadId.KERNEL32 ref: 00F9F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F9F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F9F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F9F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F9F4DE
SetForegroundWindow.USER32(00000000), ref: 00F9F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9F4F6
keybd_event.USER32(00000012,00000000), ref: 00F9F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9F50B
keybd_event.USER32(00000012,00000000), ref: 00F9F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9F519
keybd_event.USER32(00000012,00000000), ref: 00F9F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9F528
keybd_event.USER32(00000012,00000000), ref: 00F9F52D
SetForegroundWindow.USER32(00000000), ref: 00F9F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F9F557

Strings

Shell_TrayWnd, xrefs: 00F9F46F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d4b7d59ccd38e4c2d3afb60387ea61ba1c7eaa5b983728562ca50530a4f659e4
Instruction ID: c4ba8ff6675131e0c921af686dac36469201159685fad5193a2758345376fd76
Opcode Fuzzy Hash: d4b7d59ccd38e4c2d3afb60387ea61ba1c7eaa5b983728562ca50530a4f659e4
Instruction Fuzzy Hash: 8A316D71A4021DBAFF206BB59C4AFBF7F6DEB44B50F150066FA04E61D1C6B19900FAA0

Function 00FA1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00FA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA170D
Part of subcall function 00FA16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA173A
Part of subcall function 00FA16C3: GetLastError.KERNEL32 ref: 00FA174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00FA1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00FA12A8
CloseHandle.KERNEL32(?), ref: 00FA12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FA12D1
GetProcessWindowStation.USER32 ref: 00FA12EA
SetProcessWindowStation.USER32(00000000), ref: 00FA12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FA1310

Part of subcall function 00FA10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FA11FC), ref: 00FA10D4
Part of subcall function 00FA10BF: CloseHandle.KERNEL32(?,?,00FA11FC), ref: 00FA10E9

Strings

default, xrefs: 00FA130B
, xrefs: 00FA125A
winsta0, xrefs: 00FA12CC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: cf279dea9b454218bd0375a483eca408a96d921350b4e8c099366fef62615eee
Instruction ID: 435ece3aa6e322f80d7e5e1f6c62a1c70fd5a45b25b95e4b62f1c9ed35fad063
Opcode Fuzzy Hash: cf279dea9b454218bd0375a483eca408a96d921350b4e8c099366fef62615eee
Instruction Fuzzy Hash: 7A818EB1900209ABDF21DFA8DC49BEE7BB9FF0A714F15412AF911A61A0C7349954EB60

Function 00FA0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA1114
Part of subcall function 00FA10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA1120
Part of subcall function 00FA10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA112F
Part of subcall function 00FA10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA1136
Part of subcall function 00FA10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FA0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FA0C00
GetLengthSid.ADVAPI32(?), ref: 00FA0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00FA0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FA0C6D
GetLengthSid.ADVAPI32(?), ref: 00FA0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FA0C8C
HeapAlloc.KERNEL32(00000000), ref: 00FA0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FA0CB4
CopySid.ADVAPI32(00000000), ref: 00FA0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FA0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FA0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FA0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0D45
HeapFree.KERNEL32(00000000), ref: 00FA0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0D55
HeapFree.KERNEL32(00000000), ref: 00FA0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0D65
HeapFree.KERNEL32(00000000), ref: 00FA0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FA0D78
HeapFree.KERNEL32(00000000), ref: 00FA0D7F

Part of subcall function 00FA1193: GetProcessHeap.KERNEL32(00000008,00FA0BB1,?,00000000,?,00FA0BB1,?), ref: 00FA11A1
Part of subcall function 00FA1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FA0BB1,?), ref: 00FA11A8
Part of subcall function 00FA1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FA0BB1,?), ref: 00FA11B7

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1fcf87e1508134f005ef927a3cd2af608f5e69597d8627f3480c3058e667b487
Instruction ID: 47b2bd3916e254f9d335712548dfd608ba3b58882dfebdc9c79ebbeba56996cf
Opcode Fuzzy Hash: 1fcf87e1508134f005ef927a3cd2af608f5e69597d8627f3480c3058e667b487
Instruction Fuzzy Hash: 85718DB2D0121AABDF10DFA5EC48FAEBBB9BF05320F044115F914E7191DB71A905EBA0

Function 00FBEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00FDCC08), ref: 00FBEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00FBEB37
GetClipboardData.USER32(0000000D), ref: 00FBEB43
CloseClipboard.USER32 ref: 00FBEB4F
GlobalLock.KERNEL32(00000000), ref: 00FBEB87
CloseClipboard.USER32 ref: 00FBEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00FBEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00FBEBC9
GetClipboardData.USER32(00000001), ref: 00FBEBD1
GlobalLock.KERNEL32(00000000), ref: 00FBEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 00FBEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00FBEC38
GetClipboardData.USER32(0000000F), ref: 00FBEC44
GlobalLock.KERNEL32(00000000), ref: 00FBEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FBEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FBEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FBECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 00FBECF3
CountClipboardFormats.USER32 ref: 00FBED14
CloseClipboard.USER32 ref: 00FBED59

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: f81479e21c723ff0c38e683471f668a8db877c089adce0c800d47047a0ab90f5
Instruction ID: c6570a1fa8b45626724ce438ecbf471b219ce1bd32f1668fbea05980787b2827
Opcode Fuzzy Hash: f81479e21c723ff0c38e683471f668a8db877c089adce0c800d47047a0ab90f5
Instruction Fuzzy Hash: FF61D2352042069FD300EF25CC84FAABBE9AF84714F14851EF856972A2CB71DD05EFA2

Function 00FB698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FB69BE
FindClose.KERNEL32(00000000), ref: 00FB6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FB6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FB6A75

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00FB6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FB6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00FB6B32
%02d, xrefs: 00FB6C00, 00FB6C0A, 00FB6C5A, 00FB6CAA, 00FB6CFA, 00FB6D4A
%03d, xrefs: 00FB6DA2
%4d, xrefs: 00FB6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00FB6B6A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 846ff483419789476961456d71b288c4735b2bacb7022be66704d71c4b3f7517
Instruction ID: 5e164ac4dd0ed7eac35b60079327e359b060e91af559967c66e731b1c9847998
Opcode Fuzzy Hash: 846ff483419789476961456d71b288c4735b2bacb7022be66704d71c4b3f7517
Instruction Fuzzy Hash: 56D14372508301AEC710EBA5CC81EAFB7ECAF88704F44491DF985D7191EB78DA48DB62

Function 00FB9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FB9663
GetFileAttributesW.KERNEL32(?), ref: 00FB96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00FB96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00FB96D3
FindClose.KERNEL32(00000000), ref: 00FB96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00FB96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB974A
SetCurrentDirectoryW.KERNEL32(01006B7C), ref: 00FB9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FB9772
FindClose.KERNEL32(00000000), ref: 00FB977F
FindClose.KERNEL32(00000000), ref: 00FB978F

Strings

*.*, xrefs: 00FB96F5

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 25bf066a977c7555f55363a8892e1a6d9094b138794748400d2ca0c188cefd93
Instruction ID: c0f2e86ec883fa6d3f3bd1d02aa6ab7dc2b60662e92e279eb148044081a4bf1c
Opcode Fuzzy Hash: 25bf066a977c7555f55363a8892e1a6d9094b138794748400d2ca0c188cefd93
Instruction Fuzzy Hash: 6831F37290560E6ADF10AFB6DC48ADE37ED9F49321F104156FA14E21A0EB74DD80EE90

Function 00FB979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FB97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00FB9819
FindClose.KERNEL32(00000000), ref: 00FB9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00FB9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB9890
SetCurrentDirectoryW.KERNEL32(01006B7C), ref: 00FB98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FB98B8
FindClose.KERNEL32(00000000), ref: 00FB98C5
FindClose.KERNEL32(00000000), ref: 00FB98D5

Part of subcall function 00FADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FADB00

Strings

*.*, xrefs: 00FB983B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: cfb803f14e0eae9ee31c1589c97767153b83fdd6cc35f31d4ffa6e9b47946ef9
Instruction ID: 4e8dff3b5e878ecf3623d4f0a4a8497e4072ff3bfb03b682b60496daf04638fd
Opcode Fuzzy Hash: cfb803f14e0eae9ee31c1589c97767153b83fdd6cc35f31d4ffa6e9b47946ef9
Instruction Fuzzy Hash: 0531163190961E6ADF10EFB6DC48ADE37BD9F06330F104156EA40A2090DB71D984FE60

Function 00FB8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FB8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FB8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FB8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FB838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8395

Strings

*.*, xrefs: 00FB839B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: dc595dff80e206278da91dad34872aa990ebc7bf34d748c804f13e62211e5b23
Instruction ID: 9bd7004b6893e97eb639502d92a419f90d826473ca4a6701a6d2f26cefbec090
Opcode Fuzzy Hash: dc595dff80e206278da91dad34872aa990ebc7bf34d748c804f13e62211e5b23
Instruction Fuzzy Hash: 296167B25083059FCB10EF65C8409AEB7E8FF89320F08491AF98987251DB35E906DF92

Function 00FAD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F43A97,?,?,00F42E7F,?,?,?,00000000), ref: 00F43AC2

Part of subcall function 00FAE199: GetFileAttributesW.KERNEL32(?,00FACF95), ref: 00FAE19A

FindFirstFileW.KERNEL32(?,?), ref: 00FAD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00FAD1DD
MoveFileW.KERNEL32(?,?), ref: 00FAD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FAD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FAD237

Part of subcall function 00FAD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00FAD21C,?,?), ref: 00FAD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00FAD253
FindClose.KERNEL32(00000000), ref: 00FAD264

Strings

\*.*, xrefs: 00FAD0CD, 00FAD0D6, 00FAD0EB

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: e0d5fceaf1b562fd576baed7a50c8d4b6ddbb6f17ffb24496bc2a9bc036bac7d
Instruction ID: b31e56658223a38aaac3e23508519ec34072f557cb7300a6e76187c2132ffb8e
Opcode Fuzzy Hash: e0d5fceaf1b562fd576baed7a50c8d4b6ddbb6f17ffb24496bc2a9bc036bac7d
Instruction Fuzzy Hash: 69615D71D0510D9BDF05EBE0DD92AEDBBB9AF56300F604165E80277192EB386F09EB60

Function 00FBED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FBED91
EmptyClipboard.USER32 ref: 00FBED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00FBEDAC
CloseClipboard.USER32 ref: 00FBEEA3

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 3596c4e29aaf47167dd5bc1e259ef5e97201e4383b6335cdcc69c17eabc3cdc1
Instruction ID: 40193bc2964b72c1744794234b57473d6acf274a970c54bc7119644a698f9fc9
Opcode Fuzzy Hash: 3596c4e29aaf47167dd5bc1e259ef5e97201e4383b6335cdcc69c17eabc3cdc1
Instruction Fuzzy Hash: D241C1356052119FD720DF26D888B99BBE5EF44328F15C099E8198B662C776EC41EFD0

Function 00FAE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA170D
Part of subcall function 00FA16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA173A
Part of subcall function 00FA16C3: GetLastError.KERNEL32 ref: 00FA174A

ExitWindowsEx.USER32(?,00000000), ref: 00FAE932

Strings

, xrefs: 00FAE95C
SeShutdownPrivilege, xrefs: 00FAE902
@, xrefs: 00FAE925
, xrefs: 00FAE920

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 6278934512c20e9d7c8400a35ed8768dcfbf5048e0c39dcd09bab19e9d634eb4
Instruction ID: 6ff6a82323b0591606ac8b5b5d561c4efb2ddfee549e7e9db37cfae3be8fd591
Opcode Fuzzy Hash: 6278934512c20e9d7c8400a35ed8768dcfbf5048e0c39dcd09bab19e9d634eb4
Instruction Fuzzy Hash: 100126B3A10315ABEB2422B49C8ABFB725CAB1A750F154422F803E21D1D5A45C40B1E0

Function 00FC1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FC1276
WSAGetLastError.WSOCK32 ref: 00FC1283
bind.WSOCK32(00000000,?,00000010), ref: 00FC12BA
WSAGetLastError.WSOCK32 ref: 00FC12C5
closesocket.WSOCK32(00000000), ref: 00FC12F4
listen.WSOCK32(00000000,00000005), ref: 00FC1303
WSAGetLastError.WSOCK32 ref: 00FC130D
closesocket.WSOCK32(00000000), ref: 00FC133C

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 8a2e1621df447c5a7efda7ae0c3d434501e8a86e717b3a5eeed7b3972d16af67
Instruction ID: daa350d1f3128300559925c35263bcdd7d66a78254645b22fefee8b53471278a
Opcode Fuzzy Hash: 8a2e1621df447c5a7efda7ae0c3d434501e8a86e717b3a5eeed7b3972d16af67
Instruction Fuzzy Hash: D1417C35A001429FD710DF24C589F69BBE6BF46328F18818DD8568B297C775EC81EBE0

Function 00FAD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F43A97,?,?,00F42E7F,?,?,?,00000000), ref: 00F43AC2

Part of subcall function 00FAE199: GetFileAttributesW.KERNEL32(?,00FACF95), ref: 00FAE19A

FindFirstFileW.KERNEL32(?,?), ref: 00FAD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FAD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FAD481
FindClose.KERNEL32(00000000), ref: 00FAD498
FindClose.KERNEL32(00000000), ref: 00FAD4A1

Strings

\*.*, xrefs: 00FAD3F2

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f8a0ddfbab605b0fb0004709d04010ad0914f561bbc0dfa660ecb69316eb56d1
Instruction ID: 20e1658e565eecf4286c2447bb75f519073014b5d5b885b64a7a36af25e7c456
Opcode Fuzzy Hash: f8a0ddfbab605b0fb0004709d04010ad0914f561bbc0dfa660ecb69316eb56d1
Instruction Fuzzy Hash: FC3182714093459FC304EF64CC558AF7BA8BE96314F444A1EF8D293191EB34AA09E763

Function 00F7E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00F7E645

Strings

1#SNAN, xrefs: 00F7F844
1#INF, xrefs: 00F7F852
1#IND, xrefs: 00F7F83D
1#QNAN, xrefs: 00F7F84B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d4537d0d633daa650a0dc1dfab0001d48e2bdd75738e43a73bc924b1d29f8657
Instruction ID: f40b1c63028938ea46f501c1731770d91b3e505e2b9f7a641f2a2cdec57f1456
Opcode Fuzzy Hash: d4537d0d633daa650a0dc1dfab0001d48e2bdd75738e43a73bc924b1d29f8657
Instruction Fuzzy Hash: 02C23C72E046288FDB25CE28DD407EAB7B5EB48314F1481EBD44DE7241E778AE859F42

Function 00FB648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB64DC
CoInitialize.OLE32(00000000), ref: 00FB6639
CoCreateInstance.OLE32(00FDFCF8,00000000,00000001,00FDFB68,?), ref: 00FB6650
CoUninitialize.OLE32 ref: 00FB68D4

Strings

.lnk, xrefs: 00FB64BA, 00FB6524, 00FB65E0

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 297ff9b6a344fdfde9140660ccd758f618e6050ad449fc344083b6fea423ebf6
Instruction ID: 08b59f40eb1f6a9342a90aa583bd9a01418017403c88420e2419a2ae5f471630
Opcode Fuzzy Hash: 297ff9b6a344fdfde9140660ccd758f618e6050ad449fc344083b6fea423ebf6
Instruction Fuzzy Hash: 6CD159716083019FC314EF24C881DABBBE9FF98314F04495DF9958B291EB75E909DBA2

Function 00FC22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00FC22E8

Part of subcall function 00FBE4EC: GetWindowRect.USER32(?,?), ref: 00FBE504

GetDesktopWindow.USER32 ref: 00FC2312
GetWindowRect.USER32(00000000), ref: 00FC2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FC2355
GetCursorPos.USER32(?), ref: 00FC2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FC23DF

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9261b934665549b5a6fb55d214b96306ed23747917888783ec3a9052e30d7cca
Instruction ID: 09f44b722e46b851df4ac6dd1626d6db638ce41dc6a519becf913ded47561e10
Opcode Fuzzy Hash: 9261b934665549b5a6fb55d214b96306ed23747917888783ec3a9052e30d7cca
Instruction Fuzzy Hash: D131CF72505356ABD720DF24D945F9BB7AAFF88710F00091EF98597181DB34E908DBD2

Function 00FB9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FB9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FB9C8B

Part of subcall function 00FB3874: GetInputState.USER32 ref: 00FB38CB
Part of subcall function 00FB3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FB9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FB9C75

Strings

*.*, xrefs: 00FB9B5D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 9bdbdb8ae596c48511f0c87141162dc1d236c8e7bd7c4a1b6ccd77867672f95b
Instruction ID: 30f0a8b69ec66311472a1fab987b66d99a44d8a84e5ab2a9e1d5b7f42543e48f
Opcode Fuzzy Hash: 9bdbdb8ae596c48511f0c87141162dc1d236c8e7bd7c4a1b6ccd77867672f95b
Instruction Fuzzy Hash: 834190B1D4820A9FDF15DFA5CC89AEE7BB4EF05310F244156E905A3191EB709E84EFA0

Function 00FAAA57 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00FAAAAC
SetKeyboardState.USER32(00000080), ref: 00FAAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00FAAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00FAAB88

Strings

______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{{, xrefs: 00FAAAEA

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: ______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{{
API String ID: 432972143-4086604533
Opcode ID: 984bcd97d92911ccbb40bb657ee96f9b3f85d961c8920cfa7e78978cb522a5ed
Instruction ID: 41756b710a2d7356afabc1d54492871a08de446b7cc924c377a5ed1c9233020f
Opcode Fuzzy Hash: 984bcd97d92911ccbb40bb657ee96f9b3f85d961c8920cfa7e78978cb522a5ed
Instruction Fuzzy Hash: BB311AB0E40608AEFF35CA64CC05BFA77A6AB86360F04421AF185561D1D3759989F7B2

Function 00F48060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00F483FA
VUUU, xrefs: 00F4843C
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00F85D0F
ERCP, xrefs: 00F4813C
VUUU, xrefs: 00F85DF0
VUUU, xrefs: 00F483E8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 0-2009957334
Opcode ID: 5aaa1223934b942201cc0ccb1665b933f901dc26dcb8785921e1d1541d7ec52b
Instruction ID: 6daa629baf8fbf93f876cce0b23cc16d5fe115b08f8171d248b470334ffca4f9
Opcode Fuzzy Hash: 5aaa1223934b942201cc0ccb1665b933f901dc26dcb8785921e1d1541d7ec52b
Instruction Fuzzy Hash: 5AA28E71E0021ACBDF24DF58C8407EDBBB1BB54764F2481AAEC15A7285DB749D82EF90

Function 00F5997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F59A4E
GetSysColor.USER32(0000000F), ref: 00F59B23
SetBkColor.GDI32(?,00000000), ref: 00F59B36

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 5c386285bfed581e2898e2ae11a084cc97e904c5b15f88a737a89f2dd3adc3ea
Instruction ID: 0b08629f22fa59571016fd55c8a3023b12f9fca622be15d018913f5c83b68109
Opcode Fuzzy Hash: 5c386285bfed581e2898e2ae11a084cc97e904c5b15f88a737a89f2dd3adc3ea
Instruction Fuzzy Hash: 1EA1197151C744FEFB2CAA7C8C48F7B365EDB82361B15410AFA02C6685CAAD9D05F272

Function 00FC1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FC307A
Part of subcall function 00FC304E: _wcslen.LIBCMT ref: 00FC309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FC185D
WSAGetLastError.WSOCK32 ref: 00FC1884
bind.WSOCK32(00000000,?,00000010), ref: 00FC18DB
WSAGetLastError.WSOCK32 ref: 00FC18E6
closesocket.WSOCK32(00000000), ref: 00FC1915

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c682bd50a6f9469f2c8b350de7ab2c614db8407429a6858632d72173a1866439
Instruction ID: fde5966b2d28d07d4861ddeff21ba05bcc0c48d413bef30d3feed1048a03bd14
Opcode Fuzzy Hash: c682bd50a6f9469f2c8b350de7ab2c614db8407429a6858632d72173a1866439
Instruction Fuzzy Hash: B2518171A00211AFEB10AF24C986F2A7BA5AB45718F18849CF9059F3D3C775AD41EBE1

Function 00FD1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FD1CC0
IsWindowEnabled.USER32 ref: 00FD1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00FD1CDB
IsIconic.USER32 ref: 00FD1CE9
IsZoomed.USER32 ref: 00FD1CF7

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 75cfdb46d666e9b7007b5443443ed9f685248a3de1ab7877a39ce050f688a533
Instruction ID: 5521d93adf3751b9ce9215e9a498fd210d148f6ae5f527ba9dfce90a6c9529fe
Opcode Fuzzy Hash: 75cfdb46d666e9b7007b5443443ed9f685248a3de1ab7877a39ce050f688a533
Instruction Fuzzy Hash: 1121D631B512116FD7208F2AC844B5A7BA7FF95325B1C805AE8498B351D775DC42EBD0

Function 00FCA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FCA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00FCA6BA

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Process32NextW.KERNEL32(00000000,?), ref: 00FCA79C
CloseHandle.KERNEL32(00000000), ref: 00FCA7AB

Part of subcall function 00F5CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F83303,?), ref: 00F5CE8A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 4ae30e43ef0f9e09acb163001054ddaa90f8a89634bac98771e583569f651cf2
Instruction ID: 94671397d3c2e9ae9ec86235a81825da48c8078d6b305f24f3b063120d3d9bef
Opcode Fuzzy Hash: 4ae30e43ef0f9e09acb163001054ddaa90f8a89634bac98771e583569f651cf2
Instruction Fuzzy Hash: AA514771508301AFD310EF24CC86A6BBBE8FF89754F00491DF98597292EB74E904DB92

Function 00F7BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F7BB7F

Part of subcall function 00F729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000), ref: 00F729DE
Part of subcall function 00F729C8: GetLastError.KERNEL32(00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000,00000000), ref: 00F729F0

GetTimeZoneInformation.KERNEL32 ref: 00F7BB91
WideCharToMultiByte.KERNEL32(00000000,?,0101121C,000000FF,?,0000003F,?,?), ref: 00F7BC09
WideCharToMultiByte.KERNEL32(00000000,?,01011270,000000FF,?,0000003F,?,?,?,0101121C,000000FF,?,0000003F,?,?), ref: 00F7BC36

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: b87ef63287073376496b6c3464a5f4da48ab1ed76182a6a47dbb7e3cc3c49681
Instruction ID: 10f798023ca0e3c5a3e86caa5c4e0d3665de138da3f81b28d4fb7b55c589ae1a
Opcode Fuzzy Hash: b87ef63287073376496b6c3464a5f4da48ab1ed76182a6a47dbb7e3cc3c49681
Instruction Fuzzy Hash: F13102B0904205EFCB15DF78CC80AA9BBB8BF46320714C25BE158D72A5C7398950EB51

Function 00FBCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00FBCE89
GetLastError.KERNEL32(?,00000000), ref: 00FBCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00FBCEFE

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 8cbb7bf030f866a98671938561c93ef8b92ddf3a5469ba799c6f7e341cf6958f
Instruction ID: e09e7feab59316deee4337c779c3bfd9f4a2bfd373bb131461281677af17b4dc
Opcode Fuzzy Hash: 8cbb7bf030f866a98671938561c93ef8b92ddf3a5469ba799c6f7e341cf6958f
Instruction Fuzzy Hash: 4C218C72900306DBEB209FA6C948BA777F9EB40364F10441EE54692151E774EE04EFA0

Function 00FA8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FA82AA

Strings

|, xrefs: 00FA82DA
(, xrefs: 00FA82F0

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 915b3067e25874ec2441d78c13b39355132bc3a354ed50fdff7ac8228cbea0f3
Instruction ID: 7dd17ecf8fcd2f30ccbec763b492a0ec5f3afd9d0fb97f5eb6621466c3ec9d1c
Opcode Fuzzy Hash: 915b3067e25874ec2441d78c13b39355132bc3a354ed50fdff7ac8228cbea0f3
Instruction Fuzzy Hash: 023239B5A007059FCB28CF59C481A6AB7F0FF48760B15C46EE59ADB3A1DB70E942DB40

Function 00FB5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FB5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00FB5D17
FindClose.KERNEL32(?), ref: 00FB5D5F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 2dedf5285a065fcbb94e66e916e6b4f3f359dad5e07dc14fb568db6aa24f9690
Instruction ID: 53bb98198d9826e26a2a89cc0cffc2eef9fa5aef2722245bfe7e799c20dd015c
Opcode Fuzzy Hash: 2dedf5285a065fcbb94e66e916e6b4f3f359dad5e07dc14fb568db6aa24f9690
Instruction Fuzzy Hash: 5151AC75A046019FC714CF29C894A96BBE4FF49324F14865EE95A8B3A1CB38FC04DF91

Function 00F72622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00F7271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F72724
UnhandledExceptionFilter.KERNEL32(?), ref: 00F72731

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0269df50c724162d9634ac2e85825538ced3a55ff28d5066dd7c3052b211015d
Instruction ID: d557474a8f0ababc1bad7bd56337e4381fcc03b85c43c750d6248af23d784b51
Opcode Fuzzy Hash: 0269df50c724162d9634ac2e85825538ced3a55ff28d5066dd7c3052b211015d
Instruction Fuzzy Hash: 5F31D67491121D9BCB61DF68DD897DDB7B8AF08310F5042EAE80CA7260EB349F819F45

Function 00FB51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FB51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FB5238
SetErrorMode.KERNEL32(00000000), ref: 00FB52A1

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 11f6fb6e7c857eb113955dd421e8711a9b6377346dc28841d0133cf121979eac
Instruction ID: 02c50371978433a608797f0c6542e3b8bbd289e650903207baa1499297d07c92
Opcode Fuzzy Hash: 11f6fb6e7c857eb113955dd421e8711a9b6377346dc28841d0133cf121979eac
Instruction Fuzzy Hash: 51317C75A00518DFDB00DF54D884FADBBB5FF09314F088099E805AB352CB36E846DBA0

Function 00FA16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F5FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F60668
Part of subcall function 00F5FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F60685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA173A
GetLastError.KERNEL32 ref: 00FA174A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: a705ddc5fe131a42e85444df40501448699a9105eb29ab2d2596ce4d970d78cd
Instruction ID: ba2b8130859990fc70a5da95dcd93f55d891baeff35cfd81d9edbfb7dfdefc83
Opcode Fuzzy Hash: a705ddc5fe131a42e85444df40501448699a9105eb29ab2d2596ce4d970d78cd
Instruction Fuzzy Hash: F511C1B2400309AFD718AF64DC86D6AB7B9FB04714B20852EE45697241EB70BC45DA60

Function 00FAD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FAD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00FAD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FAD650

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 2225a04efee65ea55c7ee4bf1e41b359c6ab32aaf7fd2884c208ae1a5a1cb7c5
Instruction ID: 7d15e0cb9ccf236903c1cb6021a7424f38cdc5114a6eccacdd9af03ed9ab13e9
Opcode Fuzzy Hash: 2225a04efee65ea55c7ee4bf1e41b359c6ab32aaf7fd2884c208ae1a5a1cb7c5
Instruction Fuzzy Hash: 6D115EB5E05228BFDB148FA5DC45FAFBBBCEB45B60F108116F904E7290D6704A059BE1

Function 00FA1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00FA168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FA16A1
FreeSid.ADVAPI32(?), ref: 00FA16B1

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: cfa7489408e26773dad71e94e28399df250532b272aec8fd3715b35b9c498b0d
Instruction ID: 4bf4bc4a3ee01a89163b1c446fbf4fe3817277173117f5e4a97e9130175a18ae
Opcode Fuzzy Hash: cfa7489408e26773dad71e94e28399df250532b272aec8fd3715b35b9c498b0d
Instruction Fuzzy Hash: F7F0F47195130DFBDF00DFF4DC89AAEBBBDFB08604F504565E501E2181E774AA449A90

Function 00F64CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00F728E9,?,00F64CBE,00F728E9,010088B8,0000000C,00F64E15,00F728E9,00000002,00000000,?,00F728E9), ref: 00F64D09
TerminateProcess.KERNEL32(00000000,?,00F64CBE,00F728E9,010088B8,0000000C,00F64E15,00F728E9,00000002,00000000,?,00F728E9), ref: 00F64D10
ExitProcess.KERNEL32 ref: 00F64D22

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cf9ccd97602c4055365abd349c6396fa8fd128669eb6480e774fa6337960fd79
Instruction ID: 3133ef2294daa6f8199b7e2d728d350f7952f44a82deacda00f29ce0beb75c67
Opcode Fuzzy Hash: cf9ccd97602c4055365abd349c6396fa8fd128669eb6480e774fa6337960fd79
Instruction Fuzzy Hash: 43E0B631801149ABCF11BF64DD09E583B6AEB41791F108015FC498B122CB39ED42FA80

Function 00F9D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F9D28C

Strings

X64, xrefs: 00F9D2A8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: abed5275599aed51fa071810defca0ccaa72da5ac9d515060fa45dffed2f597a
Instruction ID: 3fd17cedadc2b06706f481e676a68f7f29369852089b067919fb5b163196cee3
Opcode Fuzzy Hash: abed5275599aed51fa071810defca0ccaa72da5ac9d515060fa45dffed2f597a
Instruction Fuzzy Hash: 73D0C9B580211DEACF94CBA0DC88ED9B37CBB04305F100152F506E2080D7309548AF10

Function 00F6CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: abf4073c518ba1c84133384ff04df814f311dc34ce11972c530a07b0dff34383
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: FC022D72E001199FDF14CFA9C8806ADFBF5FF88324F25816AD999E7380D731A9419B94

Function 00FB68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FB6918
FindClose.KERNEL32(00000000), ref: 00FB6961

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d9ef4e14190d10a0a846095e8184cd9f92641525c07d54d36f690b43b663cb8f
Instruction ID: befa94237c2f264a636cd2575c5a96665cb6e8fdcffd5589665034d6a15db092
Opcode Fuzzy Hash: d9ef4e14190d10a0a846095e8184cd9f92641525c07d54d36f690b43b663cb8f
Instruction Fuzzy Hash: 041190316042119FD710DF2AD884A16BBE5FF85329F15C699E8698F2A2C738EC05DBD1

Function 00FB37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00FC4891,?,?,00000035,?), ref: 00FB37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00FC4891,?,?,00000035,?), ref: 00FB37F4

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0c77fe42fcde2448f658061f3e7f7284d781ab6e8ea5ae6090acc4675e844de6
Instruction ID: c7d86c9dc65b75ed70ad98823039da29674b25c1488758ce9b24e30c2b69eac2
Opcode Fuzzy Hash: 0c77fe42fcde2448f658061f3e7f7284d781ab6e8ea5ae6090acc4675e844de6
Instruction Fuzzy Hash: 0AF0E5B17092296AE72027769C4DFEB3BAEEFC4761F000265F609D2281D9609904DBF0

Function 00FAB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00FAB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00FAB270

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 398435667267332a048c44aa794a78b6816b1f4d1d775d09be57484b17b6ace2
Instruction ID: 530a17f08dd291f258de93e523723026530628951be628ce3859903b5c540e73
Opcode Fuzzy Hash: 398435667267332a048c44aa794a78b6816b1f4d1d775d09be57484b17b6ace2
Instruction Fuzzy Hash: DBF01D7180424EABDB069FA0C805BAE7BB4FF05315F04804AF955A5192C7798611EF94

Function 00FA10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FA11FC), ref: 00FA10D4
CloseHandle.KERNEL32(?,?,00FA11FC), ref: 00FA10E9

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 249e0b2ff077d8263ece2ce0f3ae70ebc16408402835fed2c0135b248b964c34
Instruction ID: 3ea1a7225aecd00df13ae9d69812800c7a7847aa6759c98265fe66d4c3eb8f7a
Opcode Fuzzy Hash: 249e0b2ff077d8263ece2ce0f3ae70ebc16408402835fed2c0135b248b964c34
Instruction Fuzzy Hash: E6E04F72004601AFF7252B21FC0AE7377A9EB04321F10C82EF9A5804B1DB626C94EB50

Function 00F4CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00F90C40

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: fe2c0ff115e3a34c5be0ad9e664b2fdb2383994f41bbfa6625c8995bc35f575e
Instruction ID: e2d6e17c6332c67d978555350251b2da914b1d1a623beeae9d6173fc8092eaaa
Opcode Fuzzy Hash: fe2c0ff115e3a34c5be0ad9e664b2fdb2383994f41bbfa6625c8995bc35f575e
Instruction Fuzzy Hash: 72327A31D012189FDF54DF90C881BEDBBB5BF04314F144069ED06AB292DB79AD49EBA0

Function 00F7676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F76766,?,?,00000008,?,?,00F7FEFE,00000000), ref: 00F76998

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ffd5b0825d773fa6e3270aa50f86ec3a2534cc6a4db1e0b39a208297a737deb1
Instruction ID: d34bc9b159fac71a4f5ae17488eeaf609080fb51a8ebffb7eec3cd99318aa17f
Opcode Fuzzy Hash: ffd5b0825d773fa6e3270aa50f86ec3a2534cc6a4db1e0b39a208297a737deb1
Instruction Fuzzy Hash: 09B16C32910A099FE719CF28C486B647BE0FF05364F25C659E89DCF2A2C335D981DB42

Function 00F5B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00F9851F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1864421e8475ad7342196ae53f90bdeaf69f7274af674a901f406cdf39f34467
Instruction ID: 035a61c4a92031711345cffef0ec4b95196ccd5b05ebacc62109771640581aa2
Opcode Fuzzy Hash: 1864421e8475ad7342196ae53f90bdeaf69f7274af674a901f406cdf39f34467
Instruction Fuzzy Hash: B0125E71D002299FDF24CF58C880BEEB7B5FF49710F14819AE949EB251DB349A85EB90

Function 00FBEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00FBEABD

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 4f2d8e85002a7e924e5ee43c54c885cd436fbaf07ea67347a6aca121e7d28989
Instruction ID: 8bee117701ceda8367172932e1cc78d2198f1c1d689b11d2a088636b249e08c2
Opcode Fuzzy Hash: 4f2d8e85002a7e924e5ee43c54c885cd436fbaf07ea67347a6aca121e7d28989
Instruction Fuzzy Hash: 84E01A362002049FC710EF6AD804E9AFBEDAF98770F008416FC49C7391DA79E8409BA0

Function 00F609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F603EE), ref: 00F609DA

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5a1f12c76b4cd68f641d2d7abf4382a0436668a178710b914040c0cae4fd5df5
Instruction ID: 38d93aa7c6aeac3614379149b45d7dcff72c2a61be35375626c74b50ed1de43c
Opcode Fuzzy Hash: 5a1f12c76b4cd68f641d2d7abf4382a0436668a178710b914040c0cae4fd5df5
Instruction Fuzzy Hash:

Function 00F6781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00F6798B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 4d1fe8a426a956e419b4484b43236329c35b9639704d4fff12655f909ac802e6
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 0E515972E0C7455BDB38B57888597BF63D59B0236CF280A09E882D7283C619EE46F356

Function 00F76DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5784f6ec91df2fba9dd9c1837b690c850555ccdd35f180109f1a7d08625170
Instruction ID: 35ee97987510e1f095c71b603cbb4a60ba1bf0dc3f4bfdfa52e8b829dfa1a4ba
Opcode Fuzzy Hash: ac5784f6ec91df2fba9dd9c1837b690c850555ccdd35f180109f1a7d08625170
Instruction Fuzzy Hash: 9E326422D39F454DD723A634CC62335A68DAFB73D4F15C337E81AB99A6EB28C4836101

Function 00F5CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302652e6670c68fd62b0fd7071bcb7e70f431243234a87cba26f06a7aef4475f
Instruction ID: d851841d2349186f697a3daafe5de120331ea49a0201cb3cf66adb521c458819
Opcode Fuzzy Hash: 302652e6670c68fd62b0fd7071bcb7e70f431243234a87cba26f06a7aef4475f
Instruction Fuzzy Hash: 69323D32E002858FEF25CF29C49467D7BA1EB45321F288566DA5ACB291D334DD85FBC1

Function 00F47920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c13f48b8064bc1d3935cd9ce571a37d12a5a77b4b2da567fbabe7e6937739ab
Instruction ID: 113ed3f97f5e675553514884049b95d0e0cc66dae6a1e79723edb632ce0d393f
Opcode Fuzzy Hash: 7c13f48b8064bc1d3935cd9ce571a37d12a5a77b4b2da567fbabe7e6937739ab
Instruction Fuzzy Hash: 0F22C271E04609DFDF14EF64C881AEEB7B6FF44710F144529E812AB291EB3A9D14EB50

Function 00F491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc32dddfd77aa7c76b5152fe79376e2839dd76c8d434e84280d7b30e3f1eb48
Instruction ID: d91565cf09acc40bd2d8467f8e56b8dcbf10ed626a2f2141bb2122581dbdc0fd
Opcode Fuzzy Hash: fdc32dddfd77aa7c76b5152fe79376e2839dd76c8d434e84280d7b30e3f1eb48
Instruction Fuzzy Hash: F002C6B1E00205EFDB05EF54D881AAEBBB5FF44310F108169E816DB391EB75AE14EB91

Function 00F79EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588d4c0630e9b6b910d3ba2ff209b128a0fef488509de7de8f7abb0dfc0edb97
Instruction ID: fb3bda80359159adca2c6abb8290f5228755129e54e1e172445ebc7d61b6481c
Opcode Fuzzy Hash: 588d4c0630e9b6b910d3ba2ff209b128a0fef488509de7de8f7abb0dfc0edb97
Instruction Fuzzy Hash: 1EB12620D2AF844DD32396398879336B65C6FBB2C5F52D31BFC1679D22EB2285835141

Function 00F61C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 8425a342cf981425ecaefe6de93ca6b5a585b6fb1602eaf7cd17d19a4ba1ed21
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 67915673A080E34ADB6D463A857417EFFE16A523B131E079ED4F2CA1C5EE14D954F620

Function 00F619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: b54c0c27d69e95290fcd188addb88afea45a9e01bc383b926557cdc64a12fd80
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: E49132736090E34ADB6D467A857407EFFE16A923B231E079ED4F2CA1C1FE248564F620

Function 00F67A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4445ef52029c93c674666bc4c600799db6f2ed63728809be77b16c9ae3a77c1
Instruction ID: 9bf714c67e65a4267d06d142b95732bc02c86cf06563e64fa09c744ec4f5e070
Opcode Fuzzy Hash: f4445ef52029c93c674666bc4c600799db6f2ed63728809be77b16c9ae3a77c1
Instruction Fuzzy Hash: 4861AB31A0C30956DE34BA688DA1BBF3394DF8176CF240A1DE843CB296DA199E43F315

Function 00F67CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc885294b574d4343999cfdbffcf5ab41ff237e0203b8e0c453df08b5a349f0
Instruction ID: a93918f2eedc94e7c9fbcc5eb3d79c855a46613746ece3d6f921f5752f429b5b
Opcode Fuzzy Hash: 9cc885294b574d4343999cfdbffcf5ab41ff237e0203b8e0c453df08b5a349f0
Instruction Fuzzy Hash: 7861AC31E0870962DF38BA288D51BBF3394DF5276CF100E59E943CB281EA17AD46B311

Function 00F61706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: adeeb1eb19df6d11e6dad7abafabbf5a441b80c1f63d266529912abc1f3e15f0
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: CA814373A090A349DB6D863A857443EFFE17A923B131E079DD4F2CB1C1EE249554F620

Function 015D3610 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654657799.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15d0000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 192d9905ee9fac6fb8929a5a38a05f4356e59a1efd682de75e5fd4dc2bd7d590
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 4C41C2B1D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB40

Function 00FB2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732ffd4d66af5fcaf2e4ad9c126725daa7aa301b73b7f0eb01c6e434090f309b
Instruction ID: 0da3feebc631b0d9bb73c4cca38c97ce2e508649ef7b254a4220d3fcc99df9ca
Opcode Fuzzy Hash: 732ffd4d66af5fcaf2e4ad9c126725daa7aa301b73b7f0eb01c6e434090f309b
Instruction Fuzzy Hash: 2721A8326205158BD728CE79C8126BE73D5A754320F258A2EE4A7C37C4DE3EA904DB40

Function 015D3500 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654657799.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15d0000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: d86374358eeba9178b4ead7ce399705af70c473904ae5c3ecdf2c78f0d12e0fe
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 1601A4B8A04109EFCB94DF98C5909AEF7F5FF88310F608599D819AB701E730AE41DB81

Function 015D34A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654657799.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15d0000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 0b4660f39bf05443c72055cd22ddb7a40618c6dac0490d5a6bc3a54b84433985
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: F101E478A00209EFCB95DF98C5849AEF7F5FF88310F208599D809AB301E734AE41DB80

Function 015D1E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654657799.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15d0000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00FC2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FC2B30
DeleteObject.GDI32(00000000), ref: 00FC2B43
DestroyWindow.USER32 ref: 00FC2B52
GetDesktopWindow.USER32 ref: 00FC2B6D
GetWindowRect.USER32(00000000), ref: 00FC2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FC2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FC2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2CF8
GetClientRect.USER32(00000000,?), ref: 00FC2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FC2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2DA8
GlobalFree.KERNEL32(00000000), ref: 00FC2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FDFC38,00000000), ref: 00FC2DDB
GlobalFree.KERNEL32(00000000), ref: 00FC2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FC2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FC2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC303F

Strings

, xrefs: 00FC2FC5
static, xrefs: 00FC2D3A, 00FC2E91
DISPLAY, xrefs: 00FC2EA2
AutoIt v3, xrefs: 00FC2CF2

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: c23b3598d079c2d31df000f3085e5b3f74bfb7267795b5839b1bb52bf09b9b5d
Instruction ID: 9623a7a7a28271c07d85ba889e90b82067882769dac80d46e15aa785cdd8a415
Opcode Fuzzy Hash: c23b3598d079c2d31df000f3085e5b3f74bfb7267795b5839b1bb52bf09b9b5d
Instruction Fuzzy Hash: 57027E7190021AAFDB14DF64CD89FAE7BBAEF48310F048519F915AB2A5C774ED01DBA0

Function 00FD70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FD712F
GetSysColorBrush.USER32(0000000F), ref: 00FD7160
GetSysColor.USER32(0000000F), ref: 00FD716C
SetBkColor.GDI32(?,000000FF), ref: 00FD7186
SelectObject.GDI32(?,?), ref: 00FD7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00FD71C0
GetSysColor.USER32(00000010), ref: 00FD71C8
CreateSolidBrush.GDI32(00000000), ref: 00FD71CF
FrameRect.USER32(?,?,00000000), ref: 00FD71DE
DeleteObject.GDI32(00000000), ref: 00FD71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00FD7230
FillRect.USER32(?,?,?), ref: 00FD7262
GetWindowLongW.USER32(?,000000F0), ref: 00FD7284

Part of subcall function 00FD73E8: GetSysColor.USER32(00000012), ref: 00FD7421
Part of subcall function 00FD73E8: SetTextColor.GDI32(?,?), ref: 00FD7425
Part of subcall function 00FD73E8: GetSysColorBrush.USER32(0000000F), ref: 00FD743B
Part of subcall function 00FD73E8: GetSysColor.USER32(0000000F), ref: 00FD7446
Part of subcall function 00FD73E8: GetSysColor.USER32(00000011), ref: 00FD7463
Part of subcall function 00FD73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FD7471
Part of subcall function 00FD73E8: SelectObject.GDI32(?,00000000), ref: 00FD7482
Part of subcall function 00FD73E8: SetBkColor.GDI32(?,00000000), ref: 00FD748B
Part of subcall function 00FD73E8: SelectObject.GDI32(?,?), ref: 00FD7498
Part of subcall function 00FD73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00FD74B7
Part of subcall function 00FD73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FD74CE
Part of subcall function 00FD73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00FD74DB

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 47fe7699456f411c525687b5ac7f3e1f252e1ccd85e33e8c540c6d4abae612f6
Instruction ID: 4036bce6629f342a18ddfe7454029ffea24289baedaea5795b299723a14ae290
Opcode Fuzzy Hash: 47fe7699456f411c525687b5ac7f3e1f252e1ccd85e33e8c540c6d4abae612f6
Instruction Fuzzy Hash: E8A1B372409316AFDB00AF60DC48B5BBBAAFF49321F140B1AF962961E1D731D944EB91

Function 00F58D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F58E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F96AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F96AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F96F43

Part of subcall function 00F58F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F58BE8,?,00000000,?,?,?,?,00F58BBA,00000000,?), ref: 00F58FC5

SendMessageW.USER32(?,00001053), ref: 00F96F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F96F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F96FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F96FB7

Strings

0, xrefs: 00F96DCF

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f908c670a9a51435c9f87e8ac14fb8f968862ef9dfa8a9d13ff2ec4857e23a59
Instruction ID: a51c767b47d925a38c94fee76191353dc66b0dae3241515034ba1b1f209dbf6c
Opcode Fuzzy Hash: f908c670a9a51435c9f87e8ac14fb8f968862ef9dfa8a9d13ff2ec4857e23a59
Instruction Fuzzy Hash: 8112D030A01202EFEB25DF24D845BA9BBF2FB44321F144069F695DB251CB36EC56EB91

Function 00FC2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00FC273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FC286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FC28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FC28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FC2900
GetClientRect.USER32(00000000,?), ref: 00FC290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FC2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FC2964
GetStockObject.GDI32(00000011), ref: 00FC2974
SelectObject.GDI32(00000000,00000000), ref: 00FC2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FC2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FC2991
DeleteDC.GDI32(00000000), ref: 00FC299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FC29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00FC29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FC2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FC2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00FC2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FC2A77
GetStockObject.GDI32(00000011), ref: 00FC2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FC2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FC2A97

Strings

static, xrefs: 00FC294F, 00FC2A71
DISPLAY, xrefs: 00FC295A
msctls_progress32, xrefs: 00FC2A13
AutoIt v3, xrefs: 00FC28F8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 14d7f90c013ccff68eea0c07d478a94078035cb57458922a4468e9d474eb1004
Instruction ID: a6b9527c23f6b9f38767b4fb13aeaa7505d63b2718d5fb6683c6f4d35b60ffd5
Opcode Fuzzy Hash: 14d7f90c013ccff68eea0c07d478a94078035cb57458922a4468e9d474eb1004
Instruction Fuzzy Hash: AAB13CB1A4021AAFEB14DF78CD86FAE7BA9EB04710F008519FA15E7294D774E940DB90

Function 00FB4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FB4AED
GetDriveTypeW.KERNEL32(?,00FDCB68,?,\\.\,00FDCC08), ref: 00FB4BCA
SetErrorMode.KERNEL32(00000000,00FDCB68,?,\\.\,00FDCC08), ref: 00FB4D36

Strings

USB, xrefs: 00FB4CB4
RAMDisk, xrefs: 00FB4BF4
SCSI, xrefs: 00FB4C8A
Removable, xrefs: 00FB4C10, 00FB4C15
Unknown, xrefs: 00FB4BED, 00FB4C83
RAID, xrefs: 00FB4CBB
FileBackedVirtual, xrefs: 00FB4CEC
1394, xrefs: 00FB4C9F
Virtual, xrefs: 00FB4CE5
SSD, xrefs: 00FB4C4A
\\.\, xrefs: 00FB4B3F
CDROM, xrefs: 00FB4BFB
SAS, xrefs: 00FB4CC9
Fibre, xrefs: 00FB4CAD
iSCSI, xrefs: 00FB4CC2
MMC, xrefs: 00FB4CDE
ATAPI, xrefs: 00FB4C91
ATA, xrefs: 00FB4C98
PhysicalDrive, xrefs: 00FB4B76
Fixed, xrefs: 00FB4C09
SATA, xrefs: 00FB4CD0
Network, xrefs: 00FB4C02
SSA, xrefs: 00FB4CA6

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3abe33d9e9b92f2982234670c77c074cf619f888d3681671ed444bf9245b7e9f
Instruction ID: e3da23c4b208bec1be4111bf76dc7b1bc74c528f25111e131f65d927fb43609a
Opcode Fuzzy Hash: 3abe33d9e9b92f2982234670c77c074cf619f888d3681671ed444bf9245b7e9f
Instruction Fuzzy Hash: 1561E771A051069BDB05EF16CB81EF97BA2AB44700F24401AF8069B293CB36FD45FF41

Function 00FD73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FD7421
SetTextColor.GDI32(?,?), ref: 00FD7425
GetSysColorBrush.USER32(0000000F), ref: 00FD743B
GetSysColor.USER32(0000000F), ref: 00FD7446
CreateSolidBrush.GDI32(?), ref: 00FD744B
GetSysColor.USER32(00000011), ref: 00FD7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FD7471
SelectObject.GDI32(?,00000000), ref: 00FD7482
SetBkColor.GDI32(?,00000000), ref: 00FD748B
SelectObject.GDI32(?,?), ref: 00FD7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00FD74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FD74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00FD74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FD752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FD7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00FD7572
DrawFocusRect.USER32(?,?), ref: 00FD757D
GetSysColor.USER32(00000011), ref: 00FD758E
SetTextColor.GDI32(?,00000000), ref: 00FD7596
DrawTextW.USER32(?,00FD70F5,000000FF,?,00000000), ref: 00FD75A8
SelectObject.GDI32(?,?), ref: 00FD75BF
DeleteObject.GDI32(?), ref: 00FD75CA
SelectObject.GDI32(?,?), ref: 00FD75D0
DeleteObject.GDI32(?), ref: 00FD75D5
SetTextColor.GDI32(?,?), ref: 00FD75DB
SetBkColor.GDI32(?,?), ref: 00FD75E5

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 60d5ee416a9ff43d6f3e4448398497e51a817d54e8747a37c693943f83c71a83
Instruction ID: 09bbac6236aeee89d01a7701bcd78450e55d2afccb081bbedcaeb7116c9017ad
Opcode Fuzzy Hash: 60d5ee416a9ff43d6f3e4448398497e51a817d54e8747a37c693943f83c71a83
Instruction Fuzzy Hash: 50616F72D01219AFDF019FA4DC49FEEBFBAEB09320F144116F915AB2A1D7749940EB90

Function 00FD0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FD1128
GetDesktopWindow.USER32 ref: 00FD113D
GetWindowRect.USER32(00000000), ref: 00FD1144
GetWindowLongW.USER32(?,000000F0), ref: 00FD1199
DestroyWindow.USER32(?), ref: 00FD11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FD11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FD121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00FD1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FD1245
IsWindowVisible.USER32(00000000), ref: 00FD12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FD12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FD12D0
GetWindowRect.USER32(00000000,?), ref: 00FD12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00FD130E
GetMonitorInfoW.USER32(00000000,?), ref: 00FD1328
CopyRect.USER32(?,?), ref: 00FD133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00FD13AA

Strings

tooltips_class32, xrefs: 00FD11E6
0, xrefs: 00FD10D3
(, xrefs: 00FD131B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 7ab433fd3aec6f2495f1272033ec620e7fca34493bf51fc3a60fa030a5204f60
Instruction ID: 9cedeb8e07e55d920b438d3462ff0d6f22e4bb56a4e5e9a2e432dff96f3bc4ef
Opcode Fuzzy Hash: 7ab433fd3aec6f2495f1272033ec620e7fca34493bf51fc3a60fa030a5204f60
Instruction Fuzzy Hash: DBB17C71608341AFD714DF64C884B6BBBE6FF88350F04891AF9999B2A1C771E844EB91

Function 00F58891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F58968
GetSystemMetrics.USER32(00000007), ref: 00F58970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F5899B
GetSystemMetrics.USER32(00000008), ref: 00F589A3
GetSystemMetrics.USER32(00000004), ref: 00F589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F58A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F58A3C
GetClientRect.USER32(00000000,000000FF), ref: 00F58A5A
GetStockObject.GDI32(00000011), ref: 00F58A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F58A81

Part of subcall function 00F5912D: GetCursorPos.USER32(?), ref: 00F59141
Part of subcall function 00F5912D: ScreenToClient.USER32(00000000,?), ref: 00F5915E
Part of subcall function 00F5912D: GetAsyncKeyState.USER32(00000001), ref: 00F59183
Part of subcall function 00F5912D: GetAsyncKeyState.USER32(00000002), ref: 00F5919D

SetTimer.USER32(00000000,00000000,00000028,00F590FC), ref: 00F58AA8

Strings

AutoIt v3 GUI, xrefs: 00F58A20

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7f218bf6922c2efa86d8667743ee204c4f640acbcdc30d5448c529186786c103
Instruction ID: 6d992ddc2036f885d63f163ff7ae53edf5e9e9def37b7ca54e366c935329964c
Opcode Fuzzy Hash: 7f218bf6922c2efa86d8667743ee204c4f640acbcdc30d5448c529186786c103
Instruction Fuzzy Hash: FCB17D31A0020AAFDF14DFA8DC45BAE3BB5FB48325F14421AFA15E7290DB78E841DB51

Function 00FA0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA1114
Part of subcall function 00FA10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA1120
Part of subcall function 00FA10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA112F
Part of subcall function 00FA10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA1136
Part of subcall function 00FA10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FA0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FA0E29
GetLengthSid.ADVAPI32(?), ref: 00FA0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00FA0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FA0E96
GetLengthSid.ADVAPI32(?), ref: 00FA0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FA0EB5
HeapAlloc.KERNEL32(00000000), ref: 00FA0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FA0EDD
CopySid.ADVAPI32(00000000), ref: 00FA0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FA0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FA0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FA0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0F6E
HeapFree.KERNEL32(00000000), ref: 00FA0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0F7E
HeapFree.KERNEL32(00000000), ref: 00FA0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0F8E
HeapFree.KERNEL32(00000000), ref: 00FA0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00FA0FA1
HeapFree.KERNEL32(00000000), ref: 00FA0FA8

Part of subcall function 00FA1193: GetProcessHeap.KERNEL32(00000008,00FA0BB1,?,00000000,?,00FA0BB1,?), ref: 00FA11A1
Part of subcall function 00FA1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FA0BB1,?), ref: 00FA11A8
Part of subcall function 00FA1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FA0BB1,?), ref: 00FA11B7

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: da1dfcc2d8f95e9f491886ea26354f677340588645df96eda3597155e1200d63
Instruction ID: 8c3aeffc624a90c54507eb04978e38b986cebee6cee5e7e9605c06c9b872d15b
Opcode Fuzzy Hash: da1dfcc2d8f95e9f491886ea26354f677340588645df96eda3597155e1200d63
Instruction Fuzzy Hash: 9D714EB190121AEFDF209FA5EC48BAEBBB9FF05311F044116F919F6191DB319905EBA0

Function 00FCC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FDCC08,00000000,?,00000000,?,?), ref: 00FCC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FCC5A4
_wcslen.LIBCMT ref: 00FCC5F4
_wcslen.LIBCMT ref: 00FCC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FCC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FCC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FCC84D
RegCloseKey.ADVAPI32(?), ref: 00FCC881
RegCloseKey.ADVAPI32(00000000), ref: 00FCC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FCC960

Strings

REG_MULTI_SZ, xrefs: 00FCC6F5
REG_BINARY, xrefs: 00FCC913
REG_EXPAND_SZ, xrefs: 00FCC5CD
REG_SZ, xrefs: 00FCC644
REG_DWORD, xrefs: 00FCC804
REG_QWORD, xrefs: 00FCC8C3

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 7541e6b2683d74db3f9df576277464f15c3195ca3e9b062f3e8a93aaca62453b
Instruction ID: 6c346a2ed7c92c6efd575a08bbe7815941f911a0750b50e6c1067f30b7380bce
Opcode Fuzzy Hash: 7541e6b2683d74db3f9df576277464f15c3195ca3e9b062f3e8a93aaca62453b
Instruction Fuzzy Hash: 911249356042019FD714DF14C991F2ABBE5EF88724F08885DF88A9B3A2DB35ED41EB81

Function 00FD091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FD09C6
_wcslen.LIBCMT ref: 00FD0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FD0A54
_wcslen.LIBCMT ref: 00FD0A8A
_wcslen.LIBCMT ref: 00FD0B06
_wcslen.LIBCMT ref: 00FD0B81

Part of subcall function 00F5F9F2: _wcslen.LIBCMT ref: 00F5F9FD

Part of subcall function 00FA2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FA2BFA

Strings

CHECK, xrefs: 00FD0A85, 00FD0AA0
ISCHECKED, xrefs: 00FD0CE1
COLLAPSE, xrefs: 00FD0B01, 00FD0B1C
EXPAND, xrefs: 00FD0BF8
EXISTS, xrefs: 00FD0B7C, 00FD0B97
GETTEXT, xrefs: 00FD0C97
GETSELECTED, xrefs: 00FD0C4E
UNCHECK, xrefs: 00FD0D3E
SELECT, xrefs: 00FD0D11
GETTOTALCOUNT, xrefs: 00FD09F2, 00FD0A17
GETITEMCOUNT, xrefs: 00FD0C1E

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: cb166bdb62258821f4bcd3ac91ff28a753a9b500f880bd67905f8560b0cc6527
Instruction ID: 5befd6e3c2f292770cb198d4d5bc01066bfb8cde3692ef1f763c418e8ddb8fc8
Opcode Fuzzy Hash: cb166bdb62258821f4bcd3ac91ff28a753a9b500f880bd67905f8560b0cc6527
Instruction Fuzzy Hash: 02E193316087019FC714EF24C850A2AB7E2FF99324F18495EF8959B3A2DB35ED45EB81

Function 00FCC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB6AE,?,?), ref: 00FCC9B5
_wcslen.LIBCMT ref: 00FCC9F1
_wcslen.LIBCMT ref: 00FCCA68
_wcslen.LIBCMT ref: 00FCCA9E
_wcslen.LIBCMT ref: 00FCCAF9
_wcslen.LIBCMT ref: 00FCCB2F
_wcslen.LIBCMT ref: 00FCCB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 00FCCB79, 00FCCB7E
HKCC, xrefs: 00FCCBAC
HKEY_LOCAL_MACHINE, xrefs: 00FCCA62, 00FCCA67
HKCU, xrefs: 00FCCBCE
HKLM, xrefs: 00FCCA98, 00FCCA9D
HKEY_CURRENT_USER, xrefs: 00FCCBBD
HKEY_USERS, xrefs: 00FCCBDF
HKEY_CLASSES_ROOT, xrefs: 00FCCAF3, 00FCCAF8
HKCR, xrefs: 00FCCB29, 00FCCB2E
HKU, xrefs: 00FCCBF0

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 48427b2af887e5f02e007cab9233f651281e4ae0a026c789989f160d52b5ba40
Instruction ID: 1f66dde7f2529e975288837b675d2e0d5b08b2aa4350fa2edea6234ef294293d
Opcode Fuzzy Hash: 48427b2af887e5f02e007cab9233f651281e4ae0a026c789989f160d52b5ba40
Instruction Fuzzy Hash: 7471C632E0056B8BCB10DE78CE52BBA3391ABA5764F15051CEC9E97284E639DD45B3D0

Function 00FD833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FD835A
_wcslen.LIBCMT ref: 00FD836E
_wcslen.LIBCMT ref: 00FD8391
_wcslen.LIBCMT ref: 00FD83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FD83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00FD361A,?), ref: 00FD844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FD8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FD84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FD8501
FreeLibrary.KERNEL32(?), ref: 00FD850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FD851D
DestroyIcon.USER32(?), ref: 00FD852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FD8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FD8555

Strings

.icl, xrefs: 00FD8368
.dll, xrefs: 00FD83AB
.exe, xrefs: 00FD8388

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: e81f8148d733bc902d8668e06a2e0ef96138ce00e5e100a96d49c7072e172ed0
Instruction ID: fba0583b906ac45ca437f516907d67bc6548e1bcedb5b77f6fde34561ea0cc9f
Opcode Fuzzy Hash: e81f8148d733bc902d8668e06a2e0ef96138ce00e5e100a96d49c7072e172ed0
Instruction Fuzzy Hash: 93610171900209BAEB14DF74DC41BBF77A9BF08B60F14460AF815DA2D0DF78A941E7A0

Function 00F47778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 00F478D9
Unterminated group of comments, xrefs: 00F8528C
', xrefs: 00F85169
Cannot parse #include, xrefs: 00F85279
#include-once, xrefs: 00F4782F
#cs, xrefs: 00F47873, 00F478C5
#comments-start, xrefs: 00F4785F, 00F478B1
#OnAutoItStartRegister, xrefs: 00F47817
Bad directive syntax error, xrefs: 00F8519A
#ce, xrefs: 00F478ED
#pragma compile, xrefs: 00F477D3
#include, xrefs: 00F47847
#notrayicon, xrefs: 00F477E7
", xrefs: 00F85153
#requireadmin, xrefs: 00F477FF

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 98606442fbbc3dd73fe342a9623ec5abb1492cc14ef69a8ba21a18d6dfc3c4a1
Instruction ID: 6eb5259698f44a189adf168861aa1492555eef2662d34136e695b43b9b939d79
Opcode Fuzzy Hash: 98606442fbbc3dd73fe342a9623ec5abb1492cc14ef69a8ba21a18d6dfc3c4a1
Instruction Fuzzy Hash: F2812471A04705BBDB21BF60CC42FAE3BA9AF14740F044025FD05AA292EB79DA15F7A1

Function 00FA5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00FA5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FA5A40
SetWindowTextW.USER32(?,?), ref: 00FA5A57
GetDlgItem.USER32(?,000003EA), ref: 00FA5A6C
SetWindowTextW.USER32(00000000,?), ref: 00FA5A72
GetDlgItem.USER32(?,000003E9), ref: 00FA5A82
SetWindowTextW.USER32(00000000,?), ref: 00FA5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FA5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FA5AC3
GetWindowRect.USER32(?,?), ref: 00FA5ACC
_wcslen.LIBCMT ref: 00FA5B33
SetWindowTextW.USER32(?,?), ref: 00FA5B6F
GetDesktopWindow.USER32 ref: 00FA5B75
GetWindowRect.USER32(00000000), ref: 00FA5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00FA5BD3
GetClientRect.USER32(?,?), ref: 00FA5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00FA5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FA5C2F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 21554c8d18c759f7b2c1d258b0f73e8db1cec94ea44a25871a6f32ac63067743
Instruction ID: b32e47837e3f818821ba95af37d4034a9e6dd270a3d5ed98887b61829639bced
Opcode Fuzzy Hash: 21554c8d18c759f7b2c1d258b0f73e8db1cec94ea44a25871a6f32ac63067743
Instruction Fuzzy Hash: 00718F71A00B09AFDB20DFB8CD45B6EBBF5FF48B15F104519E146A25A0D774E904EB60

Function 00F600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F600C6

Part of subcall function 00F600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0101070C,00000FA0,ABEEE26C,?,?,?,?,00F823B3,000000FF), ref: 00F6011C
Part of subcall function 00F600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F823B3,000000FF), ref: 00F60127
Part of subcall function 00F600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F823B3,000000FF), ref: 00F60138
Part of subcall function 00F600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F6014E
Part of subcall function 00F600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F6015C
Part of subcall function 00F600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F6016A
Part of subcall function 00F600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F60195
Part of subcall function 00F600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F601A0

___scrt_fastfail.LIBCMT ref: 00F600E7

Part of subcall function 00F600A3: __onexit.LIBCMT ref: 00F600A9

Strings

InitializeConditionVariable, xrefs: 00F60148
kernel32.dll, xrefs: 00F60133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F60122
WakeAllConditionVariable, xrefs: 00F60162
SleepConditionVariableCS, xrefs: 00F60154

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a12073891e48b81d96722e64c869ea055b586c248234f96e450b5f9de90233f1
Instruction ID: 71a6752bbac90d8deb5cf712e95aa8642cd8ada91b54fb72b9f3cd62097560d8
Opcode Fuzzy Hash: a12073891e48b81d96722e64c869ea055b586c248234f96e450b5f9de90233f1
Instruction Fuzzy Hash: B921FC32E457156BD7115B74AC06F5B3396EB06B61F24013BF942D7285DF688804FA91

Function 00FA30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA318D
_wcslen.LIBCMT ref: 00FA31F8

Strings

INSTANCE, xrefs: 00FA3453
NAME, xrefs: 00FA3335, 00FA3346
REGEXPCLASS, xrefs: 00FA3255, 00FA3266
CLASS, xrefs: 00FA3188, 00FA31A5
TEXT, xrefs: 00FA347C
CLASSNN, xrefs: 00FA31F3, 00FA3204

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 5cec1022c602a3caf82a6735461b3d8fb8d3cb9a80cd0fdb28dea68aa1cd14dd
Instruction ID: 96809d440d243925da93c75c5e601ffd9f69e74059aa29fefbed36e4c3f64fff
Opcode Fuzzy Hash: 5cec1022c602a3caf82a6735461b3d8fb8d3cb9a80cd0fdb28dea68aa1cd14dd
Instruction Fuzzy Hash: 76E1E472E006169FCB15DFA8C8517EDFBB4BF16720F548119F856A7240DB30AE85BBA0

Function 00FB44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00FDCC08), ref: 00FB4527
_wcslen.LIBCMT ref: 00FB453B
_wcslen.LIBCMT ref: 00FB4599
_wcslen.LIBCMT ref: 00FB45F4
_wcslen.LIBCMT ref: 00FB463F
_wcslen.LIBCMT ref: 00FB46A7

Part of subcall function 00F5F9F2: _wcslen.LIBCMT ref: 00F5F9FD

GetDriveTypeW.KERNEL32(?,01006BF0,00000061), ref: 00FB4743

Strings

all, xrefs: 00FB4531, 00FB4536
cdrom, xrefs: 00FB458F, 00FB4594
unknown, xrefs: 00FB4708
ramdisk, xrefs: 00FB46F1
removable, xrefs: 00FB45EA, 00FB45EF
network, xrefs: 00FB469D, 00FB46A2
fixed, xrefs: 00FB4635, 00FB463A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: e0b1bb48bb58ae02f36c567b0c9888878cfc925ca1aece5c786cb68efd699a0d
Instruction ID: adafb6bb8cb0e6315e6605ed1f2a624659cdf4d120f8d708d19b6e2ef1c5e4a8
Opcode Fuzzy Hash: e0b1bb48bb58ae02f36c567b0c9888878cfc925ca1aece5c786cb68efd699a0d
Instruction Fuzzy Hash: 53B1E571A083029FC710EF29C990AAAF7E5BF95720F54491DF496C7292DB34E844EF92

Function 00FCAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FCB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB1D4
_wcslen.LIBCMT ref: 00FCB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB236
_wcslen.LIBCMT ref: 00FCB332

Part of subcall function 00FB05A7: GetStdHandle.KERNEL32(000000F6), ref: 00FB05C6

_wcslen.LIBCMT ref: 00FCB34B
_wcslen.LIBCMT ref: 00FCB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FCB3B6
GetLastError.KERNEL32(00000000), ref: 00FCB407
CloseHandle.KERNEL32(?), ref: 00FCB439
CloseHandle.KERNEL32(00000000), ref: 00FCB44A
CloseHandle.KERNEL32(00000000), ref: 00FCB45C
CloseHandle.KERNEL32(00000000), ref: 00FCB46E
CloseHandle.KERNEL32(?), ref: 00FCB4E3

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: b722b0ff17d3fa9afddb053529d1faf044f0590039f402d15623c5ede5260736
Instruction ID: 8521bc5cf5a27eb16b0fb9c49dc621bc04a83736aac731c7563d369096a525b9
Opcode Fuzzy Hash: b722b0ff17d3fa9afddb053529d1faf044f0590039f402d15623c5ede5260736
Instruction Fuzzy Hash: 4EF1A0359083419FC715EF24C982F6EBBE5AF85320F18855DF8959B2A2CB35EC04EB52

Function 00F4326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01011990), ref: 00F82F8D
GetMenuItemCount.USER32(01011990), ref: 00F8303D
GetCursorPos.USER32(?), ref: 00F83081
SetForegroundWindow.USER32(00000000), ref: 00F8308A
TrackPopupMenuEx.USER32(01011990,00000000,?,00000000,00000000,00000000), ref: 00F8309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F830A9

Strings

0, xrefs: 00F4327D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 0012a1927b6609ac0afa7e9cb5c496087cdc791a7ad6e2de14c86589ffe94493
Instruction ID: 07d1c90320579f49d987a6053c76fdeb1d9600ccf3def719793e2b7ae85e5d11
Opcode Fuzzy Hash: 0012a1927b6609ac0afa7e9cb5c496087cdc791a7ad6e2de14c86589ffe94493
Instruction Fuzzy Hash: 74712A71A44206BEEB219F24DC49FDABF69FF05334F244216FA146A1E1C7B1A910FB91

Function 00FD6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00FD6DEB

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FD6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FD6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD6E94
DestroyWindow.USER32(?), ref: 00FD6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F40000,00000000), ref: 00FD6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD6EFD
GetDesktopWindow.USER32 ref: 00FD6F16
GetWindowRect.USER32(00000000), ref: 00FD6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FD6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FD6F4D

Part of subcall function 00F59944: GetWindowLongW.USER32(?,000000EB), ref: 00F59952

Strings

tooltips_class32, xrefs: 00FD6E58, 00FD6EDD
0, xrefs: 00FD6D98

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: c654104eedd13fafaf85d1849858103b0a6390f309cece86f8c5426f87f3af85
Instruction ID: 76bc65590c9c058f8ecc38fedce5cfa7ed40d6505b937daea32714bb3d1d347e
Opcode Fuzzy Hash: c654104eedd13fafaf85d1849858103b0a6390f309cece86f8c5426f87f3af85
Instruction Fuzzy Hash: 37719770504245AFDB22CF28D844BAABBFAFB88314F08041EF999C7361D775E905EB16

Function 00FD911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

DragQueryPoint.SHELL32(?,?), ref: 00FD9147

Part of subcall function 00FD7674: ClientToScreen.USER32(?,?), ref: 00FD769A
Part of subcall function 00FD7674: GetWindowRect.USER32(?,?), ref: 00FD7710
Part of subcall function 00FD7674: PtInRect.USER32(?,?,00FD8B89), ref: 00FD7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00FD91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FD91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FD91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FD9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00FD923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00FD9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00FD9277
DragFinish.SHELL32(?), ref: 00FD927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FD9371

Strings

@GUI_DRAGFILE, xrefs: 00FD9320
@GUI_DRAGID, xrefs: 00FD92E9
@GUI_DROPID, xrefs: 00FD929E

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 4757a17162f35582a0d256113d93f40000806670733b45e6c969a959a13daee8
Instruction ID: c7856a11a156cd5863b5da03ff85173bd471f7d65abdda2444fb1b4d2b15a76d
Opcode Fuzzy Hash: 4757a17162f35582a0d256113d93f40000806670733b45e6c969a959a13daee8
Instruction Fuzzy Hash: C0618C71108301AFD701DFA4DC85DAFBBE9EF89350F00091EF995932A1DB749A49DBA2

Function 00FBC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FBC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FBC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FBC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FBC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FBC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FBC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FBC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FBC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FBC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FBC5F0
InternetCloseHandle.WININET(00000000), ref: 00FBC5FB

Strings

, xrefs: 00FBC575

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 99c7bbc9efe30581fdc2d4322803739d541a3c6bf90c8c0853a264500d7e0b97
Instruction ID: 12b706efbad24b07bab771a4654c62465992556f85c1a18c4404c4313b52c878
Opcode Fuzzy Hash: 99c7bbc9efe30581fdc2d4322803739d541a3c6bf90c8c0853a264500d7e0b97
Instruction Fuzzy Hash: 575138B1601209BFDB219F62C988AAB7BBDEF08754F04441AF945D6210DB34EA44EFE0

Function 00FD856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00FD8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00FD85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00FD85AD
CloseHandle.KERNEL32(00000000), ref: 00FD85BA
GlobalLock.KERNEL32(00000000), ref: 00FD85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00FD85D7
GlobalUnlock.KERNEL32(00000000), ref: 00FD85E0
CloseHandle.KERNEL32(00000000), ref: 00FD85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FD85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FDFC38,?), ref: 00FD8611
GlobalFree.KERNEL32(00000000), ref: 00FD8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00FD8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00FD8671
DeleteObject.GDI32(00000000), ref: 00FD8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FD86AF

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: cf7ac05f8424684f9e98c72a6f884e107ca685eeccdbcc5d83505f9bc6216578
Instruction ID: b65c06954a56347cf51187eed0fb5b820b13a9282c5472cab8fa4492e5d7aba5
Opcode Fuzzy Hash: cf7ac05f8424684f9e98c72a6f884e107ca685eeccdbcc5d83505f9bc6216578
Instruction Fuzzy Hash: 7A415971601209AFDB108FA5DC48EAE7BBEEF89761F04415AF909E7260DB309D01EB60

Function 00FB14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FB1502
VariantCopy.OLEAUT32(?,?), ref: 00FB150B
VariantClear.OLEAUT32(?), ref: 00FB1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FB15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00FB1657
VariantInit.OLEAUT32(?), ref: 00FB1708
SysFreeString.OLEAUT32(?), ref: 00FB178C
VariantClear.OLEAUT32(?), ref: 00FB17D8
VariantClear.OLEAUT32(?), ref: 00FB17E7
VariantInit.OLEAUT32(00000000), ref: 00FB1823

Strings

Default, xrefs: 00FB16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00FB1625

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 643477a729e9e4e513803ffbd2498580783d5f1a151eabaf680846287d8c3248
Instruction ID: 65457f39e183b7d587f8673c25f00617a40f11b646195114005c7d3a2f9148f3
Opcode Fuzzy Hash: 643477a729e9e4e513803ffbd2498580783d5f1a151eabaf680846287d8c3248
Instruction Fuzzy Hash: AED1F132A00115DBDB209F66E8A5BB9B7B5BF45700FA88156F906AB180DB34DC44FFA1

Function 00FCB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FCC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB6AE,?,?), ref: 00FCC9B5
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCC9F1
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA68
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FCB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00FCB80A
RegCloseKey.ADVAPI32(?), ref: 00FCB87E
RegCloseKey.ADVAPI32(?), ref: 00FCB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00FCB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FCB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00FCB922
FreeLibrary.KERNEL32(00000000), ref: 00FCB983
RegCloseKey.ADVAPI32(00000000), ref: 00FCB994

Strings

advapi32.dll, xrefs: 00FCB8ED
RegDeleteKeyExW, xrefs: 00FCB8FE

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d58d80eed68eed0fca0be01d415f771b65e8d7322e9f8864702e67bc46e00e62
Instruction ID: 0aefd3b14ae4bd308ad13dc9cfe2d6285718f5d0788676cd9e39af6e6ea27bc4
Opcode Fuzzy Hash: d58d80eed68eed0fca0be01d415f771b65e8d7322e9f8864702e67bc46e00e62
Instruction Fuzzy Hash: D7C1A035605202AFD710DF24C996F2ABBE5BF84314F14845CF8998B6A2CB35EC45EB91

Function 00FC255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FC25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FC25E8
CreateCompatibleDC.GDI32(?), ref: 00FC25F4
SelectObject.GDI32(00000000,?), ref: 00FC2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FC266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FC26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FC26D0
SelectObject.GDI32(?,?), ref: 00FC26D8
DeleteObject.GDI32(?), ref: 00FC26E1
DeleteDC.GDI32(?), ref: 00FC26E8
ReleaseDC.USER32(00000000,?), ref: 00FC26F3

Strings

(, xrefs: 00FC268D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 76df01e016c3b3849231200add21d9ea035b267c383052dc945953a89981c69e
Instruction ID: 80ce327b93d8e8cbd51ba08d53daacf8b949c29cdd366e2cb54d913d986b8285
Opcode Fuzzy Hash: 76df01e016c3b3849231200add21d9ea035b267c383052dc945953a89981c69e
Instruction Fuzzy Hash: F0610475D0021AEFCF04CFA4C985EAEBBB6FF48310F20851AE955A7250D334A941EFA0

Function 00F7DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00F7DAA1

Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D659
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D66B
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D67D
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D68F
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D6A1
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D6B3
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D6C5
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D6D7
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D6E9
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D6FB
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D70D
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D71F
Part of subcall function 00F7D63C: _free.LIBCMT ref: 00F7D731

_free.LIBCMT ref: 00F7DA96

Part of subcall function 00F729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000), ref: 00F729DE
Part of subcall function 00F729C8: GetLastError.KERNEL32(00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000,00000000), ref: 00F729F0

_free.LIBCMT ref: 00F7DAB8
_free.LIBCMT ref: 00F7DACD
_free.LIBCMT ref: 00F7DAD8
_free.LIBCMT ref: 00F7DAFA
_free.LIBCMT ref: 00F7DB0D
_free.LIBCMT ref: 00F7DB1B
_free.LIBCMT ref: 00F7DB26
_free.LIBCMT ref: 00F7DB5E
_free.LIBCMT ref: 00F7DB65
_free.LIBCMT ref: 00F7DB82
_free.LIBCMT ref: 00F7DB9A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 3ccde16ba2bb976d2d0f4f7653f788d97775e7dd5081300635832c449d4071c8
Instruction ID: 6178c4d310323fb467f1f4cca5dddacdafb70a59f35b110da6dbeade2cdb4867
Opcode Fuzzy Hash: 3ccde16ba2bb976d2d0f4f7653f788d97775e7dd5081300635832c449d4071c8
Instruction Fuzzy Hash: 2A313B31A042059FEB61AA39EC45B56B7F9FF40320F95842BE54DD7192DB39AC80A722

Function 00FA365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FA369C
_wcslen.LIBCMT ref: 00FA36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FA3797
GetClassNameW.USER32(?,?,00000400), ref: 00FA380C
GetDlgCtrlID.USER32(?), ref: 00FA385D
GetWindowRect.USER32(?,?), ref: 00FA3882
GetParent.USER32(?), ref: 00FA38A0
ScreenToClient.USER32(00000000), ref: 00FA38A7
GetClassNameW.USER32(?,?,00000100), ref: 00FA3921
GetWindowTextW.USER32(?,?,00000400), ref: 00FA395D

Strings

%s%u, xrefs: 00FA3734

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: a5f3882e25bfd04c81087b4922266012a3158f648edf0c8010a4878f15b08985
Instruction ID: 2c966ad87ede04e493829fc4b977737697e9fcb9fb0ccdf7db3a3535a322edc3
Opcode Fuzzy Hash: a5f3882e25bfd04c81087b4922266012a3158f648edf0c8010a4878f15b08985
Instruction Fuzzy Hash: 0491F4B1604706AFD708DF24C885FAAF7A9FF49350F008629F999C2190DB34EA45EBD1

Function 00FA4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00FA4994
GetWindowTextW.USER32(?,?,00000400), ref: 00FA49DA
_wcslen.LIBCMT ref: 00FA49EB
CharUpperBuffW.USER32(?,00000000), ref: 00FA49F7
_wcsstr.LIBVCRUNTIME ref: 00FA4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00FA4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00FA4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00FA4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00FA4B20
GetWindowRect.USER32(?,?), ref: 00FA4B8B

Strings

ThumbnailClass, xrefs: 00FA4A6F, 00FA4AF1

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 9464746b81ab85030c61b1cde7a6c05cd9ad3e22a1c790ffd9145a7c1d37b12a
Instruction ID: 49a2ec8ff215726ed70dbd938ac401f03801cead4bb5d227f28f39104653c984
Opcode Fuzzy Hash: 9464746b81ab85030c61b1cde7a6c05cd9ad3e22a1c790ffd9145a7c1d37b12a
Instruction Fuzzy Hash: E991D2B15082059FDB04CF14C881BAA77E8FFC5364F04446AFD899A096DBB4FD45EBA1

Function 00FCCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FCCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FCCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FCCD48

Part of subcall function 00FCCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FCCCAA
Part of subcall function 00FCCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FCCCBD
Part of subcall function 00FCCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FCCCCF
Part of subcall function 00FCCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FCCD05
Part of subcall function 00FCCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FCCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FCCCF3

Strings

advapi32.dll, xrefs: 00FCCCB8
RegDeleteKeyExW, xrefs: 00FCCCC9

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 034f0540123a26545bc38101bf905a7b096663434fee818bee2df283a705ea0c
Instruction ID: fb0fda088a37540a26ce6b2fa3d10331e384584ffb919195375cfad21358fa1e
Opcode Fuzzy Hash: 034f0540123a26545bc38101bf905a7b096663434fee818bee2df283a705ea0c
Instruction Fuzzy Hash: F2319272D0112EBBDB20CB61DD89EFFBB7CEF41750F000169E91AE2140DA345A45EAE0

Function 00FB3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FB3D40
_wcslen.LIBCMT ref: 00FB3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FB3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FB3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00FB3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FB3E55
CloseHandle.KERNEL32(00000000), ref: 00FB3E60
CloseHandle.KERNEL32(00000000), ref: 00FB3E6B

Strings

:, xrefs: 00FB3D82
\, xrefs: 00FB3D77
\??\%s, xrefs: 00FB3D5B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1147d4e1f85c38dfe271e1f144ceee6d0a0d87adb328384173c9ca393ea0a4fe
Instruction ID: 97a7960c4ac2b5f392043b8af9426a127fb08bb1e448fae3403a16605c952238
Opcode Fuzzy Hash: 1147d4e1f85c38dfe271e1f144ceee6d0a0d87adb328384173c9ca393ea0a4fe
Instruction Fuzzy Hash: B131C172A4021AABDB209BA1DC49FEF37BDEF88710F1041A6F605D6060EB749744EB64

Function 00FAE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FAE6B4

Part of subcall function 00F5E551: timeGetTime.WINMM(?,?,00FAE6D4), ref: 00F5E555

Sleep.KERNEL32(0000000A), ref: 00FAE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00FAE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FAE727
SetActiveWindow.USER32 ref: 00FAE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FAE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FAE773
Sleep.KERNEL32(000000FA), ref: 00FAE77E
IsWindow.USER32 ref: 00FAE78A
EndDialog.USER32(00000000), ref: 00FAE79B

Strings

BUTTON, xrefs: 00FAE719

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 98613e7954eb6fd40fce206064d4d25ad9a74d43fa621ec2f9c57d16939cfa9e
Instruction ID: 6c52ed84ccc7d937132501447612b5c4ff8f5b5c0358d1d0a0e8dbd5600ea730
Opcode Fuzzy Hash: 98613e7954eb6fd40fce206064d4d25ad9a74d43fa621ec2f9c57d16939cfa9e
Instruction Fuzzy Hash: 6721C6F0310209AFEB105F30EC89B253B6AF79A358F100826F555822D5DB7EAC10FB64

Function 00FAE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FAEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FAEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FAEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FAEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FAEAA7

Strings

alias PlayMe, xrefs: 00FAEA36
status PlayMe mode, xrefs: 00FAEA58
play PlayMe, xrefs: 00FAEAA2
close PlayMe, xrefs: 00FAEA6E, 00FAEA9B
open , xrefs: 00FAEA0C
play PlayMe wait, xrefs: 00FAEA91

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 98e8f1f666fea4a2930710cd7dc7de0e3db377a1709599a51cacd66f4b9d2454
Instruction ID: bbdffde3eeaf4d07770c0dc640dd504597192f57d4f2bc603147877cbed451c4
Opcode Fuzzy Hash: 98e8f1f666fea4a2930710cd7dc7de0e3db377a1709599a51cacd66f4b9d2454
Instruction Fuzzy Hash: 3B11A371B9025979E721A7A2DC4AEFF7EBCEBD2B10F0004297801A70D1EEA51915D5B0

Function 00FA5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FA5CE2
GetWindowRect.USER32(00000000,?), ref: 00FA5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00FA5D59
GetDlgItem.USER32(?,00000002), ref: 00FA5D69
GetWindowRect.USER32(00000000,?), ref: 00FA5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00FA5DCF
GetDlgItem.USER32(?,000003E9), ref: 00FA5DDD
GetWindowRect.USER32(00000000,?), ref: 00FA5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00FA5E31
GetDlgItem.USER32(?,000003EA), ref: 00FA5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FA5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00FA5E67

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e0475adbbb863d3b9968ae00c1bd95cf3c0bc32fb659d0c468488062a0f06b09
Instruction ID: 7029a860c8c8f3b7b1971f914b6db1b178e37330c95c466af8668818612766e1
Opcode Fuzzy Hash: e0475adbbb863d3b9968ae00c1bd95cf3c0bc32fb659d0c468488062a0f06b09
Instruction Fuzzy Hash: 8351FFB1E0060AAFDF18CF68DD89AAEBBB6FB49710F148129F515E7290D7709E04DB50

Function 00F58BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F58F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F58BE8,?,00000000,?,?,?,?,00F58BBA,00000000,?), ref: 00F58FC5

DestroyWindow.USER32(?), ref: 00F58C81
KillTimer.USER32(00000000,?,?,?,?,00F58BBA,00000000,?), ref: 00F58D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00F96973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F58BBA,00000000,?), ref: 00F969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F58BBA,00000000,?), ref: 00F969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F58BBA,00000000), ref: 00F969D4
DeleteObject.GDI32(00000000), ref: 00F969E6

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 3ca60459d90a4214b87b1200e43e11d14d87ce00fd0061d2a8334bd245165966
Instruction ID: ed950e8a9dd0f1ce8939750712c5da587c59a9b192e1e7e84f0e3f7db8a3b37b
Opcode Fuzzy Hash: 3ca60459d90a4214b87b1200e43e11d14d87ce00fd0061d2a8334bd245165966
Instruction Fuzzy Hash: C761AF31902605DFDF359F24D948B2977F2FB403A2F144519EA82A7564CB3AAC86FF90

Function 00F59838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F59944: GetWindowLongW.USER32(?,000000EB), ref: 00F59952

GetSysColor.USER32(0000000F), ref: 00F59862

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f971593333fc2944ed678a671fd82b2dfb9c2655394c887e0dff71968c4a415f
Instruction ID: db0ee78ed7d8b1611565bc40d28b1ba8ce180c90489e85400b8bbfdcddc77b33
Opcode Fuzzy Hash: f971593333fc2944ed678a671fd82b2dfb9c2655394c887e0dff71968c4a415f
Instruction Fuzzy Hash: F941B131509714EFDF245F389C84BB93B66AB06332F584606FAA28B1E1C7719845FB50

Function 00FA96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F8F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00FA9717
LoadStringW.USER32(00000000,?,00F8F7F8,00000001), ref: 00FA9720

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F8F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00FA9742
LoadStringW.USER32(00000000,?,00F8F7F8,00000001), ref: 00FA9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00FA9866

Strings

Line %d (File "%s"):, xrefs: 00FA978F
Error: , xrefs: 00FA981D
%s (%d) : ==> %s: %s %s, xrefs: 00FA984A
^ ERROR, xrefs: 00FA97FB
Line %d:, xrefs: 00FA97A0

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: b55972aef0b2584599593ababe3f23fee0526d5096c6339b3a9932d44e639d98
Instruction ID: db80b2cc22ffc411855af867402b9e4ea3e29aa08584e1a0a9c6bb98d37eb708
Opcode Fuzzy Hash: b55972aef0b2584599593ababe3f23fee0526d5096c6339b3a9932d44e639d98
Instruction Fuzzy Hash: 67416072904219AADF04EFE0DD86DEE7779AF55340F500025FA0172092EB796F48EBA1

Function 00FA06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FA07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FA07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FA07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FA0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00FA082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FA0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FA083C

Strings

\CLSID, xrefs: 00FA0724
SOFTWARE\Classes\, xrefs: 00FA070E
\IPC$, xrefs: 00FA0784

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: d38649ad17d14f0aba3790784580211d0dae176d56380b8796951f4865c67739
Instruction ID: 2712d7459fe3d7683e3f0348c61e3b42cbf6d2fbeb1b72af05dca2b20753211f
Opcode Fuzzy Hash: d38649ad17d14f0aba3790784580211d0dae176d56380b8796951f4865c67739
Instruction Fuzzy Hash: E5410672C10229ABDF11EFA4DC95CEEBB78FF05750F044129E901A7161EB749E04EBA0

Function 00FC3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FC3C5C
CoInitialize.OLE32(00000000), ref: 00FC3C8A
CoUninitialize.OLE32 ref: 00FC3C94
_wcslen.LIBCMT ref: 00FC3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00FC3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00FC3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FC3F0E
CoGetObject.OLE32(?,00000000,00FDFB98,?), ref: 00FC3F2D
SetErrorMode.KERNEL32(00000000), ref: 00FC3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FC3FC4
VariantClear.OLEAUT32(?), ref: 00FC3FD8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 2859f4797158329da08040b4d96ab0d8688fa383da8ff1db501144e6b0523873
Instruction ID: f86624a90e23be56416858f95840f18f854350364dd0bf61a17a487902a07716
Opcode Fuzzy Hash: 2859f4797158329da08040b4d96ab0d8688fa383da8ff1db501144e6b0523873
Instruction Fuzzy Hash: 49C135716082069FC700DF28C985E2BBBE9FF89794F04891DF98A9B251D730ED05DB92

Function 00FB7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FB7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FB7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00FB7BA3
CoCreateInstance.OLE32(00FDFD08,00000000,00000001,01006E6C,?), ref: 00FB7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FB7C74
CoTaskMemFree.OLE32(?,?), ref: 00FB7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00FB7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FB7D7A
CoTaskMemFree.OLE32(00000000), ref: 00FB7D81
CoTaskMemFree.OLE32(00000000), ref: 00FB7DD6
CoUninitialize.OLE32 ref: 00FB7DDC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a9e813d361e84b1b3b478c3c53dab70dccf0bfc8f351856ce2a87b3bba50a940
Instruction ID: 1861dda0d98ddc2fce7fc5bf38a5ab2ced50e1922fe88504813fb56c2d19824f
Opcode Fuzzy Hash: a9e813d361e84b1b3b478c3c53dab70dccf0bfc8f351856ce2a87b3bba50a940
Instruction Fuzzy Hash: E7C12975A04209AFCB14DFA5C884DAEBBB9FF88314B148499E819DB361D730ED45DF90

Function 00FD541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FD5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD5515
CharNextW.USER32(00000158), ref: 00FD5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FD5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FD559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD55AC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 7f1e85748d8dd203355b419bfc451c962d2b76049805c04a515f1ce0ee9c7443
Instruction ID: a3dcdfb2699e5795f0dda4685d4a510c0f3b3a6a0d43f90c457554298c679c06
Opcode Fuzzy Hash: 7f1e85748d8dd203355b419bfc451c962d2b76049805c04a515f1ce0ee9c7443
Instruction Fuzzy Hash: A861A031900609ABDF10DF64CC94EFE7B7AEB06B34F184146F925AB390D7748A80EB61

Function 00F9FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F9FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00F9FB08
VariantInit.OLEAUT32(?), ref: 00F9FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F9FB3A
VariantCopy.OLEAUT32(?,?), ref: 00F9FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F9FBA1
VariantClear.OLEAUT32(?), ref: 00F9FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F9FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F9FBCC
VariantClear.OLEAUT32(?), ref: 00F9FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F9FBE9

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2169c1ba0051255a38fa48b5fe58284139bc83e4885fe0f1d54839fd834fbfcc
Instruction ID: 7065b93e826a34d450bbee8bbe61ccf74524b101d167ef0daf47aa4e2af6bb49
Opcode Fuzzy Hash: 2169c1ba0051255a38fa48b5fe58284139bc83e4885fe0f1d54839fd834fbfcc
Instruction Fuzzy Hash: 28415D35A0021A9FDF00DF68CC549AEBBB9EF48354F008069E956E7261CB34A949DBE0

Function 00FA9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FA9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00FA9D22
GetKeyState.USER32(000000A0), ref: 00FA9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00FA9D57
GetKeyState.USER32(000000A1), ref: 00FA9D6C
GetAsyncKeyState.USER32(00000011), ref: 00FA9D84
GetKeyState.USER32(00000011), ref: 00FA9D96
GetAsyncKeyState.USER32(00000012), ref: 00FA9DAE
GetKeyState.USER32(00000012), ref: 00FA9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00FA9DD8
GetKeyState.USER32(0000005B), ref: 00FA9DEA

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c0e11240862065daeb1b318c2788852112868abef911125a9bc1d6080a559973
Instruction ID: 3f901dd73af814d6d8b714eda5d998f57997c90e5cb929f6857beaf979375f40
Opcode Fuzzy Hash: c0e11240862065daeb1b318c2788852112868abef911125a9bc1d6080a559973
Instruction Fuzzy Hash: EC41D9B4D0CBCA69FF30877084443B5BEA16F13364F08807ADAC6565C2DBE499C4E7A2

Function 00FC055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FC05BC
inet_addr.WSOCK32(?), ref: 00FC061C
gethostbyname.WSOCK32(?), ref: 00FC0628
IcmpCreateFile.IPHLPAPI ref: 00FC0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FC06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FC06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00FC07B9
WSACleanup.WSOCK32 ref: 00FC07BF

Strings

Ping, xrefs: 00FC0676

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: eb086109d5c50d973ca56eef8300c8fded8c5cb447f850d662d1d2cbc3c33090
Instruction ID: 01c13f4a224b58f7a38f762965a693b3c04e9b1f846dc05ee392867ab21af876
Opcode Fuzzy Hash: eb086109d5c50d973ca56eef8300c8fded8c5cb447f850d662d1d2cbc3c33090
Instruction Fuzzy Hash: F9919035A04202DFD724CF15C98AF16BBE1AF44328F14859DF4698B6A2CB34ED46EF91

Function 00FC8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00FC8CF3

Part of subcall function 00FA8E54: _wcslen.LIBCMT ref: 00FA8E77

_wcslen.LIBCMT ref: 00FC8D4E
_wcslen.LIBCMT ref: 00FC8D9C
_wcslen.LIBCMT ref: 00FC8DDC
_wcslen.LIBCMT ref: 00FC8E6E

Strings

none, xrefs: 00FC8E65, 00FC8E6A
winapi, xrefs: 00FC8D96, 00FC8D9B
stdcall, xrefs: 00FC8DD6, 00FC8DDB
cdecl, xrefs: 00FC8D48, 00FC8D4D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 01a9a59d88a5803745025a0e6156cb738fb81931e131bdf3ba947feb0fe65e36
Instruction ID: c4b5774fc3f3af3be366fa58632b27dd1a7d4d691bd4a4d599ef4b18b1e41538
Opcode Fuzzy Hash: 01a9a59d88a5803745025a0e6156cb738fb81931e131bdf3ba947feb0fe65e36
Instruction Fuzzy Hash: 7E519331A001179BCB14DFACCA42ABEB7A5BF64360B20421DE856E72C5DF35DD41E790

Function 00FC372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00FC3774
CoUninitialize.OLE32 ref: 00FC377F
CoCreateInstance.OLE32(?,00000000,00000017,00FDFB78,?), ref: 00FC37D9
IIDFromString.OLE32(?,?), ref: 00FC384C
VariantInit.OLEAUT32(?), ref: 00FC38E4
VariantClear.OLEAUT32(?), ref: 00FC3936

Strings

NULL Pointer assignment, xrefs: 00FC381E
Failed to create object, xrefs: 00FC37E4, 00FC389A
Invalid parameter, xrefs: 00FC3865

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: fb83e756fb871b5750124fe0b0694bc408f82cd8eebe20b82609362d2fb6eab4
Instruction ID: fd7b268381b99dcaf1fb049b818be3fa66eb24c53e5c41fb27533ab566902b0a
Opcode Fuzzy Hash: fb83e756fb871b5750124fe0b0694bc408f82cd8eebe20b82609362d2fb6eab4
Instruction Fuzzy Hash: AA61C571608302AFD311DF64C94AF5ABBE4EF89754F00890DF9859B291C774EE48EB92

Function 00FB3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00FB33CF

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FB33F0

Strings

Incorrect parameters to object property !, xrefs: 00FB34AB
^ ERROR , xrefs: 00FB349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00FB3504
Line %d (File "%s"):, xrefs: 00FB3443, 00FB345C
Error: , xrefs: 00FB34D1
"%s" (%d) : ==> %s:, xrefs: 00FB3522

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3f02ef02dcb398e5c080f6837fd4029503b205f6a77fd107df1b7c2cfeba921a
Instruction ID: fba0fca98f2c89d290c95d717f2affb69a2f129e331c7e00da124ade1397f4ec
Opcode Fuzzy Hash: 3f02ef02dcb398e5c080f6837fd4029503b205f6a77fd107df1b7c2cfeba921a
Instruction Fuzzy Hash: A951C172D4020ABADF15EBA0CD46EEEB779AF04340F144165F90572052EB792F58EF61

Function 00FAB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FAB5FC
_wcslen.LIBCMT ref: 00FAB608
_wcslen.LIBCMT ref: 00FAB64D
_wcslen.LIBCMT ref: 00FAB68C
_wcslen.LIBCMT ref: 00FAB6C7

Strings

REMOVE, xrefs: 00FAB602, 00FAB607
KEYS, xrefs: 00FAB647, 00FAB64C
EXISTS, xrefs: 00FAB686, 00FAB68B
APPEND, xrefs: 00FAB6C1, 00FAB6C6

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: c528902041e0fe19fbe1c9dd6ae3277e862fa217aea901ddea07d6377428b28e
Instruction ID: 92d5fd329f30918e1a6f91c094d6665faf08fac7bce075c4c958ed7c3f013e79
Opcode Fuzzy Hash: c528902041e0fe19fbe1c9dd6ae3277e862fa217aea901ddea07d6377428b28e
Instruction Fuzzy Hash: E74106B2E000269ACB106F7DCC905BE77A5BF62764B244169E465DB382F735CD81E790

Function 00FB5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FB53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FB5416
GetLastError.KERNEL32 ref: 00FB5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00FB54A7

Strings

INVALID, xrefs: 00FB5459
READY, xrefs: 00FB5460, 00FB5468
NOTREADY, xrefs: 00FB544B
READONLY, xrefs: 00FB5452
UNKNOWN, xrefs: 00FB5444

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6e8ac279b959be84412a886f46685a46b463057196f808566b5fa38e3496f14f
Instruction ID: 2a3a944da9cac5a9ef76136af6b687e24de8115bc07b078925fcfcbf562e72b8
Opcode Fuzzy Hash: 6e8ac279b959be84412a886f46685a46b463057196f808566b5fa38e3496f14f
Instruction Fuzzy Hash: B631CE35E00205DFD701EF69C894BEA7BB5EB04715F148056E801CB292D77ADD86EB90

Function 00FD3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00FD3C79
SetMenu.USER32(?,00000000), ref: 00FD3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FD3D10
IsMenu.USER32(?), ref: 00FD3D24
CreatePopupMenu.USER32 ref: 00FD3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FD3D5B
DrawMenuBar.USER32 ref: 00FD3D63

Strings

0, xrefs: 00FD3C54
F, xrefs: 00FD3D4E

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 86ca901c5bee5ba7f8ee20eaa2730363fa292137ae30ece2c7699f841f21d25e
Instruction ID: cddee81817e129603ebd55d7505b4a031e13b5b200ab2e87b2cb0d151b23007a
Opcode Fuzzy Hash: 86ca901c5bee5ba7f8ee20eaa2730363fa292137ae30ece2c7699f841f21d25e
Instruction Fuzzy Hash: 3A416D75A0120AAFDB14CF64E844B9A7BB7FF49350F18002AFA4697350D735AA10EF91

Function 00FA1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00FA1F64
GetDlgCtrlID.USER32 ref: 00FA1F6F
GetParent.USER32 ref: 00FA1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FA1F8E
GetDlgCtrlID.USER32(?), ref: 00FA1F97
GetParent.USER32(?), ref: 00FA1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FA1FAE

Strings

ListBox, xrefs: 00FA1F21
ComboBox, xrefs: 00FA1EEC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 3d95edeabf77ebebdc70ca4d260c2b95445a546b028e90cd94550146e449d5ed
Instruction ID: 301a4d7013df43821915ac896dacced49a201adb877728219c384cc4ebd8bb78
Opcode Fuzzy Hash: 3d95edeabf77ebebdc70ca4d260c2b95445a546b028e90cd94550146e449d5ed
Instruction Fuzzy Hash: 0121B3B5E00118BFCF05AFA0DC859EEBBB9EF06310F000116B95567291CB789904EBA0

Function 00FD3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FD3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FD3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00FD3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FD3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FD3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FD3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FD3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FD3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FD3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FD3C13

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: c6f5973613c3c23fed6b379f446414f2a2014b7946994ae67cfa02d347c61c23
Instruction ID: be00bcd89114a7e731ee3d4b4e5df2bb75688e0a5393361745498bd149250248
Opcode Fuzzy Hash: c6f5973613c3c23fed6b379f446414f2a2014b7946994ae67cfa02d347c61c23
Instruction Fuzzy Hash: E2619C75900208AFDB20DFA8CC81EEE77F9EB49310F14019AFA15A7391D774AE41EB50

Function 00FAB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FAB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB165
GetWindowThreadProcessId.USER32(00000000), ref: 00FAB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FAB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FAA1E1,?,00000001), ref: 00FAB21D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 70b09318c904df080a6879a4564115dc4d90f0862ec4b5fe2ad1b8c288184834
Instruction ID: b2fa9b8507604cec56ad3bcf94ef80bd76ab847bb953f5068136583539006789
Opcode Fuzzy Hash: 70b09318c904df080a6879a4564115dc4d90f0862ec4b5fe2ad1b8c288184834
Instruction Fuzzy Hash: CB319EB1940209BFDB269F24EC58B6D7BEABF52371F104006FA45DA181D7B99D40EFA0

Function 00F72C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F72C94

Part of subcall function 00F729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000), ref: 00F729DE
Part of subcall function 00F729C8: GetLastError.KERNEL32(00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000,00000000), ref: 00F729F0

_free.LIBCMT ref: 00F72CA0
_free.LIBCMT ref: 00F72CAB
_free.LIBCMT ref: 00F72CB6
_free.LIBCMT ref: 00F72CC1
_free.LIBCMT ref: 00F72CCC
_free.LIBCMT ref: 00F72CD7
_free.LIBCMT ref: 00F72CE2
_free.LIBCMT ref: 00F72CED
_free.LIBCMT ref: 00F72CFB

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 37a81f2724ed51c06a089691264be615224943ce5365d1907c9e6e2f23103b5d
Instruction ID: f47802a6327195482db39c72a1cba42749470821a8f1c96fb39353737b270793
Opcode Fuzzy Hash: 37a81f2724ed51c06a089691264be615224943ce5365d1907c9e6e2f23103b5d
Instruction Fuzzy Hash: 4D119676500108AFCB42EF68DC42CDD7BB5FF05350F4584A6FA4C5B222D635EA90BB91

Function 00F41410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F41459
OleUninitialize.OLE32(?,00000000), ref: 00F414F8
UnregisterHotKey.USER32(?), ref: 00F416DD
DestroyWindow.USER32(?), ref: 00F824B9
FreeLibrary.KERNEL32(?), ref: 00F8251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F8254B

Strings

close all, xrefs: 00F41454

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: feb05289a5b86b52099342ebaed7af19b4d706f4d637a0fb91cf9c561b155f0e
Instruction ID: 68384b04a19701a20b3298f89d5c68e29825b492da2916fcf0677328c8a38e18
Opcode Fuzzy Hash: feb05289a5b86b52099342ebaed7af19b4d706f4d637a0fb91cf9c561b155f0e
Instruction Fuzzy Hash: 6DD1C231B01212CFCB19EF14C899B69FBA0BF05310F18429DE94A6B252DB30ED56EF91

Function 00FB7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB7FC1
GetFileAttributesW.KERNEL32(?), ref: 00FB7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FB8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FB80B0

Strings

*.*, xrefs: 00FB8066

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 6840b59f62f75f144a44df675713ecb06299a9a1bcf07b703f7dacadb585e9ee
Instruction ID: d227bf309c0e26faf94eb2bdf1b7264b40bfba6a0641da3d26982daecb89f2d9
Opcode Fuzzy Hash: 6840b59f62f75f144a44df675713ecb06299a9a1bcf07b703f7dacadb585e9ee
Instruction Fuzzy Hash: FD819F729083419BCB20FF16C844AAAB7E9BFC4360F14485AF885D7250EB75DD49EF92

Function 00F45BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F45C7A

Part of subcall function 00F45D0A: GetClientRect.USER32(?,?), ref: 00F45D30
Part of subcall function 00F45D0A: GetWindowRect.USER32(?,?), ref: 00F45D71
Part of subcall function 00F45D0A: ScreenToClient.USER32(?,?), ref: 00F45D99

GetDC.USER32 ref: 00F846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F84708
SelectObject.GDI32(00000000,00000000), ref: 00F84716
SelectObject.GDI32(00000000,00000000), ref: 00F8472B
ReleaseDC.USER32(?,00000000), ref: 00F84733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F847C4

Strings

U, xrefs: 00F84693

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 8f555e1171d5db462a1dec75113d1824289409e2f3980d91531db88cb240dc23
Instruction ID: dcb856e195d75bb48303e678938286e6aa1d2c234645acea317a13a4f0cd0bc8
Opcode Fuzzy Hash: 8f555e1171d5db462a1dec75113d1824289409e2f3980d91531db88cb240dc23
Instruction Fuzzy Hash: C371C231800206DFCF21AF64C984AFE7BB6FF46364F144266EE555A1A6D335A841FF50

Function 00FB359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00FB35E4

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

LoadStringW.USER32(01012390,?,00000FFF,?), ref: 00FB360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00FB3724
Line %d (File "%s"):, xrefs: 00FB366B
Error: , xrefs: 00FB36EF
^ ERROR, xrefs: 00FB36C9
"%s" (%d) : ==> %s:, xrefs: 00FB3742

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 7499b82421b4b6ccdb0e87379aeea27b594f03a7e83e9156acd5d65df8653dbc
Instruction ID: c4e6e6918e72fb9f02fe49d881639faf4c7c745603a5b8cea99e01f418a5a3f8
Opcode Fuzzy Hash: 7499b82421b4b6ccdb0e87379aeea27b594f03a7e83e9156acd5d65df8653dbc
Instruction Fuzzy Hash: 6D519F72D4420ABADF15EBA1CC42EEEBB39AF04300F144125F50572192DB791B98EFA1

Function 00FBC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FBC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FBC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FBC2CA
GetLastError.KERNEL32 ref: 00FBC322
SetEvent.KERNEL32(?), ref: 00FBC336
InternetCloseHandle.WININET(00000000), ref: 00FBC341

Strings

, xrefs: 00FBC2BB

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 982d85d6d502bbf7195a49a3638bb9a868144fbf5b7e8e5d3f843c260777a070
Instruction ID: f9694ad49e6db7425906a8f2c355a7ba02bda7f48843134a8f49f4baefb531a4
Opcode Fuzzy Hash: 982d85d6d502bbf7195a49a3638bb9a868144fbf5b7e8e5d3f843c260777a070
Instruction Fuzzy Hash: 6F317FB1601209AFD7219F668C88AEB7BFDEB49754B58851EF486D3200DB34DD04AFE1

Function 00FA989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F83AAF,?,?,Bad directive syntax error,00FDCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FA98BC
LoadStringW.USER32(00000000,?,00F83AAF,?), ref: 00FA98C3

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FA9987

Strings

Error: , xrefs: 00FA9955
Line %d (File "%s"):, xrefs: 00FA992D
%s (%d) : ==> %s.: %s %s, xrefs: 00FA98F1
., xrefs: 00FA996D
Line %d:, xrefs: 00FA9912

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: ddfeeb15005fbfd98e7e0006e1cdf9ca012f261129232249503d06294ca33e74
Instruction ID: 1005bf0a8c3b5ed5546cd1a4562f1ea3ff17185cbd8b665b846992c72963f488
Opcode Fuzzy Hash: ddfeeb15005fbfd98e7e0006e1cdf9ca012f261129232249503d06294ca33e74
Instruction Fuzzy Hash: 15218232D0421EFBDF15AF90CC0AEEE7B76BF19300F044469FA15650A2DB759668EB50

Function 00FA209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FA20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00FA20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FA214D

Strings

details, xrefs: 00FA20FB
list, xrefs: 00FA212F
largeicons, xrefs: 00FA20E1
smallicons, xrefs: 00FA2115
SHELLDLL_DefView, xrefs: 00FA20CC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 21efa69a87f14dbb58255dc6cef16a70f57cec54fc6e588a88d39e4be450f1a9
Instruction ID: 7e3659bbd42c1bc2b87eb75fc83506211265a96c8ca0f630e426f2e20ec1b0c3
Opcode Fuzzy Hash: 21efa69a87f14dbb58255dc6cef16a70f57cec54fc6e588a88d39e4be450f1a9
Instruction Fuzzy Hash: 9011A3B6788707B9FA0666299C06DA7379CDF06724F20011AFB44A90E1EA69B8427A54

Function 00F7CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00F7CEB7
_free.LIBCMT ref: 00F7CF22
_free.LIBCMT ref: 00F7CF48
_free.LIBCMT ref: 00F7CF71
_free.LIBCMT ref: 00F7CFA9
_free.LIBCMT ref: 00F7CFDA
_free.LIBCMT ref: 00F7D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00F7D09C
_free.LIBCMT ref: 00F7D0B5

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4659b1a8a99fabf81689355f67ab1960e02085f110c05085302f47cf314906a0
Instruction ID: 395c9dd917d2fa76aa6a80975b2edabc8eb88a7e9d7ad8c0b8ec383a4c3d4d25
Opcode Fuzzy Hash: 4659b1a8a99fabf81689355f67ab1960e02085f110c05085302f47cf314906a0
Instruction Fuzzy Hash: 81611971D04200AFDB21AF74AC41AAD7BA5AF05320F44C16FF98D97249D73A9D41B7A3

Function 00FD50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00FD5186
ShowWindow.USER32(?,00000000), ref: 00FD51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00FD51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00FD51D1

Part of subcall function 00FD6FBA: DeleteObject.GDI32(00000000), ref: 00FD6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00FD520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FD524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00FD5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00FD5296

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: e00ebf0f51d5692324ab030a144e155b940f4fee12a8e3df8a7f4ff90ff2c2e9
Instruction ID: c69d9f1a2c6be513ab450f05a64ed8037e22529a4c12bfc836c0dcb7acadc0be
Opcode Fuzzy Hash: e00ebf0f51d5692324ab030a144e155b940f4fee12a8e3df8a7f4ff90ff2c2e9
Instruction Fuzzy Hash: 4251A031A41A09BEEF259F24CC45B983B73EB05B62F184113FA24963E0C7799988FB40

Function 00F58B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F96890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F58874,00000000,00000000,00000000,000000FF,00000000), ref: 00F96901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F9691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F58874,00000000,00000000,00000000,000000FF,00000000), ref: 00F9692D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 5c6ebcc027ee4493374db04cc9d9751c47c2a9195ea375aac5f6302659c06503
Instruction ID: a6b6ba27addf0d13a1cfb4f5ed1c5f31d059868fb695992d31d27a5723bee47f
Opcode Fuzzy Hash: 5c6ebcc027ee4493374db04cc9d9751c47c2a9195ea375aac5f6302659c06503
Instruction Fuzzy Hash: 26518D70A00209EFEB24CF24CC41FAA7BB6EF84361F104519FA56E7290DB75E955EB40

Function 00FBC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FBC182
GetLastError.KERNEL32 ref: 00FBC195
SetEvent.KERNEL32(?), ref: 00FBC1A9

Part of subcall function 00FBC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FBC272
Part of subcall function 00FBC253: GetLastError.KERNEL32 ref: 00FBC322
Part of subcall function 00FBC253: SetEvent.KERNEL32(?), ref: 00FBC336
Part of subcall function 00FBC253: InternetCloseHandle.WININET(00000000), ref: 00FBC341

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: e4f6857a44688318056f5aeb69a32c42adca0dfc935f64f058f4effbc2d96c05
Instruction ID: c3f7a9638f41af100be5948cfec00766f291e19ec5bbfcd2bc2496f588435698
Opcode Fuzzy Hash: e4f6857a44688318056f5aeb69a32c42adca0dfc935f64f058f4effbc2d96c05
Instruction Fuzzy Hash: 64316971601606AFDB219FB69C44AA7BBEAFF58310B00441EF95A87610D730E814FFE0

Function 00FA25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA3A57
Part of subcall function 00FA3A3D: GetCurrentThreadId.KERNEL32 ref: 00FA3A5E
Part of subcall function 00FA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FA25B3), ref: 00FA3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FA25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00FA25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FA2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00FA2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FA2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00FA2627

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6504fd856b01d55ce5332bf5ce38ac845f76921defe41eedd446a2306ed28d6b
Instruction ID: 4f7b4f161346c4957d9c5852d8e5891fa8c33af770224c8694001e7637c00694
Opcode Fuzzy Hash: 6504fd856b01d55ce5332bf5ce38ac845f76921defe41eedd446a2306ed28d6b
Instruction Fuzzy Hash: 6301B171790224BBFB1067799C8AF593F5ADB4AB12F100002F318AE1D1C9F26444EAA9

Function 00FA1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00FA1449,?,?,00000000), ref: 00FA180C
HeapAlloc.KERNEL32(00000000,?,00FA1449,?,?,00000000), ref: 00FA1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FA1449,?,?,00000000), ref: 00FA1828
GetCurrentProcess.KERNEL32(?,00000000,?,00FA1449,?,?,00000000), ref: 00FA1830
DuplicateHandle.KERNEL32(00000000,?,00FA1449,?,?,00000000), ref: 00FA1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FA1449,?,?,00000000), ref: 00FA1843
GetCurrentProcess.KERNEL32(00FA1449,00000000,?,00FA1449,?,?,00000000), ref: 00FA184B
DuplicateHandle.KERNEL32(00000000,?,00FA1449,?,?,00000000), ref: 00FA184E
CreateThread.KERNEL32(00000000,00000000,00FA1874,00000000,00000000,00000000), ref: 00FA1868

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 921d209ad1966795d7ecc8fd3af911493b92bed01e3e8f26a1fde3fac5f75264
Instruction ID: f7fd301f8c3b4451e10ff7ade3d911c34516b65e865e063ba0ad57e3e5b6cbdd
Opcode Fuzzy Hash: 921d209ad1966795d7ecc8fd3af911493b92bed01e3e8f26a1fde3fac5f75264
Instruction Fuzzy Hash: 9601BBB5281319BFE710ABB5DC4DF6B3BADEB89B11F014411FA05DB1A2CA749800DB60

Function 00FCA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00FAD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00FAD501
Part of subcall function 00FAD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00FAD50F
Part of subcall function 00FAD4DC: CloseHandle.KERNEL32(00000000), ref: 00FAD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FCA16D
GetLastError.KERNEL32 ref: 00FCA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FCA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FCA268
GetLastError.KERNEL32(00000000), ref: 00FCA273
CloseHandle.KERNEL32(00000000), ref: 00FCA2C4

Strings

SeDebugPrivilege, xrefs: 00FCA18F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f0f48550d1c07bce2087bb3b04adf53da29a1b2b95da1ea174c6fe800d2bde0f
Instruction ID: 60bcdd0bd67e92ee0cc73086ce9355392d6e99ce09e31e9d8868799fa87befdb
Opcode Fuzzy Hash: f0f48550d1c07bce2087bb3b04adf53da29a1b2b95da1ea174c6fe800d2bde0f
Instruction Fuzzy Hash: FD61BE716052429FD320DF14C995F65BBE1AF44328F18848CE8668B7A3C776FC49EB92

Function 00FD3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FD3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00FD393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FD3954
_wcslen.LIBCMT ref: 00FD3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00FD39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FD39F4

Strings

SysListView32, xrefs: 00FD38F7

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d683f4f76b5398141a9c6f8bbb20b02f13cd67e5beae3cd9f39de3fea306be26
Instruction ID: 89a3d42714aaa00615ab60ed26cd59c808dc426cbd2dddc5347b7176e1c8ee19
Opcode Fuzzy Hash: d683f4f76b5398141a9c6f8bbb20b02f13cd67e5beae3cd9f39de3fea306be26
Instruction Fuzzy Hash: BC41C671E00219ABEF219F64CC45BEA77AAEF08360F140527FA48E7281D775DD80EB91

Function 00FABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FABCFD
IsMenu.USER32(00000000), ref: 00FABD1D
CreatePopupMenu.USER32 ref: 00FABD53
GetMenuItemCount.USER32(017C57A8), ref: 00FABDA4
InsertMenuItemW.USER32(017C57A8,?,00000001,00000030), ref: 00FABDCC

Strings

2, xrefs: 00FABD37
0, xrefs: 00FABCA8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: d99b970ea12c7eb5af094b88dd96746e1a9b360bc939b96304664c31b45c9635
Instruction ID: ed936f71a45d1cfc9ae57ddcbad3637cb3d95faca15d0eb893157d6d24e843e3
Opcode Fuzzy Hash: d99b970ea12c7eb5af094b88dd96746e1a9b360bc939b96304664c31b45c9635
Instruction Fuzzy Hash: EB51A1B1A002099BDF10CFB8D888BAEBBF5BF47324F144259E411DB292D774A941EB61

Function 00FAC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FAC913

Strings

info, xrefs: 00FAC8B4
stop, xrefs: 00FAC8E4
blank, xrefs: 00FAC895
warning, xrefs: 00FAC8FC
question, xrefs: 00FAC8CC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b2a9e573724f5620ac8fcef19aa1cc92b5c8fff73192df5e261cfebbcf3aba41
Instruction ID: 28435d0aba7afd7fc47085c1f9303d167d14fee81e89386fcb5a96bcee18093b
Opcode Fuzzy Hash: b2a9e573724f5620ac8fcef19aa1cc92b5c8fff73192df5e261cfebbcf3aba41
Instruction Fuzzy Hash: 1411EE76A89306BAE7016B559D82D9F77DCEF1B760B10002FF504A6281E7796D0072E5

Function 00FAED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FAED2A
_wcslen.LIBCMT ref: 00FAED3B
_wcslen.LIBCMT ref: 00FAED79
_wcslen.LIBCMT ref: 00FAEDAF
_wcslen.LIBCMT ref: 00FAEDDF
_wcslen.LIBCMT ref: 00FAEDEF
_wcslen.LIBCMT ref: 00FAEE2B
_wcslen.LIBCMT ref: 00FAEE5A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: bc35139e0bfab8f8dff3e03d246787007bdeeaf9bca938b4bfb617c0e519a453
Instruction ID: 7b4cdb4f08a025dd51b9b0fb8a4ffb551886ec618a4c6f2809cf66a8c5ed257a
Opcode Fuzzy Hash: bc35139e0bfab8f8dff3e03d246787007bdeeaf9bca938b4bfb617c0e519a453
Instruction Fuzzy Hash: 5341C365D1021875DB11FBF4CC8A9CFB7A8AF46310F508566E518E3121FB38E245E3E5

Function 00F5F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F9682C,00000004,00000000,00000000), ref: 00F5F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F9682C,00000004,00000000,00000000), ref: 00F9F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F9682C,00000004,00000000,00000000), ref: 00F9F454

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 680f25ab9ab6bcc49282d2eb8204151cd440913fdba81d7ccb1384d49e04d3ed
Instruction ID: 3f6096d122f64f2d3b826fb4f16e823512948b8f6393d6c53eebd42fde4daae3
Opcode Fuzzy Hash: 680f25ab9ab6bcc49282d2eb8204151cd440913fdba81d7ccb1384d49e04d3ed
Instruction Fuzzy Hash: 2B415231904E40BBDB398B3CCC88B6A7B92AB46372F14417DEB8793560C676948CF751

Function 00FD2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FD2D1B
GetDC.USER32(00000000), ref: 00FD2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FD2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00FD2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FD2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FD2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FD5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00FD2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FD2DE1

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: f2c61da90c215998fa083a56351e8e48d902c448555ed38dc55aed96f9258262
Instruction ID: b19eda3b3fb63a798f8c22967cb26402a47affd7c345e24d4cf63f8aa4244d72
Opcode Fuzzy Hash: f2c61da90c215998fa083a56351e8e48d902c448555ed38dc55aed96f9258262
Instruction Fuzzy Hash: 75317F72202214BFEB114F64CC89FEB3BAAEF19725F084056FE08DA291D6759C51D7A4

Function 00FA5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FA5637
_memcmp.LIBVCRUNTIME ref: 00FA5659
_memcmp.LIBVCRUNTIME ref: 00FA5671
_memcmp.LIBVCRUNTIME ref: 00FA5684
_memcmp.LIBVCRUNTIME ref: 00FA569E
_memcmp.LIBVCRUNTIME ref: 00FA56B1
_memcmp.LIBVCRUNTIME ref: 00FA56C9
_memcmp.LIBVCRUNTIME ref: 00FA56E4

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ea5c9f3f471ee0c6e99d009d960284c799d834ef2f79d8a52e62c7dda150aef1
Instruction ID: 373a316c0ceba1385c3f0025a36a0a7a8f506270f6282f658eda4b4699216a1f
Opcode Fuzzy Hash: ea5c9f3f471ee0c6e99d009d960284c799d834ef2f79d8a52e62c7dda150aef1
Instruction Fuzzy Hash: E021CCE2A40A0977D61455108E83FFA335DBF22B94F484021FD169A742F725EE14B5A5

Function 00FC4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00FC5007
NULL Pointer assignment, xrefs: 00FC502E, 00FC5383

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 1384a378b9c129f86996ede95970efa1d2ca23ec0fdb247906eefc9c1a253c84
Instruction ID: 1b23cefd391ddbaf2d783b79cd14d16356737c7bece80fe91f1dcf1813b00392
Opcode Fuzzy Hash: 1384a378b9c129f86996ede95970efa1d2ca23ec0fdb247906eefc9c1a253c84
Instruction Fuzzy Hash: 91D1AD71A0060B9FDF10CFA8C982FAEB7B5BF48754F14816DE915AB280D770E985DB90

Function 00F81522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00F815CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F81651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F816E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F816FB

Part of subcall function 00F73820: RtlAllocateHeap.NTDLL(00000000,?,01011444,?,00F5FDF5,?,?,00F4A976,00000010,01011440,00F413FC,?,00F413C6,?,00F41129), ref: 00F73852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F81777
__freea.LIBCMT ref: 00F817A2
__freea.LIBCMT ref: 00F817AE

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0a9acc44b47cb3ca0c3f21339a1cd6efe64ed6243a2f19c84afcd3af54b3705e
Instruction ID: 3107af70521e237b335199f2ebed0c8423196b65e68707e8e51931b2ddb22057
Opcode Fuzzy Hash: 0a9acc44b47cb3ca0c3f21339a1cd6efe64ed6243a2f19c84afcd3af54b3705e
Instruction Fuzzy Hash: 2591A572E002169ADF20AE74CC41AEE7BB9BF49760F184759E805EB141DB35DC46EBA0

Function 00FC4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FC4648
VariantInit.OLEAUT32(?), ref: 00FC4749
VariantClear.OLEAUT32(?), ref: 00FC4753
VariantClear.OLEAUT32(?), ref: 00FC47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00FC472C
Null Object assignment in FOR..IN loop, xrefs: 00FC45D8, 00FC4706, 00FC47BE

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 325ece29391c72b4d9b3e46aa33eae0f9bcbdce5d33b2917dea50d6c0078ce5c
Instruction ID: a42aaa9701301dc79bfe667c649a398c052cd6c555603a4a2e9e57a30d0e9386
Opcode Fuzzy Hash: 325ece29391c72b4d9b3e46aa33eae0f9bcbdce5d33b2917dea50d6c0078ce5c
Instruction Fuzzy Hash: 4991AE71E0021AABDF20CFA5C955FAEBBB8EF46720F10855DF505AB280D770A945DFA0

Function 00FB1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00FB125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FB1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00FB12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FB12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FB135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FB13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FB1430

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 592f2831732fe60753330bc6291833bf6c9f134de03aaa7c507dabb397641be2
Instruction ID: daa8cdf8070e1a7aa3b2e5490d13ce7914ccfc4a2e05af987842bd2d941fe6dd
Opcode Fuzzy Hash: 592f2831732fe60753330bc6291833bf6c9f134de03aaa7c507dabb397641be2
Instruction Fuzzy Hash: B191DF72A00209AFDB00DFA9C8A4BFE77B5FF46321F144129E900E7291D779A941EF90

Function 00F5948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2b89e3e7a9d1fbd311bb9bd37e93d4489294d14d5564edfe0549015fcae1c350
Instruction ID: c3b876a672df624c89169dfab4c7eac4f57dc1c1e142431c497e7b1d15e04d37
Opcode Fuzzy Hash: 2b89e3e7a9d1fbd311bb9bd37e93d4489294d14d5564edfe0549015fcae1c350
Instruction Fuzzy Hash: F2916871D04219EFCB14CFA9CC88AEEBBB9FF48320F148059E915B7251D378A955EB60

Function 00FC3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FC396B
CharUpperBuffW.USER32(?,?), ref: 00FC3A7A
_wcslen.LIBCMT ref: 00FC3A8A
VariantClear.OLEAUT32(?), ref: 00FC3C1F

Part of subcall function 00FB0CDF: VariantInit.OLEAUT32(00000000), ref: 00FB0D1F
Part of subcall function 00FB0CDF: VariantCopy.OLEAUT32(?,?), ref: 00FB0D28
Part of subcall function 00FB0CDF: VariantClear.OLEAUT32(?), ref: 00FB0D34

Strings

AUTOIT.ERROR, xrefs: 00FC3A80, 00FC3A85
Incorrect Parameter format, xrefs: 00FC39A6, 00FC3BA1

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: beacd2b3eb056a35f3eb3f39e5d00160ae3f95b77ab4ec2047d6593ce2276438
Instruction ID: 5b311c25e685be7a618e8d3b2885bbc2c191ee59ec88b48377d6c22b79538096
Opcode Fuzzy Hash: beacd2b3eb056a35f3eb3f39e5d00160ae3f95b77ab4ec2047d6593ce2276438
Instruction Fuzzy Hash: D6918D75A083029FC704DF24C981A6ABBE5FF88354F14891DF8899B351DB35EE05DB82

Function 00FC4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00FA000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?,?,00FA035E), ref: 00FA002B
Part of subcall function 00FA000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?), ref: 00FA0046
Part of subcall function 00FA000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?), ref: 00FA0054
Part of subcall function 00FA000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?), ref: 00FA0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FC4C51
_wcslen.LIBCMT ref: 00FC4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FC4DCF
CoTaskMemFree.OLE32(?), ref: 00FC4DDA

Strings

NULL Pointer assignment, xrefs: 00FC4E23, 00FC4E52

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: e97a76147563ef4d919b3b1786b8d566d86b67b713ddad72bfbdab378160a700
Instruction ID: c474e9b4cf8eb5e7b5e3d97333e234a7ecc4df9defa4b016bb00e35b3b988b58
Opcode Fuzzy Hash: e97a76147563ef4d919b3b1786b8d566d86b67b713ddad72bfbdab378160a700
Instruction Fuzzy Hash: 0F911871D0021A9FDF14DFA4DC91EEEBBB9BF08310F10816AE915A7251DB746A44DF60

Function 00FD20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FD2183
GetMenuItemCount.USER32(00000000), ref: 00FD21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FD21DD
_wcslen.LIBCMT ref: 00FD2213
GetMenuItemID.USER32(?,?), ref: 00FD224D
GetSubMenu.USER32(?,?), ref: 00FD225B

Part of subcall function 00FA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA3A57
Part of subcall function 00FA3A3D: GetCurrentThreadId.KERNEL32 ref: 00FA3A5E
Part of subcall function 00FA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FA25B3), ref: 00FA3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FD22E3

Part of subcall function 00FAE97B: Sleep.KERNEL32 ref: 00FAE9F3

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: ca4e2796b99b474e64645bdae741a8d4ffd9c0ad7e63e802351444e730778c80
Instruction ID: cc19a3fa19d17cf2121d4db97c968934b48142faddc76608935e728f0b91109e
Opcode Fuzzy Hash: ca4e2796b99b474e64645bdae741a8d4ffd9c0ad7e63e802351444e730778c80
Instruction Fuzzy Hash: 6A718175E00205AFCB50DF64C841AAEBBF2EF58320F18845AE916EB341D739ED41ABD0

Function 00FD7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(017C56B8), ref: 00FD7F37
IsWindowEnabled.USER32(017C56B8), ref: 00FD7F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00FD801E
SendMessageW.USER32(017C56B8,000000B0,?,?), ref: 00FD8051
IsDlgButtonChecked.USER32(?,?), ref: 00FD8089
GetWindowLongW.USER32(017C56B8,000000EC), ref: 00FD80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FD80C3

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 1d644272cb3f7c42519c99e2c48496ac3fccc2c5fb570f5ae97d435de36fc2f1
Instruction ID: f75c56c89c545f68a8dd589bad3b049007f100bda3e9a3d638ac80433808fefc
Opcode Fuzzy Hash: 1d644272cb3f7c42519c99e2c48496ac3fccc2c5fb570f5ae97d435de36fc2f1
Instruction Fuzzy Hash: C871A434908344AFDB35AF64CC84FAABBB7EF09350F18405BE9555B351DB31A845EB90

Function 00FAAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FAAEF9
GetKeyboardState.USER32(?), ref: 00FAAF0E
SetKeyboardState.USER32(?), ref: 00FAAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FAAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FAAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FAAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FAB020

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d5887fba38f62c4547846ef4d20e2b4af81bff071b0fc2b4fe99cb509edface3
Instruction ID: 4272ff369060d9aeb65f130cc845d532d594360a1840699fb34eb0077de7d081
Opcode Fuzzy Hash: d5887fba38f62c4547846ef4d20e2b4af81bff071b0fc2b4fe99cb509edface3
Instruction Fuzzy Hash: 2A51A1E1A047D63DFB3642348C45BBABEE95B07314F08858AE1E9558C3D3D9A8C8F761

Function 00FAACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FAAD19
GetKeyboardState.USER32(?), ref: 00FAAD2E
SetKeyboardState.USER32(?), ref: 00FAAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FAADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FAADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FAAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FAAE38

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 802886cb0f2d8805c0410f7f03ae8c31b54d5de0e3a03a867d632b0e0a5e3d86
Instruction ID: f1df894204a2e403608ab42c2669701d12136e079d5e9c14887c4cc8737b2f30
Opcode Fuzzy Hash: 802886cb0f2d8805c0410f7f03ae8c31b54d5de0e3a03a867d632b0e0a5e3d86
Instruction Fuzzy Hash: AD51B0E19047D53DFB3782358C95B7ABEA96B47310F088489E1D9468C2D394EC9CF762

Function 00F7542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00F83CD6,?,?,?,?,?,?,?,?,00F75BA3,?,?,00F83CD6,?,?), ref: 00F75470
__fassign.LIBCMT ref: 00F754EB
__fassign.LIBCMT ref: 00F75506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F83CD6,00000005,00000000,00000000), ref: 00F7552C
WriteFile.KERNEL32(?,00F83CD6,00000000,00F75BA3,00000000,?,?,?,?,?,?,?,?,?,00F75BA3,?), ref: 00F7554B
WriteFile.KERNEL32(?,?,00000001,00F75BA3,00000000,?,?,?,?,?,?,?,?,?,00F75BA3,?), ref: 00F75584

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 92c5e35f77826b3b84d26a1998baff16d437bfda2ea76fbcc9d7cecc402799a3
Instruction ID: c4482a2b28b4ca6f3f5375a9067f4d66890d9e95303a8567a82011269d270756
Opcode Fuzzy Hash: 92c5e35f77826b3b84d26a1998baff16d437bfda2ea76fbcc9d7cecc402799a3
Instruction Fuzzy Hash: CA51C1B1A00649AFDB10CFA8D841AEEBBF9EF08710F18811BF559E7291D7709A41DB61

Function 00F5912D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F59141
ScreenToClient.USER32(00000000,?), ref: 00F5915E
GetAsyncKeyState.USER32(00000001), ref: 00F59183
GetAsyncKeyState.USER32(00000002), ref: 00F5919D

Strings

_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00F97152

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: _______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 4210589936-3308908821
Opcode ID: 68d51b8eb7d09b26412839543192ce9f51dccf853639f4277ddb1ace5cd1b1d3
Instruction ID: 8f557bbb5b430c73a3fb2dfd3617e947a21553b16f8cc34fc156cbe9227724ba
Opcode Fuzzy Hash: 68d51b8eb7d09b26412839543192ce9f51dccf853639f4277ddb1ace5cd1b1d3
Instruction Fuzzy Hash: 43417F3190861AEBDF09AF64C844BEEB775FB05331F204216E925A3290C7746D94EB91

Function 00F62D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F62D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00F62D53
_ValidateLocalCookies.LIBCMT ref: 00F62DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00F62E0C
_ValidateLocalCookies.LIBCMT ref: 00F62E61

Strings

csm, xrefs: 00F62DF6

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: cd1124c87c3d2bda4b52fd3cd26aa79e2b9198e791d36e615afa37599edcb829
Instruction ID: 075e4ecf7784bcfe5a89d63a2fab949e91a1632c59b6a97e2380797dbf6759d4
Opcode Fuzzy Hash: cd1124c87c3d2bda4b52fd3cd26aa79e2b9198e791d36e615afa37599edcb829
Instruction Fuzzy Hash: EF41D135E00609ABCF10DF68CC85ADEBBB5BF45324F148165E814AB392DB35EA05EBD1

Function 00FC10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FC307A
Part of subcall function 00FC304E: _wcslen.LIBCMT ref: 00FC309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FC1112
WSAGetLastError.WSOCK32 ref: 00FC1121
WSAGetLastError.WSOCK32 ref: 00FC11C9
closesocket.WSOCK32(00000000), ref: 00FC11F9

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 8bbd857b75eff679f7773f8e1d2fc53368215a2bbb4d9fb7d0c9826e0dd0fc11
Instruction ID: ea33790f24c1250c29aace521d17171a2c5d7fb2999462af5cfbc16afd536dd5
Opcode Fuzzy Hash: 8bbd857b75eff679f7773f8e1d2fc53368215a2bbb4d9fb7d0c9826e0dd0fc11
Instruction Fuzzy Hash: 9F41E431600206AFDB109F24CD45FA9BBAAFF46324F188059FD159B292C779ED41DBE0

Function 00FACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FACF22,?), ref: 00FADDFD

Part of subcall function 00FADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FACF22,?), ref: 00FADE16

lstrcmpiW.KERNEL32(?,?), ref: 00FACF45
MoveFileW.KERNEL32(?,?), ref: 00FACF7F
_wcslen.LIBCMT ref: 00FAD005
_wcslen.LIBCMT ref: 00FAD01B
SHFileOperationW.SHELL32(?), ref: 00FAD061

Strings

\*.*, xrefs: 00FACFF3

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ce8b7b015ba2ce6f5760ae4a7ad252b510b2ce63eb56a6e8977b34ef615c1ff7
Instruction ID: 501dd3b8c38f78ee03da4b4addd92fe07e606919efbce402f521e0b33ba187dc
Opcode Fuzzy Hash: ce8b7b015ba2ce6f5760ae4a7ad252b510b2ce63eb56a6e8977b34ef615c1ff7
Instruction Fuzzy Hash: 214136B1D452199FDF12EFA4DD81ADEB7B9AF09380F1000E6E505EB141EB74AB44EB50

Function 00FD2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FD2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00FD2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00FD2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FD2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FD2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00FD2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FD2F0B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 9daac750774c36afdfd1965f4f6061b26723e6deb60357d4b42440470717358f
Instruction ID: 47871149825b795eabfae01aa585e017a8a941909b04987835b46a1ae2dde876
Opcode Fuzzy Hash: 9daac750774c36afdfd1965f4f6061b26723e6deb60357d4b42440470717358f
Instruction Fuzzy Hash: 37311931A45145AFDB61CF28DC84F6537E2FBA9720F1901A6F6548B2A1CB75E840EB80

Function 00FA7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA778F
SysAllocString.OLEAUT32(00000000), ref: 00FA7792
SysAllocString.OLEAUT32(?), ref: 00FA77B0
SysFreeString.OLEAUT32(?), ref: 00FA77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00FA77DE
SysAllocString.OLEAUT32(?), ref: 00FA77EC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: cd4236aa06617959cadcc4b8b1b77cae68a714fb6fc47b00329acd15b1b19dbd
Instruction ID: 768ec550e3b1b66cdde8986e94a6998f084ab64c303d47569d007c02690bcbdb
Opcode Fuzzy Hash: cd4236aa06617959cadcc4b8b1b77cae68a714fb6fc47b00329acd15b1b19dbd
Instruction Fuzzy Hash: C621C4B6A05219AFDF10EFB8CC88DBB77ADEB0A3647008126FA04DB150D670DC45E7A0

Function 00FA77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA7868
SysAllocString.OLEAUT32(00000000), ref: 00FA786B
SysAllocString.OLEAUT32 ref: 00FA788C
SysFreeString.OLEAUT32 ref: 00FA7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00FA78AF
SysAllocString.OLEAUT32(?), ref: 00FA78BD

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d133f7db4fa6c21f2baf14d2ded4f157e58c0713d2b33b87e5004f12112400b7
Instruction ID: a3bd0e4b90a8d8d265a97c35c956b53b755cd04a3c317045ad9d79930775c4de
Opcode Fuzzy Hash: d133f7db4fa6c21f2baf14d2ded4f157e58c0713d2b33b87e5004f12112400b7
Instruction Fuzzy Hash: 4621A771A05209AFDB10AFB8DC88DAA77ECEF0A3607108125F915CB1A5D678DC41EB64

Function 00FB04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FB04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FB052E

Strings

nul, xrefs: 00FB0567

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c03d71286ed03ce42039a15c88b167f8d2fda5a868f8d6ed4e105c5094f7e80b
Instruction ID: 48baa9c34fe8bd2e69ac877f00f1dc36e7cfa7cf4a5c1aa83869196c2be9486a
Opcode Fuzzy Hash: c03d71286ed03ce42039a15c88b167f8d2fda5a868f8d6ed4e105c5094f7e80b
Instruction Fuzzy Hash: 44215CB590030AAFDB309F6ADC44A9B77A4AF45724F244A19E8A1D62E0DB709940EF60

Function 00FB05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FB05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FB0601

Strings

nul, xrefs: 00FB0639

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 67ea564772a9f22c58c1e61a5177e03d5bde2dcba5e16202001ef7df2852d849
Instruction ID: 4a69a2818b26b0d1e07b0838a826a6505470dbff2020a47e648435a0a44862a9
Opcode Fuzzy Hash: 67ea564772a9f22c58c1e61a5177e03d5bde2dcba5e16202001ef7df2852d849
Instruction Fuzzy Hash: 08213D759002169BDB209F6A9C04ADB77E5AF95730F200A19F8A1E72E0DA709960EF50

Function 00FD40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F4604C
Part of subcall function 00F4600E: GetStockObject.GDI32(00000011), ref: 00F46060
Part of subcall function 00F4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F4606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FD4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FD411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FD412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FD4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FD4145

Strings

Msctls_Progress32, xrefs: 00FD40E3

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3387e54586edc52299f8dfb95a1ea3b9c9df766ed51edb38e5001fa53b8b6cf2
Instruction ID: d0d2e6d2f36494b9d45f76b28c8080571ab60c4761feb8627763686cf1afb60b
Opcode Fuzzy Hash: 3387e54586edc52299f8dfb95a1ea3b9c9df766ed51edb38e5001fa53b8b6cf2
Instruction Fuzzy Hash: CC1193B2150119BFEF118E64CC85EE77F6DEF08798F004111BB58A6190C676AC21DBA4

Function 00F7D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F7D7A3: _free.LIBCMT ref: 00F7D7CC

_free.LIBCMT ref: 00F7D82D

Part of subcall function 00F729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000), ref: 00F729DE
Part of subcall function 00F729C8: GetLastError.KERNEL32(00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000,00000000), ref: 00F729F0

_free.LIBCMT ref: 00F7D838
_free.LIBCMT ref: 00F7D843
_free.LIBCMT ref: 00F7D897
_free.LIBCMT ref: 00F7D8A2
_free.LIBCMT ref: 00F7D8AD
_free.LIBCMT ref: 00F7D8B8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b99d4196b9d28b9dbb1c0da8723bd64cf0c25afdf5a85fcb1f1f813dedecb082
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: C8115171540B04AAD529BFB4CC47FCBBBFC6F40700F848826B29DA6092DA69B5467652

Function 00FADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FADA74
LoadStringW.USER32(00000000), ref: 00FADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FADA91
LoadStringW.USER32(00000000), ref: 00FADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FADAB9

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 5b6187763159aa399c2d43c655e4f067aff4b099cdad3649cb26edd0c3084a92
Instruction ID: 8988d1d22a54b9af3e4076566d44ff6f306ec0d6ea5738b9f6fe654de6cb7c25
Opcode Fuzzy Hash: 5b6187763159aa399c2d43c655e4f067aff4b099cdad3649cb26edd0c3084a92
Instruction Fuzzy Hash: 460186F290021D7FE711ABB0DD89EEB336DE709701F400596B746E2042EA749E84AFB4

Function 00FB096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(017BE3A8,017BE3A8), ref: 00FB097B
EnterCriticalSection.KERNEL32(017BE388,00000000), ref: 00FB098D
TerminateThread.KERNEL32(00540050,000001F6), ref: 00FB099B
WaitForSingleObject.KERNEL32(00540050,000003E8), ref: 00FB09A9
CloseHandle.KERNEL32(00540050), ref: 00FB09B8
InterlockedExchange.KERNEL32(017BE3A8,000001F6), ref: 00FB09C8
LeaveCriticalSection.KERNEL32(017BE388), ref: 00FB09CF

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f86a9aa30be4d692d5c69afbdfa9de6b4df4d2b0aa072bd8c0378a697cc7987a
Instruction ID: d3c43d30a9eca053d49f6bbd95be4dc957d4f9430264272cfbea359f33a36cfb
Opcode Fuzzy Hash: f86a9aa30be4d692d5c69afbdfa9de6b4df4d2b0aa072bd8c0378a697cc7987a
Instruction Fuzzy Hash: 43F01D31583517BBD7515BA5EE88BD67B36BF01712F401116F141908A0CB749465EFD0

Function 00F45D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F45D30
GetWindowRect.USER32(?,?), ref: 00F45D71
ScreenToClient.USER32(?,?), ref: 00F45D99
GetClientRect.USER32(?,?), ref: 00F45ED7
GetWindowRect.USER32(?,?), ref: 00F45EF8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a073fac2e3279728813e2ded8e799360b5727ec0a7a137e0d2b4bdab9071ea84
Instruction ID: caf0b8dbf07e53cfebc7014d956eb10fe208fcb51a36f84d091edacc06198077
Opcode Fuzzy Hash: a073fac2e3279728813e2ded8e799360b5727ec0a7a137e0d2b4bdab9071ea84
Instruction Fuzzy Hash: C9B16B35A0074ADBDB10EFA9C4407EEBBF1FF48310F14841AE8A9D7250DB34AA51EB54

Function 00F701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00F700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F700D6
__allrem.LIBCMT ref: 00F700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F7010B
__allrem.LIBCMT ref: 00F70122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F70140

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 6ebba3bbe2debc2f84414e517953158fbc3fffbb11ed5080ed64c50b9d79132b
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 60811872A00706DBE724AF28DC41B6B73E9AF45334F24823BF555D7281EBB4D904AB51

Function 00FC1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00FC101C,00000000,?,?,00000000), ref: 00FC3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FC1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FC1DE1
WSAGetLastError.WSOCK32 ref: 00FC1DF2
inet_ntoa.WSOCK32(?), ref: 00FC1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00FC1EDB
_strlen.LIBCMT ref: 00FC1F35

Part of subcall function 00FA39E8: _strlen.LIBCMT ref: 00FA39F2

Part of subcall function 00F46D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00F5CF58,?,?,?), ref: 00F46DBA
Part of subcall function 00F46D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00F5CF58,?,?,?), ref: 00F46DED

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: cb3fb6d0e26c12037e3bff429207806f6e155050514c7dada49cd0b68d841dab
Instruction ID: d4388e851a7029caa7e21254311ce277b33fc5e915ee2e1423602939930f456b
Opcode Fuzzy Hash: cb3fb6d0e26c12037e3bff429207806f6e155050514c7dada49cd0b68d841dab
Instruction Fuzzy Hash: 05A1C131504341AFC314DF24C886F2ABBA5BF86318F54894CF8565B2A3CB75ED46EB92

Function 00F761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F682D9,00F682D9,?,?,?,00F7644F,00000001,00000001,8BE85006), ref: 00F76258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F7644F,00000001,00000001,8BE85006,?,?,?), ref: 00F762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F763D8
__freea.LIBCMT ref: 00F763E5

Part of subcall function 00F73820: RtlAllocateHeap.NTDLL(00000000,?,01011444,?,00F5FDF5,?,?,00F4A976,00000010,01011440,00F413FC,?,00F413C6,?,00F41129), ref: 00F73852

__freea.LIBCMT ref: 00F763EE
__freea.LIBCMT ref: 00F76413

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 862821036aa2d34b6044cf38238b495ba8bac042b079027fc945b2098086329f
Instruction ID: 405ce1b275bae35f5a85371210ee6f26aa2d424b11e430500b2267a6c17726fa
Opcode Fuzzy Hash: 862821036aa2d34b6044cf38238b495ba8bac042b079027fc945b2098086329f
Instruction Fuzzy Hash: 4E51D772A00616ABDF258F64CC81EAF77A9EF44760F15862AFC09D7241DB34DC44E762

Function 00FCBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FCC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB6AE,?,?), ref: 00FCC9B5
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCC9F1
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA68
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FCBD25
RegCloseKey.ADVAPI32(00000000), ref: 00FCBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FCBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FCBDF3
RegCloseKey.ADVAPI32(?), ref: 00FCBDFF

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 4b7955efd0f3209134bfcfc08fe4390a86e665519ab2143ede4d7f904d15c7ce
Instruction ID: dc6355bc57eb121432933a528e3e148a49c2cc0531aa53aa8e47309510cdefb8
Opcode Fuzzy Hash: 4b7955efd0f3209134bfcfc08fe4390a86e665519ab2143ede4d7f904d15c7ce
Instruction Fuzzy Hash: 2A81A135608242AFC714DF24C986F2ABBE5FF84318F14455CF55A8B2A2CB31ED05EB92

Function 00F9F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00F9F7B9
SysAllocString.OLEAUT32(00000001), ref: 00F9F860
VariantCopy.OLEAUT32(00F9FA64,00000000), ref: 00F9F889
VariantClear.OLEAUT32(00F9FA64), ref: 00F9F8AD
VariantCopy.OLEAUT32(00F9FA64,00000000), ref: 00F9F8B1
VariantClear.OLEAUT32(?), ref: 00F9F8BB

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: d806a1c17e611b66adcec1de6d7cd8e4b7ec691cc0fe07b0f7eb688b9ce49154
Instruction ID: 009cebbb68c15aeb87e7e2a212e83c6a657390364449e0cbbdcc3330e5ae00f6
Opcode Fuzzy Hash: d806a1c17e611b66adcec1de6d7cd8e4b7ec691cc0fe07b0f7eb688b9ce49154
Instruction Fuzzy Hash: 9A510932A00310BAEF60AF65DC95769B3A5EF45320F248467ED05DF291DB74CC48EB96

Function 00FB910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F47620: _wcslen.LIBCMT ref: 00F47625

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00FB94E5
_wcslen.LIBCMT ref: 00FB9506
_wcslen.LIBCMT ref: 00FB952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00FB9585

Strings

X, xrefs: 00FB9412

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 2ef61b29c2b38c087ed15f6bcc83c3303b22ad6e0cee1668997f8d21c2e81201
Instruction ID: 424e0410f1619c61d7e9952620d8bf16eb2631970a74fa20a758ef6b7e678dd4
Opcode Fuzzy Hash: 2ef61b29c2b38c087ed15f6bcc83c3303b22ad6e0cee1668997f8d21c2e81201
Instruction Fuzzy Hash: AFE1B331908340CFD724DF25C881AAAB7E4BF85310F18896DF9899B3A2DB75DD05DB92

Function 00F5920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

BeginPaint.USER32(?,?,?), ref: 00F59241
GetWindowRect.USER32(?,?), ref: 00F592A5
ScreenToClient.USER32(?,?), ref: 00F592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F592D3
EndPaint.USER32(?,?,?,?,?), ref: 00F59321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F971EA

Part of subcall function 00F59339: BeginPath.GDI32(00000000), ref: 00F59357

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: d1da52f9fa07b22c0c2387973f8ad82f6dd714e30d1eccfd0bbc44911d9b96e1
Instruction ID: 91b8290b866a469db641cbbfc0651786e9a2177eabe681d1c6afdf63219c13d3
Opcode Fuzzy Hash: d1da52f9fa07b22c0c2387973f8ad82f6dd714e30d1eccfd0bbc44911d9b96e1
Instruction Fuzzy Hash: 6D41B031509301EFDB25DF24CC84FBA7BA9EB55321F140229FAA4872E1C7759849EB61

Function 00FB07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FB080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FB0847
EnterCriticalSection.KERNEL32(?), ref: 00FB0863
LeaveCriticalSection.KERNEL32(?), ref: 00FB08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FB08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FB0921

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 26ba6f33df5e09b41650b65818d8d30030d55c827e17b74fe29914cafdb29ba9
Instruction ID: 14e9d82fe7b0a95632f50413f406571035f8cc6c865b26b6cabe0ce76e016a53
Opcode Fuzzy Hash: 26ba6f33df5e09b41650b65818d8d30030d55c827e17b74fe29914cafdb29ba9
Instruction Fuzzy Hash: A8418B31900206EFDF14AF64DC85AAA77B9FF04310F1040A5ED009A297DB35DE64EBA0

Function 00FD81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F9F3AB,00000000,?,?,00000000,?,00F9682C,00000004,00000000,00000000), ref: 00FD824C
EnableWindow.USER32(00000000,00000000), ref: 00FD8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00FD82D1
ShowWindow.USER32(00000000,00000004), ref: 00FD82E5
EnableWindow.USER32(00000000,00000001), ref: 00FD830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FD832F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3095034d696511d59329f4a38aa6c194ae4b313610f3fdf9e68e57a93f2c76c8
Instruction ID: 7d616440d14ac99cd3ee67abf14ebba8d43fe2c362ad43b01ae16e5f08c9efb8
Opcode Fuzzy Hash: 3095034d696511d59329f4a38aa6c194ae4b313610f3fdf9e68e57a93f2c76c8
Instruction Fuzzy Hash: DB419734A01644AFDB25CF25CC85BE47BF3FB06765F1C4266E6584B362CB369842DB50

Function 00FA4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FA4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FA4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FA4CEA
_wcslen.LIBCMT ref: 00FA4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FA4D10
_wcsstr.LIBVCRUNTIME ref: 00FA4D1A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 8b48ea45fbf26e1fb1550be2532a4b374fa8b7e6ff6ec193a476cdd41c86ee3f
Instruction ID: 1c550acc666cb47963c3be968324b1f1e5d488421dc109a73586f78580335bdc
Opcode Fuzzy Hash: 8b48ea45fbf26e1fb1550be2532a4b374fa8b7e6ff6ec193a476cdd41c86ee3f
Instruction Fuzzy Hash: AE216E726041057BEB155B35DC05E3B7B9DDF86720F10403AF809CA191DFA4EC00F2A0

Function 00FB581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F43A97,?,?,00F42E7F,?,?,?,00000000), ref: 00F43AC2

_wcslen.LIBCMT ref: 00FB587B
CoInitialize.OLE32(00000000), ref: 00FB5995
CoCreateInstance.OLE32(00FDFCF8,00000000,00000001,00FDFB68,?), ref: 00FB59AE
CoUninitialize.OLE32 ref: 00FB59CC

Strings

.lnk, xrefs: 00FB5876, 00FB58C1, 00FB5985

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: e3a14945966cd1402d6eeb01150bd9f1a18478554bfca621ea187894ceb60fac
Instruction ID: e5cd3c7b9ccef7e314b0836d370f0306f8733f41eb3b6b0144637d4bdc0c27a5
Opcode Fuzzy Hash: e3a14945966cd1402d6eeb01150bd9f1a18478554bfca621ea187894ceb60fac
Instruction Fuzzy Hash: D7D16571A047019FC714DF25C880A6ABBE5EF89B20F14885DF8899B361DB39EC45DF92

Function 00FA175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FA0FCA
Part of subcall function 00FA0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FA0FD6
Part of subcall function 00FA0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FA0FE5
Part of subcall function 00FA0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FA0FEC
Part of subcall function 00FA0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FA1002

GetLengthSid.ADVAPI32(?,00000000,00FA1335), ref: 00FA17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FA17BA
HeapAlloc.KERNEL32(00000000), ref: 00FA17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FA17DA
GetProcessHeap.KERNEL32(00000000,00000000,00FA1335), ref: 00FA17EE
HeapFree.KERNEL32(00000000), ref: 00FA17F5

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 2f307ae3623ff4c9286d104cfa46a901877985dd85e80b1cbf875a68391b5646
Instruction ID: 2a25f914cd1343948ef17cbcea1912430e576209ab350e508ce6561b0c6f1865
Opcode Fuzzy Hash: 2f307ae3623ff4c9286d104cfa46a901877985dd85e80b1cbf875a68391b5646
Instruction Fuzzy Hash: BE11B1B191121AFFDB109FA4CC49FAF7BA9FB42365F114119F44197151C7359940EBA0

Function 00FA14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FA14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00FA1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FA1515
CloseHandle.KERNEL32(00000004), ref: 00FA1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FA154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FA1563

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 1a907acb1fa98a66dd901838c9a078ea6343356667b135ab082930949d786538
Instruction ID: 769515af82b5d86e7d25286de3a929d135f28c5565b160bad94f4d35aaaa8802
Opcode Fuzzy Hash: 1a907acb1fa98a66dd901838c9a078ea6343356667b135ab082930949d786538
Instruction Fuzzy Hash: 41111AB290120EAFDF11CFA8DD49BDA7BAAFB49754F054115FA05A2060C3758E60EB60

Function 00F63382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F63379,00F62FE5), ref: 00F63390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F6339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F633B7
SetLastError.KERNEL32(00000000,?,00F63379,00F62FE5), ref: 00F63409

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d0c276f23b44184933cd18f29dbad822b870cd38dc14a257357ae65d59f78996
Instruction ID: 72092f3311e2fd7dda37a4316069d6454316678b1d71c3572d26f844b1590476
Opcode Fuzzy Hash: d0c276f23b44184933cd18f29dbad822b870cd38dc14a257357ae65d59f78996
Instruction Fuzzy Hash: 0301F733A093117EFA267774BD8AA673BA4EB06379B20032AF510812E0EF174D11F684

Function 00F72D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F75686,00F83CD6,?,00000000,?,00F75B6A,?,?,?,?,?,00F6E6D1,?,01008A48), ref: 00F72D78
_free.LIBCMT ref: 00F72DAB
_free.LIBCMT ref: 00F72DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00F6E6D1,?,01008A48,00000010,00F44F4A,?,?,00000000,00F83CD6), ref: 00F72DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00F6E6D1,?,01008A48,00000010,00F44F4A,?,?,00000000,00F83CD6), ref: 00F72DEC
_abort.LIBCMT ref: 00F72DF2

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: f066eb81cac56057eb4b9ee845b56d7f2ad4ebf99946cafc76e8566dc466139f
Instruction ID: c1e76b79eff0356c5243d7b26ec2f5737a95b3e4f6be92cef1ae766d45f9b235
Opcode Fuzzy Hash: f066eb81cac56057eb4b9ee845b56d7f2ad4ebf99946cafc76e8566dc466139f
Instruction Fuzzy Hash: 31F0F43290560137C6B23339AC06E5E366AABC27B0F24C11BF92C921D6EE288841B163

Function 00FD8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F59639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F59693
Part of subcall function 00F59639: SelectObject.GDI32(?,00000000), ref: 00F596A2
Part of subcall function 00F59639: BeginPath.GDI32(?), ref: 00F596B9
Part of subcall function 00F59639: SelectObject.GDI32(?,00000000), ref: 00F596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FD8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00FD8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FD8A70
LineTo.GDI32(?,00000000,00000003), ref: 00FD8A80
EndPath.GDI32(?), ref: 00FD8A90
StrokePath.GDI32(?), ref: 00FD8AA0

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ecf9f08ca72f5f243e5eccca6181027a56688aeb496131f691063091e120f913
Instruction ID: 2a894404c3f131c21e37ea4499b8e1acbeeb74388ffc69d69d4c07366766a188
Opcode Fuzzy Hash: ecf9f08ca72f5f243e5eccca6181027a56688aeb496131f691063091e120f913
Instruction Fuzzy Hash: 1A111E7640114DFFDF119FA0DC48E9A7F6EEF04350F048012BA1596161C7769D55EFA0

Function 00FA51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FA5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FA5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FA5230
ReleaseDC.USER32(00000000,00000000), ref: 00FA5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FA524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00FA5261

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: aa8f9f2a5baa1c74b6c6f085163da4fc100faff84fef4e67e3788cada2323110
Instruction ID: 3c6337e9c221b59c6a9eca22a39d2a200e55686bddb5003eff033e9227699a7d
Opcode Fuzzy Hash: aa8f9f2a5baa1c74b6c6f085163da4fc100faff84fef4e67e3788cada2323110
Instruction Fuzzy Hash: 7C018FB5E01719BBEB10ABB59C49B4EBFB9EF48751F044066FA04E7280D6709800DBA0

Function 00F41BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F41BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F41BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F41C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F41C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F41C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F41C22

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b4c962046b38588969aaf76314bd7a0954c29f6eff3cc1699a8272deca7042cd
Instruction ID: 71e2f77f04591c19ede8edb9babd957f25ec4984bcf17efb6265c54cc84ef98f
Opcode Fuzzy Hash: b4c962046b38588969aaf76314bd7a0954c29f6eff3cc1699a8272deca7042cd
Instruction Fuzzy Hash: 0E0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00FAEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FAEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FAEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00FAEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FAEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FAEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FAEB75

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3b61627246edccf8c42cb6b725a3cc83ad9ec30afcfa537f260f3adbb2120d3a
Instruction ID: 70de74f41f5609f01e546ff4690768b0be8ba1b0d0538c9dd98a5775af0c2a51
Opcode Fuzzy Hash: 3b61627246edccf8c42cb6b725a3cc83ad9ec30afcfa537f260f3adbb2120d3a
Instruction Fuzzy Hash: EDF0307254216DBBEB215B629C0DEEF7B7DEFCAB11F00015AF601D1091D7A05A01E6F5

Function 00F97439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00F97452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00F97469
GetWindowDC.USER32(?), ref: 00F97475
GetPixel.GDI32(00000000,?,?), ref: 00F97484
ReleaseDC.USER32(?,00000000), ref: 00F97496
GetSysColor.USER32(00000005), ref: 00F974B0

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 67159d5eb3f178ec61ce40d3b4616206de2a7a460131001d8f29e9589a51d57d
Instruction ID: 7b339be14878f4f436a3803566799c54c812e3eb02f0f6169836f99595af2a1f
Opcode Fuzzy Hash: 67159d5eb3f178ec61ce40d3b4616206de2a7a460131001d8f29e9589a51d57d
Instruction Fuzzy Hash: F701A23240521AEFEB50AF74DC08BAD7BB6FF04321F540161F915A21A1CB311D41FB90

Function 00FA1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FA187F
UnloadUserProfile.USERENV(?,?), ref: 00FA188B
CloseHandle.KERNEL32(?), ref: 00FA1894
CloseHandle.KERNEL32(?), ref: 00FA189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FA18A5
HeapFree.KERNEL32(00000000), ref: 00FA18AC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e47372024a67f6e1e21d25978ccf0d95d84a7c362f21ecce3f6bcf7564212a3e
Instruction ID: 4ffa26b8b2407c89698450a1bcba326cf5918127a1253f62e3027904171a1be3
Opcode Fuzzy Hash: e47372024a67f6e1e21d25978ccf0d95d84a7c362f21ecce3f6bcf7564212a3e
Instruction Fuzzy Hash: A0E0ED3604511AFBDB016FB2ED0C905BF3AFF497227108222F225810B1CB325420EF90

Function 00FAC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47620: _wcslen.LIBCMT ref: 00F47625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FAC6EE
_wcslen.LIBCMT ref: 00FAC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FAC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FAC7CA

Strings

0, xrefs: 00FAC6AF

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: d014de2334de0309cb2fb970af0675cfc9eafd0e66542576ba04bbc3a84bbeb7
Instruction ID: 381a16b59f51ced2722106ad4e55b4fb1a7a8624bf2901c67c31ba5a41900a0c
Opcode Fuzzy Hash: d014de2334de0309cb2fb970af0675cfc9eafd0e66542576ba04bbc3a84bbeb7
Instruction Fuzzy Hash: B051AFB1A043019BD715DE28C885B6B7BE8AF4A324F040A2DF995D7291DB78D904EFD2

Function 00FCAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00FCAEA3

Part of subcall function 00F47620: _wcslen.LIBCMT ref: 00F47625

GetProcessId.KERNEL32(00000000), ref: 00FCAF38
CloseHandle.KERNEL32(00000000), ref: 00FCAF67

Strings

@, xrefs: 00FCAE72
<, xrefs: 00FCAE6B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 6bc85ff7f6ed31f30af09d19ad9a0d21214f2b207eb374848f63c91dfd83decc
Instruction ID: 6134ca24177baad75cb62e7e4f4e2c197268efe191b860994f9999bdd777b11e
Opcode Fuzzy Hash: 6bc85ff7f6ed31f30af09d19ad9a0d21214f2b207eb374848f63c91dfd83decc
Instruction Fuzzy Hash: 2A716771A0061ADFCB14EF64C986A9EBBF0EF08314F04849DE816AB352C779ED45DB91

Function 00FA719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FA7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FA723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FA724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FA72CF

Strings

DllGetClassObject, xrefs: 00FA7242

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 646c0736fb4ab03dbe98a3b49a6798ca77de4e444025a5f477fcf9cb673e6fb1
Instruction ID: 6632f206c0c98f1eb9e8572401aba0e593ddde3fb48f1433ea521a50c9e350a8
Opcode Fuzzy Hash: 646c0736fb4ab03dbe98a3b49a6798ca77de4e444025a5f477fcf9cb673e6fb1
Instruction Fuzzy Hash: 42418DB1A043049FDB15DF54CC84F9A7BE9EF45310F1480AABD059F24AD7B0D945EBA0

Function 00FD3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FD3E35
IsMenu.USER32(?), ref: 00FD3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FD3E92
DrawMenuBar.USER32 ref: 00FD3EA5

Strings

0, xrefs: 00FD3D89

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 09fc70d76bdacda55fe503c7470af9eea3fa142de70fd5e3a4b547fcc80f4483
Instruction ID: 9eaca0f4e5e2ae03ee0b1fdd92dc096fcd5d2c686d2229a96ee1601958c21487
Opcode Fuzzy Hash: 09fc70d76bdacda55fe503c7470af9eea3fa142de70fd5e3a4b547fcc80f4483
Instruction Fuzzy Hash: 45414D75A01209AFDB10DF60D884A9AB7B6FF45360F08411AEA1597390D734AE44EF91

Function 00FA1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FA1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FA1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FA1EA9

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

Strings

ListBox, xrefs: 00FA1E25
ComboBox, xrefs: 00FA1DF0

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 8c3dca928271f866377f8f0b6495751b620eba4836bf1dbf154e66ba0c8759cf
Instruction ID: 55943e4895654a4b881b98683822d52b5380836061beef14644cb8816ddf28fb
Opcode Fuzzy Hash: 8c3dca928271f866377f8f0b6495751b620eba4836bf1dbf154e66ba0c8759cf
Instruction Fuzzy Hash: A121E5B1A00108BADB14AB64DC86CFFBBB9EF46360F144119FD25A71E1DB785909BA60

Function 00FCC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FCC9F1
_wcslen.LIBCMT ref: 00FCCA68
_wcslen.LIBCMT ref: 00FCCA9E
_wcslen.LIBCMT ref: 00FCCAF9
_wcslen.LIBCMT ref: 00FCCB2F
_wcslen.LIBCMT ref: 00FCCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00FCCA62, 00FCCA67
HKLM, xrefs: 00FCCA98, 00FCCA9D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 8212b445a5f0bc2cb9213bf407d018c0cc8b93eac8d361f625d2c449fa0e0f82
Instruction ID: 065ebd9ecc07bce2234d266cc7ce676262f7b05d3a00cd4c5eedc458c49b4481
Opcode Fuzzy Hash: 8212b445a5f0bc2cb9213bf407d018c0cc8b93eac8d361f625d2c449fa0e0f82
Instruction Fuzzy Hash: 8E31F733E0016B4ADB20EE6DDE66ABE37915B61760F05401DE889AB245E67DDD40B3E0

Function 00FD2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FD2F8D
LoadLibraryW.KERNEL32(?), ref: 00FD2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FD2FA9
DestroyWindow.USER32(?), ref: 00FD2FB1

Strings

SysAnimate32, xrefs: 00FD2F68

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 678b2e2699e8b41449a2ffa0f92266197a43fff7c20191d777fb47fada44bd20
Instruction ID: 62724d6270d0cc40e8b526c0ffe6b309a32d53fc814bdea141ddbf8a3a9fce9c
Opcode Fuzzy Hash: 678b2e2699e8b41449a2ffa0f92266197a43fff7c20191d777fb47fada44bd20
Instruction Fuzzy Hash: 4D21DE71704209ABEB104F64DC80EBB37BAEF69334F140A1AF954D6290C771DC41B7A0

Function 00F64D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F64D1E,00F728E9,?,00F64CBE,00F728E9,010088B8,0000000C,00F64E15,00F728E9,00000002), ref: 00F64D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F64DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00F64D1E,00F728E9,?,00F64CBE,00F728E9,010088B8,0000000C,00F64E15,00F728E9,00000002,00000000), ref: 00F64DC3

Strings

mscoree.dll, xrefs: 00F64D86
CorExitProcess, xrefs: 00F64D98

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b9a56c3dbde097d2a2ece74b20fdd88827678dab514fa1c6d70b06e23f732e93
Instruction ID: a2a781307a38e4181a53d5b7a9d57c11a5ff944e6803a091bedf2f3f447a9ec8
Opcode Fuzzy Hash: b9a56c3dbde097d2a2ece74b20fdd88827678dab514fa1c6d70b06e23f732e93
Instruction Fuzzy Hash: 08F04F34A4121DBBDB119FA1DC49BAEBBB9EF44752F0401A5F805A2250CF75A980EBD1

Function 00F44E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F44EDD,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F44EAE
FreeLibrary.KERNEL32(00000000,?,?,00F44EDD,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F44EA8
kernel32.dll, xrefs: 00F44E94

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f5eac970062153b9ddb06297d2c2ea7e342e7571e9806f109f7813454dc39ad9
Instruction ID: 11a3e6eef6915fdf737457b59a11c8c461f87d8c2558598317cc08a0f3256468
Opcode Fuzzy Hash: f5eac970062153b9ddb06297d2c2ea7e342e7571e9806f109f7813454dc39ad9
Instruction Fuzzy Hash: EDE08C36E026339BD2225B35AC1CB6BBA59AF81B72B090117FC00E2250DF60DD02E0E1

Function 00F44E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F83CDE,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F44E74
FreeLibrary.KERNEL32(00000000,?,?,00F83CDE,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F44E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00F44E6E
kernel32.dll, xrefs: 00F44E5B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: f1822f05e2c94e754ab1d4ec119dcd3ba9221d4733379df2779f103cb01aadc4
Instruction ID: 9c3df3e97a083602b56d5d30d36037001b52279ef1ed29fee2e101055b2a52a7
Opcode Fuzzy Hash: f1822f05e2c94e754ab1d4ec119dcd3ba9221d4733379df2779f103cb01aadc4
Instruction Fuzzy Hash: 18D01235903633575A221B356C18F8B7F19AF85B653050617BD05F7155CF61DD01E5D0

Function 00FCA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00FCA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FCA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FCA468
CloseHandle.KERNEL32(?), ref: 00FCA63D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 199354433a197d7d2ab1ac0fc9f1456ff3abd4839360ac3ef5f99ab9dc00c995
Instruction ID: fe7622760cded2c9bcac9441af47c67ad778fe48906cb9297c7ae89cb4d3045d
Opcode Fuzzy Hash: 199354433a197d7d2ab1ac0fc9f1456ff3abd4839360ac3ef5f99ab9dc00c995
Instruction Fuzzy Hash: 67A1D0716043019FD720DF24C986F2AB7E1AF84724F14881DF99A9B392DBB5EC05DB92

Function 00FAE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FACF22,?), ref: 00FADDFD

Part of subcall function 00FADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FACF22,?), ref: 00FADE16

Part of subcall function 00FAE199: GetFileAttributesW.KERNEL32(?,00FACF95), ref: 00FAE19A

lstrcmpiW.KERNEL32(?,?), ref: 00FAE473
MoveFileW.KERNEL32(?,?), ref: 00FAE4AC
_wcslen.LIBCMT ref: 00FAE5EB
_wcslen.LIBCMT ref: 00FAE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00FAE650

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e8f4693c4ed0fd2baccd06f2eaa5463d1bc59b6123c0de546333c3ac997f0886
Instruction ID: 529c6fd50ad3f3cee8d7e8e1124ed0a1837ece560361674bcb8518705080c00f
Opcode Fuzzy Hash: e8f4693c4ed0fd2baccd06f2eaa5463d1bc59b6123c0de546333c3ac997f0886
Instruction Fuzzy Hash: EE5182F25083459BC724EBA4DC819DFB3ECAF85350F00491EF689D3151EF78A6889766

Function 00FCB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FCC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB6AE,?,?), ref: 00FCC9B5
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCC9F1
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA68
Part of subcall function 00FCC998: _wcslen.LIBCMT ref: 00FCCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FCBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FCBB63
RegCloseKey.ADVAPI32(?,?), ref: 00FCBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00FCBBB3

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 23d298a815530643d51dfce31ebc1d14c3fdd8b8129b2c66421af5d064e5ba9b
Instruction ID: 2f4de27edb817e67572f6e955ad8aeef19ad952adb79e942d24b7a208254b20f
Opcode Fuzzy Hash: 23d298a815530643d51dfce31ebc1d14c3fdd8b8129b2c66421af5d064e5ba9b
Instruction Fuzzy Hash: 5561C535608242AFC314DF14C996F2ABBE5FF84314F14855CF4998B292CB35ED45DB92

Function 00FA8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FA8BCD
VariantClear.OLEAUT32 ref: 00FA8C3E
VariantClear.OLEAUT32 ref: 00FA8C9D
VariantClear.OLEAUT32(?), ref: 00FA8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FA8D3B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c69088b4cc08b3cfd3edecb41d7e70472c61e47dce50b87530259c77634bcd79
Instruction ID: aa5ab59f4cfc28a6e587215d87bf8beba0418230e3e4d6738dfcea3b54378763
Opcode Fuzzy Hash: c69088b4cc08b3cfd3edecb41d7e70472c61e47dce50b87530259c77634bcd79
Instruction Fuzzy Hash: 9B516CB5A0021AEFCB14CF68C894AAAB7F9FF89350B158559F905DB350E770E912CF90

Function 00FB8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FB8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FB8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FB8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FB8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FB8C5F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 8b53b753de0926aa5c8f32a253c4216d9a8e05b8f58b301075c0be90c845e40c
Instruction ID: c1c4a4d4af6312aaa2ee4a53dfce124d9ed3412f2ff8bb8c5ebf67906c74b060
Opcode Fuzzy Hash: 8b53b753de0926aa5c8f32a253c4216d9a8e05b8f58b301075c0be90c845e40c
Instruction Fuzzy Hash: 23515C75A002199FCB00EF65C881AADBBF5FF48314F088459E849AB362CB35ED41EF90

Function 00FC8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FC8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00FC8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00FC8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00FC9032
FreeLibrary.KERNEL32(00000000), ref: 00FC9052

Part of subcall function 00F5F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FB1043,?,753CE610), ref: 00F5F6E6
Part of subcall function 00F5F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F9FA64,00000000,00000000,?,?,00FB1043,?,753CE610,?,00F9FA64), ref: 00F5F70D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 99d52cd91843ed05ac799d9135ad4ec8d1e47f2325403a94a6d41efb10c5b503
Instruction ID: b2201e93d3325f503f411a4ac4ddcbe0293c909af218aad6c18fd77756e5caca
Opcode Fuzzy Hash: 99d52cd91843ed05ac799d9135ad4ec8d1e47f2325403a94a6d41efb10c5b503
Instruction Fuzzy Hash: 92515B35A05206DFC701DF68C585DADBBF1FF49324B088099E8099B362DB75ED86EB90

Function 00FD6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FD6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00FD6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FD6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FBAB79,00000000,00000000), ref: 00FD6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FD6CC7

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: cd028815462476e164ca5f9d0e6654764210926fedbd06ed30672d6294a0c2b7
Instruction ID: ba3215584f75b94eb0f2e43883d2621f603a932845ba93453bb678aad0a86a63
Opcode Fuzzy Hash: cd028815462476e164ca5f9d0e6654764210926fedbd06ed30672d6294a0c2b7
Instruction Fuzzy Hash: F841A235A14104AFD724CF38CC44FA97BA6EB49361F19026AF999E73E0C771AD41EA80

Function 00F72051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F720C3
_free.LIBCMT ref: 00F720E3

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4d61a5e81623e451b68cd008ab4f7466f0f91647e33c3f3819c5589d50a48124
Instruction ID: 6291b773314e40fc3ce93ed3238e3a8c63749346c20906a10b05698dab035144
Opcode Fuzzy Hash: 4d61a5e81623e451b68cd008ab4f7466f0f91647e33c3f3819c5589d50a48124
Instruction Fuzzy Hash: 2A41E632E002009FCB20DF78C881A5DB3F5EF89320F1585AAEA19EB351D731AD01EB91

Function 00FB3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FB38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00FB3922
TranslateMessage.USER32(?), ref: 00FB394B
DispatchMessageW.USER32(?), ref: 00FB3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB3966

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 16636be3ae03864d780817b70ff568248bf203dcc2f0382909df702a914a97e5
Instruction ID: 0d29ca04c556c4696f7f7bd16b20ee7e5bff3052e323a99c437526007dcc1986
Opcode Fuzzy Hash: 16636be3ae03864d780817b70ff568248bf203dcc2f0382909df702a914a97e5
Instruction Fuzzy Hash: 1E312971D84346EEEB39CB36D848BF637A9AB01310F04415DE5A2C2094E7B9A684EF11

Function 00FBCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00FBCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00FBCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00FBC21E,00000000), ref: 00FBCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FBC21E,00000000), ref: 00FBCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FBC21E,00000000), ref: 00FBCFF2

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: cad41cd5a85e9b0eb13b35e20c8c170fd3a4a8eaa4def5808c0943f28b110f1f
Instruction ID: c0b6fc01cbe4487290a03453cfc6487a9eb51ae7848886044e94acdccd573d16
Opcode Fuzzy Hash: cad41cd5a85e9b0eb13b35e20c8c170fd3a4a8eaa4def5808c0943f28b110f1f
Instruction Fuzzy Hash: 11314D71A00206AFDB20DFA6C884ABBBBFAEB14351B1044AEF516D2140D730AD45EFB0

Function 00FA1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FA1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00FA19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00FA19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00FA19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00FA19E2

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e397094ff0b3015abb957fa96cb1fb0545e6676041a91d932880ac2b3e5bebd3
Instruction ID: 93f1b515079dd89fde2d016f480583b28cd85b328f56152472c3baddf9407dde
Opcode Fuzzy Hash: e397094ff0b3015abb957fa96cb1fb0545e6676041a91d932880ac2b3e5bebd3
Instruction Fuzzy Hash: AB31B3B190021DEFCB10CFA8CD59ADE3BB5FB09325F114225F925A72D1C7709954EB90

Function 00FD5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FD5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00FD579D
_wcslen.LIBCMT ref: 00FD57AF
_wcslen.LIBCMT ref: 00FD57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FD5816

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5763a3c3c1b7d731af9fbaff6aa4a945630af561166029a17d16c65944a9d398
Instruction ID: 3fd28d9a243d3c0d96dd1a737f9ce766a05a2cf8546f1b86bad9fe6c9e9967e9
Opcode Fuzzy Hash: 5763a3c3c1b7d731af9fbaff6aa4a945630af561166029a17d16c65944a9d398
Instruction Fuzzy Hash: A521A231D04618DADB20DFA4CC85AEE77BAFF05B20F148217E929EB280D7749985EF51

Function 00FC0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FC0951
GetForegroundWindow.USER32 ref: 00FC0968
GetDC.USER32(00000000), ref: 00FC09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00FC09B0
ReleaseDC.USER32(00000000,00000003), ref: 00FC09E8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 9e00da558408cd139956ae5d0843fb5a6f2531c8cd860de95314cdae8b83635c
Instruction ID: 1f1e817b426fb840501c1f85ac07aa7ccada190bcb409ba7959f805222333b63
Opcode Fuzzy Hash: 9e00da558408cd139956ae5d0843fb5a6f2531c8cd860de95314cdae8b83635c
Instruction Fuzzy Hash: CF215E35600214AFD714EF65CD85AAEBBE5EF44700F048069F84A97752CA34EC04EB90

Function 00F7CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F7CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F7CDE9

Part of subcall function 00F73820: RtlAllocateHeap.NTDLL(00000000,?,01011444,?,00F5FDF5,?,?,00F4A976,00000010,01011440,00F413FC,?,00F413C6,?,00F41129), ref: 00F73852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F7CE0F
_free.LIBCMT ref: 00F7CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F7CE31

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e036c21a6cf6090beab55bb69204c797f9848e7c6939e17cd68b2f93948cb10a
Instruction ID: 09b8d7bbc49bc202a70c2fd87aff2acb9b3080c13f4be878111d3920939e37ba
Opcode Fuzzy Hash: e036c21a6cf6090beab55bb69204c797f9848e7c6939e17cd68b2f93948cb10a
Instruction Fuzzy Hash: 9C018472A026157F272116BA6C88D7B7A6DDFC6BB1315812FF909C7201EA658D02B1F2

Function 00F59639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F59693
SelectObject.GDI32(?,00000000), ref: 00F596A2
BeginPath.GDI32(?), ref: 00F596B9
SelectObject.GDI32(?,00000000), ref: 00F596E2

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 90435018efa6e75880ddf3e0e300316dfe6f8a27d5c6c37479759729795a2f10
Instruction ID: 4cb788a48e0bf471adc7d0a6872aa79cd423513e60851324b6177fe23ce19784
Opcode Fuzzy Hash: 90435018efa6e75880ddf3e0e300316dfe6f8a27d5c6c37479759729795a2f10
Instruction Fuzzy Hash: 57219531C16306EFDB299F34DC097A97BA6BB00326F100216FA60961E4D3BD5859EF90

Function 00FA5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FA5726
_memcmp.LIBVCRUNTIME ref: 00FA5744
_memcmp.LIBVCRUNTIME ref: 00FA5757
_memcmp.LIBVCRUNTIME ref: 00FA576F
_memcmp.LIBVCRUNTIME ref: 00FA5787

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e53b1a7d86ea1316e803e1374eacd076308fbae5c00cde4a1760366fe40c3475
Instruction ID: 5919772c3d9165507e2c2e2275b3124691c6510d7a25313b8e6ade90ce18fda4
Opcode Fuzzy Hash: e53b1a7d86ea1316e803e1374eacd076308fbae5c00cde4a1760366fe40c3475
Instruction Fuzzy Hash: F401F9E2641A0DFBD21851109D42FBB734DAB62BB4F084021FD16BE341F720ED14B2A1

Function 00F72DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00F6F2DE,00F73863,01011444,?,00F5FDF5,?,?,00F4A976,00000010,01011440,00F413FC,?,00F413C6), ref: 00F72DFD
_free.LIBCMT ref: 00F72E32
_free.LIBCMT ref: 00F72E59
SetLastError.KERNEL32(00000000,00F41129), ref: 00F72E66
SetLastError.KERNEL32(00000000,00F41129), ref: 00F72E6F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 836da9d47b7ba9959f3665e8e1f88c9a69b5da0af17c40c82f9610f116e4411e
Instruction ID: 64b70eb0c449ed306835022a56d8cfb862a6f2fbf63c52ba20f1d424b38e8822
Opcode Fuzzy Hash: 836da9d47b7ba9959f3665e8e1f88c9a69b5da0af17c40c82f9610f116e4411e
Instruction Fuzzy Hash: 8F01F93250560177D65327396C45D2B366AABC5371B24C12BF96D921C6EF298C41B163

Function 00FA000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?,?,00FA035E), ref: 00FA002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?), ref: 00FA0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?), ref: 00FA0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?), ref: 00FA0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F9FF41,80070057,?,?), ref: 00FA0070

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: bc2f5200010b38f4d2533d33de1bee8ba924ae760fc21e90134e300871ff6726
Instruction ID: 4df98cbcec28dc3f3fad4f03fde4d5ff15ce20b6a160444fc74614f86c7107aa
Opcode Fuzzy Hash: bc2f5200010b38f4d2533d33de1bee8ba924ae760fc21e90134e300871ff6726
Instruction Fuzzy Hash: 86018FB2601609BFDB104F68EC04FAA7BBEEB44761F148125F905D2210DB71DD40FBA0

Function 00FAE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00FAE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00FAE9A5
Sleep.KERNEL32(00000000), ref: 00FAE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00FAE9B7
Sleep.KERNEL32 ref: 00FAE9F3

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 87b5fdf6ad4a35f5c2b6896b5369782e0f3612194f046d03862e1a6b6289c41c
Instruction ID: 82f1e20f8d9bfe96c9a31615443832e1fe602270ae29a32534fe538ef8196caf
Opcode Fuzzy Hash: 87b5fdf6ad4a35f5c2b6896b5369782e0f3612194f046d03862e1a6b6289c41c
Instruction Fuzzy Hash: 09015771C0262EDBCF00ABF5DC49AEEBB79BF0E311F000546E502B2241CB309550EBA1

Function 00FA10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FA0B9B,?,?,?), ref: 00FA1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA114D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ee762e25340f7fa357034d0a825f13517399269d263f04369be2c4d889bc1f92
Instruction ID: 75ac2c51fa3dadebf21084d601c20ba49552c04d13c9cbd77bce39410b903e14
Opcode Fuzzy Hash: ee762e25340f7fa357034d0a825f13517399269d263f04369be2c4d889bc1f92
Instruction Fuzzy Hash: 49016D7550121ABFDB114F65DC49A6A3B6EFF86374B110415FA45C3360DA31DC00EAA0

Function 00FA0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FA0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FA0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FA0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FA0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FA1002

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 65d6febbbd34acacd00147774d3e15f540c9c709e17a568b8ae0a684ea026a5e
Instruction ID: 459e2ef554686e596fa33ed941259face21b627db8f63868130dd36009441889
Opcode Fuzzy Hash: 65d6febbbd34acacd00147774d3e15f540c9c709e17a568b8ae0a684ea026a5e
Instruction Fuzzy Hash: 00F0A97520131AEBDB210FB59C4DF563BAEFF8A762F114416FA49C6291CA30DC40EAA0

Function 00FA1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FA102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1062

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f51192bb858ee6f94c2a443c1b49afcadf8fb09e6dd3a3b704dfdf4f45a54db8
Instruction ID: 9398a725e4b21fac3b0c01b130f80502e52045b3548b95f27c770c0004a4110f
Opcode Fuzzy Hash: f51192bb858ee6f94c2a443c1b49afcadf8fb09e6dd3a3b704dfdf4f45a54db8
Instruction Fuzzy Hash: 0EF0CD7520131AEBDB211FB5EC4CF563BAEFF8A761F114416FA45C7290CA70D840EAA0

Function 00FB030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00FB017D,?,00FB32FC,?,00000001,00F82592,?), ref: 00FB0324
CloseHandle.KERNEL32(?,?,?,?,00FB017D,?,00FB32FC,?,00000001,00F82592,?), ref: 00FB0331
CloseHandle.KERNEL32(?,?,?,?,00FB017D,?,00FB32FC,?,00000001,00F82592,?), ref: 00FB033E
CloseHandle.KERNEL32(?,?,?,?,00FB017D,?,00FB32FC,?,00000001,00F82592,?), ref: 00FB034B
CloseHandle.KERNEL32(?,?,?,?,00FB017D,?,00FB32FC,?,00000001,00F82592,?), ref: 00FB0358
CloseHandle.KERNEL32(?,?,?,?,00FB017D,?,00FB32FC,?,00000001,00F82592,?), ref: 00FB0365

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 47556a8275a4acb740a206071221734f91a604b925333a9cc98e9e7cdda3ccca
Instruction ID: 3ffec99fe3ed25faec96e067f08414e3abe353d234e51e498245f55bff34eb19
Opcode Fuzzy Hash: 47556a8275a4acb740a206071221734f91a604b925333a9cc98e9e7cdda3ccca
Instruction Fuzzy Hash: CB01A272801B159FC730AF66D890457F7F5BF503253198A3FD19652931CB71A954EF80

Function 00F7D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F7D752

Part of subcall function 00F729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000), ref: 00F729DE
Part of subcall function 00F729C8: GetLastError.KERNEL32(00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000,00000000), ref: 00F729F0

_free.LIBCMT ref: 00F7D764
_free.LIBCMT ref: 00F7D776
_free.LIBCMT ref: 00F7D788
_free.LIBCMT ref: 00F7D79A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ff97ceb1c79c382ed8f096ef67138512558bdaeaa1916e2fb907988ab13db04c
Instruction ID: 5193733973461c0909bb089f75f8368653853ec5a887681f201b73c133efe1c9
Opcode Fuzzy Hash: ff97ceb1c79c382ed8f096ef67138512558bdaeaa1916e2fb907988ab13db04c
Instruction Fuzzy Hash: 48F031329002046B8669EB68FAC5C1677FDBF44330FD8880AF14CE7505C729FC816766

Function 00FA5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FA5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FA5C6F
MessageBeep.USER32(00000000), ref: 00FA5C87
KillTimer.USER32(?,0000040A), ref: 00FA5CA3
EndDialog.USER32(?,00000001), ref: 00FA5CBD

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 225eab1076b9832c59756b889aecf8c8ae0ead7038198d0fd6c7d38db23da82a
Instruction ID: f39954bf7c3da5390212cc7d226914639bdb4bbb0f9e2e9a188dc130298f8030
Opcode Fuzzy Hash: 225eab1076b9832c59756b889aecf8c8ae0ead7038198d0fd6c7d38db23da82a
Instruction Fuzzy Hash: CE01DB715007049BEB205B30ED4EF9677B9FB01F15F00025AA543A10E1D7F4A944EA90

Function 00F722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F722BE

Part of subcall function 00F729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000), ref: 00F729DE
Part of subcall function 00F729C8: GetLastError.KERNEL32(00000000,?,00F7D7D1,00000000,00000000,00000000,00000000,?,00F7D7F8,00000000,00000007,00000000,?,00F7DBF5,00000000,00000000), ref: 00F729F0

_free.LIBCMT ref: 00F722D0
_free.LIBCMT ref: 00F722E3
_free.LIBCMT ref: 00F722F4
_free.LIBCMT ref: 00F72305

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b1b7b9b0939683de59835d79ef961ab54cb7c7e47c3b8a0cf1b27b6c3183b84d
Instruction ID: 997299f20f20c1bd7dc5e79f5d142ca15cfc6e31c0105941a539251c34515b6b
Opcode Fuzzy Hash: b1b7b9b0939683de59835d79ef961ab54cb7c7e47c3b8a0cf1b27b6c3183b84d
Instruction Fuzzy Hash: B6F030B08011108B9667AF78F8028487B74B718760F05464BF5D8D22ADC73E0591BBA6

Function 00F595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F595D4
StrokeAndFillPath.GDI32(?,?,00F971F7,00000000,?,?,?), ref: 00F595F0
SelectObject.GDI32(?,00000000), ref: 00F59603
DeleteObject.GDI32 ref: 00F59616
StrokePath.GDI32(?), ref: 00F59631

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 27f6ecfde111feb6ea99ab741072c8275a8bd4ee546481a83ffb2d7ad45a371a
Instruction ID: 1e44e754196e959efff1c6c6f71b33e92dadd93d441fb3562be9ebf3171154b6
Opcode Fuzzy Hash: 27f6ecfde111feb6ea99ab741072c8275a8bd4ee546481a83ffb2d7ad45a371a
Instruction Fuzzy Hash: B1F0313140A209DBDB2A5F75ED0C7643B63AB00332F048215FAA5550F4C7798559EF60

Function 00F70F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00F710F9
__freea.LIBCMT ref: 00F71117

Part of subcall function 00F71537: _free.LIBCMT ref: 00F7154F

Strings

am/pm, xrefs: 00F7117A
a/p, xrefs: 00F711DE

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 427719f160c2c41d996b0810c0bb368a49d2747d9bbc240cd2a844dc901ae92b
Instruction ID: 7ed07ae6fd2a515472748e7176682fa97e122b745938d7c3cc3fd723e8f1af13
Opcode Fuzzy Hash: 427719f160c2c41d996b0810c0bb368a49d2747d9bbc240cd2a844dc901ae92b
Instruction Fuzzy Hash: D6D1F232D00205DADB649F6CC895BFAB7B5FF05320F28811BE509AB641D3759D88EB53

Function 00FC7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00F60242: EnterCriticalSection.KERNEL32(0101070C,01011884,?,?,00F5198B,01012518,?,?,?,00F412F9,00000000), ref: 00F6024D
Part of subcall function 00F60242: LeaveCriticalSection.KERNEL32(0101070C,?,00F5198B,01012518,?,?,?,00F412F9,00000000), ref: 00F6028A

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00F600A3: __onexit.LIBCMT ref: 00F600A9

__Init_thread_footer.LIBCMT ref: 00FC7BFB

Part of subcall function 00F601F8: EnterCriticalSection.KERNEL32(0101070C,?,?,00F58747,01012514), ref: 00F60202
Part of subcall function 00F601F8: LeaveCriticalSection.KERNEL32(0101070C,?,00F58747,01012514), ref: 00F60235

Strings

5, xrefs: 00FC7C78
G, xrefs: 00FC7C7F
Variable must be of type 'Object'., xrefs: 00FC7C3A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: ac29377070b9d23445bea3db81f993ea651aca70fb74de969a8fcf497481d0f5
Instruction ID: a03d63ffdd35aad9a1e2ada7563b59a27d7095cb3b7620a59483c50e0a82b5fa
Opcode Fuzzy Hash: ac29377070b9d23445bea3db81f993ea651aca70fb74de969a8fcf497481d0f5
Instruction Fuzzy Hash: 20918E71A0420AAFCB14EF54DA92EADB7B1FF44310F14805DF8469B292DB35AE41EF51

Function 00FA2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FAB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FA21D0,?,?,00000034,00000800,?,00000034), ref: 00FAB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FA2760

Part of subcall function 00FAB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FA21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00FAB3F8

Part of subcall function 00FAB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00FAB355
Part of subcall function 00FAB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FA2194,00000034,?,?,00001004,00000000,00000000), ref: 00FAB365
Part of subcall function 00FAB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FA2194,00000034,?,?,00001004,00000000,00000000), ref: 00FAB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FA27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FA281A

Strings

@, xrefs: 00FA2832

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 249559e9f6f1d77ca0abb0e4f95d0381bbaf215dff18aa43caa8a86ac6fe059f
Instruction ID: f296e138ce1a00c910168fa03c3a422b2d1cc06c5d5a78a993f4adc4c97e8843
Opcode Fuzzy Hash: 249559e9f6f1d77ca0abb0e4f95d0381bbaf215dff18aa43caa8a86ac6fe059f
Instruction Fuzzy Hash: 2F411CB2A00218AFDB10DFA4CD45AEEBBB8EF0A710F104055FA55B7181DB746F45DBA1

Function 00F7172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe,00000104), ref: 00F71769
_free.LIBCMT ref: 00F71834
_free.LIBCMT ref: 00F7183E

Strings

C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe, xrefs: 00F71760, 00F71767, 00F71796, 00F717CE

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\eFatura_HSY2024000004086_Ekleri.exe
API String ID: 2506810119-3464423408
Opcode ID: 5d5e99db6c78e83ce05d0dbfcc7a03f4dfa904258819ecb3eea6a2342864a8a3
Instruction ID: f57e8d70cf5711c1fec551a5378ec932665dfd0e5b107c38a58ee75bb52c2dcc
Opcode Fuzzy Hash: 5d5e99db6c78e83ce05d0dbfcc7a03f4dfa904258819ecb3eea6a2342864a8a3
Instruction Fuzzy Hash: B7318171E00218ABDB25DFADDC81D9EBBBCFB85320B148167F90897201D6748A45EB92

Function 00FAC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FAC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00FAC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01011990,017C57A8), ref: 00FAC395

Strings

0, xrefs: 00FAC2DF

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b9c270536c2a72776f606b1f6d3edaa7da9798903ae87935067ccfbdac3300d4
Instruction ID: b0ce36ca7edb05870b2dfe8ada5c1ba69093c232d3e2261d53581953ba3f9946
Opcode Fuzzy Hash: b9c270536c2a72776f606b1f6d3edaa7da9798903ae87935067ccfbdac3300d4
Instruction Fuzzy Hash: AA41C3B16083019FDB20DF25DC44B1ABBE8AF86320F04861DF9A5972D1D774E904EBA2

Function 00FD4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FDCC08,00000000,?,?,?,?), ref: 00FD44AA
GetWindowLongW.USER32 ref: 00FD44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD44D7

Strings

SysTreeView32, xrefs: 00FD447C

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 59f82aa011bcb18e23ea14bfabf670f54dea035c67d99bf02e6ef11b8cdbf749
Instruction ID: bee2b1e564c7711daa338eeaaa1a227043615186030747b0d1f8296cd17f385a
Opcode Fuzzy Hash: 59f82aa011bcb18e23ea14bfabf670f54dea035c67d99bf02e6ef11b8cdbf749
Instruction Fuzzy Hash: E5319E31610205AFDF259E38DC45BEA7BAAEB09334F284716FD79922D0D774EC90AB50

Function 00FC304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FC3077,?,?), ref: 00FC3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FC307A
_wcslen.LIBCMT ref: 00FC309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00FC3106

Strings

255.255.255.255, xrefs: 00FC3095, 00FC309A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 8728de1b6e000609b0f101be897e03adff597788f26d61a8d153030319a59d03
Instruction ID: 8d32cf167f352eb274460f5798e2a00e20847e6e6a0a7e06335f4d38cebdaef3
Opcode Fuzzy Hash: 8728de1b6e000609b0f101be897e03adff597788f26d61a8d153030319a59d03
Instruction Fuzzy Hash: 1931E936A042069FC710CF28CA86F6A77E1EF54368F18C05DE9168B392D776DE41E761

Function 00FD3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FD3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FD3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FD3F78

Strings

SysMonthCal32, xrefs: 00FD3F0B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 7e31ae669a8cec873b3e481a5db914ac8e9549e769758e312d2b8cf6989210db
Instruction ID: ac96a588fe2b39502332312a48fbe2250e76cf952d25b7b38998ce2f6f3899d9
Opcode Fuzzy Hash: 7e31ae669a8cec873b3e481a5db914ac8e9549e769758e312d2b8cf6989210db
Instruction Fuzzy Hash: AA21AD32A00219BBDF258F60CC46FEA3B76EB48724F150215FA55AB2C0D6B5AC50EB90

Function 00FD4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FD4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FD4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FD471A

Strings

msctls_updown32, xrefs: 00FD4684

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6235d77e0b218cd231aa298fee5c92d856fe214fb675bda7d4527114fc9ec3d0
Instruction ID: df61df5fc433ea10179ecf722eb67c02a12bd34acf324414ed47bbac4c79ba3a
Opcode Fuzzy Hash: 6235d77e0b218cd231aa298fee5c92d856fe214fb675bda7d4527114fc9ec3d0
Instruction Fuzzy Hash: 21214CB5600209AFDB10DF64DCC1DA637AEEB4A3A4B04005AFA109B351CB35FC11EB60

Function 00FA95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA961D

Strings

#notrayicon, xrefs: 00FA95B7
#OnAutoItStartRegister, xrefs: 00FA95F3
#requireadmin, xrefs: 00FA95D9

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: ff3eaccda840356ecee1788492aacd938f51e1785cd91dfc47188d67228c793b
Instruction ID: d911c297265cc2ba3c05ff555b260228b89914431d9eee6b4399bf1ac62ab601
Opcode Fuzzy Hash: ff3eaccda840356ecee1788492aacd938f51e1785cd91dfc47188d67228c793b
Instruction Fuzzy Hash: EF216BB29082116AD331BA24DC02FB773DC9F92310F04443AF94997241EBD59D45F291

Function 00FD37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FD3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FD3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FD3876

Strings

Listbox, xrefs: 00FD380F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ba37e6b368ab8bc2207181d3cb8c8b209c5705a52ea74fcbfe1e523dedbf80c5
Instruction ID: 22621c4fcdd0230efab087a774b77a83ceeeb8ceb7e49646b9757b9ea2c1c55b
Opcode Fuzzy Hash: ba37e6b368ab8bc2207181d3cb8c8b209c5705a52ea74fcbfe1e523dedbf80c5
Instruction Fuzzy Hash: 7621C272A10119BBEF218F64CC45FBB376FEF89760F148115FA449B290C676DC52A7A0

Function 00FB49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FB4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FB4A5C
SetErrorMode.KERNEL32(00000000,?,?,00FDCC08), ref: 00FB4AD0

Strings

%lu, xrefs: 00FB4A6F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4b497a0f76fed4978a7ea4faa658f0ffca953484182e5603b702cfd1d66ed35f
Instruction ID: 1cae62c546629df4175582d690366c09f9dfcbbfc966c9bf2030feb88dcbc9f0
Opcode Fuzzy Hash: 4b497a0f76fed4978a7ea4faa658f0ffca953484182e5603b702cfd1d66ed35f
Instruction Fuzzy Hash: EF318071A00109AFD710DF64C985EAE7BF8EF04308F144095E905DB252D775ED46DBA1

Function 00FD41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FD424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FD4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FD4271

Strings

msctls_trackbar32, xrefs: 00FD4226

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c76ef6b7d323d5a2f7210f1d62a581f4d8b671c65aa3025440b184e64525f496
Instruction ID: ef6fec3100511124960a034aa7c74051b76e87872ad1332da76dacd7f3d1981e
Opcode Fuzzy Hash: c76ef6b7d323d5a2f7210f1d62a581f4d8b671c65aa3025440b184e64525f496
Instruction Fuzzy Hash: 58110232640248BFEF215F39CC06FAB3BADEF95B64F150125FA95E6190D671EC11AB20

Function 00FA2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

Part of subcall function 00FA2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FA2DC5
Part of subcall function 00FA2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA2DD6
Part of subcall function 00FA2DA7: GetCurrentThreadId.KERNEL32 ref: 00FA2DDD
Part of subcall function 00FA2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FA2DE4

GetFocus.USER32 ref: 00FA2F78

Part of subcall function 00FA2DEE: GetParent.USER32(00000000), ref: 00FA2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00FA2FC3
EnumChildWindows.USER32(?,00FA303B), ref: 00FA2FEB

Strings

%s%d, xrefs: 00FA2FFF

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: b913a80a503a6d8e022a6938abca24e613f85a9d31b74bab4e437423f681fe2a
Instruction ID: 44bf4f2a382c6f6c322208bc9353be49da053d55e3bf7bd7a319cb7ade1fd1a4
Opcode Fuzzy Hash: b913a80a503a6d8e022a6938abca24e613f85a9d31b74bab4e437423f681fe2a
Instruction Fuzzy Hash: ED1190B17002096BDF546F748C85EEE376AAF85308F048075BD099B292DE349949EB61

Function 00FD5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FD58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FD58EE
DrawMenuBar.USER32(?), ref: 00FD58FD

Strings

0, xrefs: 00FD588F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 495c81cdebdc1fbd4cbe87f7b6b41cfc26b9c54e5b63b9fd42b1d2ef871d5088
Instruction ID: c11fd843100888cbef5bfb586770b8a9ab846c1376d4f7ad55a8c33969976cf0
Opcode Fuzzy Hash: 495c81cdebdc1fbd4cbe87f7b6b41cfc26b9c54e5b63b9fd42b1d2ef871d5088
Instruction Fuzzy Hash: 2D01C431900208EFDB109F11DC45BAEBBB6FF45761F08809AE848D6251DB308A89FF21

Function 00F9D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F9D3BF
FreeLibrary.KERNEL32 ref: 00F9D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00F9D3B9
X64, xrefs: 00F9D2A8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: b5f54e65d4e2c7495cb6411dd5bf1c696e6d3711f2112cbd97268cce5816d568
Instruction ID: beef8661986d27180d476ee30d7a8afcc0f5bc1d14ce568a9671bfc6934589a4
Opcode Fuzzy Hash: b5f54e65d4e2c7495cb6411dd5bf1c696e6d3711f2112cbd97268cce5816d568
Instruction Fuzzy Hash: 48F0E573C026229BFF7917308C58E693315AF10746BB9815AFA42E6149DB60CD44F6D2

Function 00FA007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47938c7854f96ace8e3396e5ba9d8834a9884665305cbee0cf6662ab04e48b26
Instruction ID: a202a09bb43b336e083d3c71f6a92eacf96c99cf663ce63073f3fb23e61d831f
Opcode Fuzzy Hash: 47938c7854f96ace8e3396e5ba9d8834a9884665305cbee0cf6662ab04e48b26
Instruction Fuzzy Hash: 18C15BB5A0020AEFDB14CFA4D894BAEB7B5FF49314F208598E505EB251DB31ED41EB90

Function 00FC342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FC3459
CoUninitialize.OLE32 ref: 00FC3463
VariantInit.OLEAUT32(?), ref: 00FC346E
VariantClear.OLEAUT32(?), ref: 00FC371B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 8ecdbcae4980d92d0bfcb8e8b3b4ae95da6829a7273d580bcb55adf1723abb6a
Instruction ID: 84ab8b0b83401bf2cef9be895a299dc0c15852f71ac9970e7a2c5512dab280bb
Opcode Fuzzy Hash: 8ecdbcae4980d92d0bfcb8e8b3b4ae95da6829a7273d580bcb55adf1723abb6a
Instruction Fuzzy Hash: 81A12B756043119FC700EF24C985E1ABBE5EF88764F08885DF9899B362DB34ED05EB91

Function 00FA0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FDFC08,?), ref: 00FA05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FDFC08,?), ref: 00FA0608
CLSIDFromProgID.OLE32(?,?,00000000,00FDCC40,000000FF,?,00000000,00000800,00000000,?,00FDFC08,?), ref: 00FA062D
_memcmp.LIBVCRUNTIME ref: 00FA064E

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 5654eca9994ad00b68148e8aeacdc525c5121eacb4bb419ca6d7db893351cc7c
Instruction ID: b71e00f49d4c400d148bfaa1068a7ea1c8644e61c17399a6f502e3d8b2a6de25
Opcode Fuzzy Hash: 5654eca9994ad00b68148e8aeacdc525c5121eacb4bb419ca6d7db893351cc7c
Instruction Fuzzy Hash: 968129B5E00109EFCB04DF94C988EEEB7B9FF89315F244558E506AB250DB71AE06DB60

Function 00F81391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F814C0

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bdb30b141710393227c4b4899fdfdfe6d7cec5720bb68833dd69dd259818cc59
Instruction ID: 297f5b3f6228d8a86e9e4c38ebe2187410dd3a6ff12de89b801c42d596960848
Opcode Fuzzy Hash: bdb30b141710393227c4b4899fdfdfe6d7cec5720bb68833dd69dd259818cc59
Instruction Fuzzy Hash: A9411931E00100ABDB21FBB99C45AFE3BADFF46370F144326F419D6192E67848527762

Function 00FD6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(017CE980,?), ref: 00FD62E2
ScreenToClient.USER32(?,?), ref: 00FD6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FD6382

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: dbcd4fc136b91e58c5df5c4a72d06345f6339cb1041b367169eb1f449f60edee
Instruction ID: ddf506078ec7f52f921e65d73f10535f5640902a484621034d0f897e5484df8c
Opcode Fuzzy Hash: dbcd4fc136b91e58c5df5c4a72d06345f6339cb1041b367169eb1f449f60edee
Instruction Fuzzy Hash: 56514A74A00209AFCF24DF68D8809AE7BB6FB55360F14825AF925DB390D731ED41EB90

Function 00FC1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00FC1AFD
WSAGetLastError.WSOCK32 ref: 00FC1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FC1B8A
WSAGetLastError.WSOCK32 ref: 00FC1B94

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: d4226d67b9722bbea110c218ddd8c2d4a2518ab423406d28965c23d96cecfc87
Instruction ID: 1d2251ec97830d12e5ac6103507b940f222a5487a3b10308209338e23dd2f035
Opcode Fuzzy Hash: d4226d67b9722bbea110c218ddd8c2d4a2518ab423406d28965c23d96cecfc87
Instruction Fuzzy Hash: DA419034A00201AFE720AF24C886F257BE5AB85718F54844CFA1A9F3D3D776DD41DB90

Function 00F7B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e3894e18d69eeb7677d02635c25d8be07af6da16ed91648038983d8df1badd
Instruction ID: 3c716350610cbe1aafe40e1718c687bddce826e28dd484a802a322eef6ede8a6
Opcode Fuzzy Hash: 05e3894e18d69eeb7677d02635c25d8be07af6da16ed91648038983d8df1badd
Instruction Fuzzy Hash: 44411B71A00304BFD724DF38CC41BAA7BF9EB85720F10862BF549DB282D775A9019791

Function 00FB56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FB5783
GetLastError.KERNEL32(?,00000000), ref: 00FB57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FB57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FB57FA

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1c7e254af290cf3477677eabb3f90b02830915db1ec8d570f358a13c9fb0702d
Instruction ID: 088761c57d9ee95af85e47cc651e56ed4e5c2eeb00797e648d37de79a0941463
Opcode Fuzzy Hash: 1c7e254af290cf3477677eabb3f90b02830915db1ec8d570f358a13c9fb0702d
Instruction Fuzzy Hash: 7A41FA35600615DFCB11EF15C944A59BBE2EF49720B198888EC4A9F366CB39FD40EB91

Function 00F7D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F66D71,00000000,00000000,00F682D9,?,00F682D9,?,00000001,00F66D71,8BE85006,00000001,00F682D9,00F682D9), ref: 00F7D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F7D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F7D9AB
__freea.LIBCMT ref: 00F7D9B4

Part of subcall function 00F73820: RtlAllocateHeap.NTDLL(00000000,?,01011444,?,00F5FDF5,?,?,00F4A976,00000010,01011440,00F413FC,?,00F413C6,?,00F41129), ref: 00F73852

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 5c9f55c684b1fcad8cd88aa5579d257a35577363228d75ce20d024de04a8a64d
Instruction ID: 38fdbd8f1de8329efde17dfc2df7663d51e5898dba0853ab56e513d2a7201f58
Opcode Fuzzy Hash: 5c9f55c684b1fcad8cd88aa5579d257a35577363228d75ce20d024de04a8a64d
Instruction Fuzzy Hash: 1C31C072A0021AABDB259F64DC41EAE7BB5EF40320F15826AFD08D6150EB39DD50EB91

Function 00FD52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00FD5352
GetWindowLongW.USER32(?,000000F0), ref: 00FD5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FD53A8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 32bd63780c70773293d01cb28122231cb028ced1a600f6870c6a7af470556189
Instruction ID: 672b26d23204f95c4a1227bdd1896c05f3516f17851197de81b3b52c1ab4a23d
Opcode Fuzzy Hash: 32bd63780c70773293d01cb28122231cb028ced1a600f6870c6a7af470556189
Instruction Fuzzy Hash: 0B31C035E55A0CEFEB349A64CC06BE87767AB04BA0F5C4103FA50963E1C7B59990FB81

Function 00FAAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00FAABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FAAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FAAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00FAACC6

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d8a761bcad70cff88e1f1c14a2c1fa92849908bc4fc03200a3d46d0aaa882ebd
Instruction ID: 63333c286218b2c178c1c551cf15a5cec6751d38e2094a310d7262bf9222abff
Opcode Fuzzy Hash: d8a761bcad70cff88e1f1c14a2c1fa92849908bc4fc03200a3d46d0aaa882ebd
Instruction Fuzzy Hash: F931F8B0E446186FFF258B658C047FA7BA6AB46330F04431AE485921D1D379C989F792

Function 00FD7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FD769A
GetWindowRect.USER32(?,?), ref: 00FD7710
PtInRect.USER32(?,?,00FD8B89), ref: 00FD7720
MessageBeep.USER32(00000000), ref: 00FD778C

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 03f8ecb84f53bea525ef1ecef8d12c151cd44ca137a380dcec00f746b1e7dab1
Instruction ID: c52eb56497e3b77ee32c57fa9e6df1fbb8e53d875b5ed16e25c141fb1f229f73
Opcode Fuzzy Hash: 03f8ecb84f53bea525ef1ecef8d12c151cd44ca137a380dcec00f746b1e7dab1
Instruction Fuzzy Hash: 6641B134A093159FCB11EF68C884EA9BBF2BB48310F1844AAE5648F350E335E941EB90

Function 00FD16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FD16EB

Part of subcall function 00FA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA3A57
Part of subcall function 00FA3A3D: GetCurrentThreadId.KERNEL32 ref: 00FA3A5E
Part of subcall function 00FA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FA25B3), ref: 00FA3A65

GetCaretPos.USER32(?), ref: 00FD16FF
ClientToScreen.USER32(00000000,?), ref: 00FD174C
GetForegroundWindow.USER32 ref: 00FD1752

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a6db3f6cef213972a696f5d85d626b4b8c14d5110b39bea00c372dc8f9e64bb7
Instruction ID: 394b424a02523cb1767b17967ec7da8edec6885450c0af85b41e902bf55e00b9
Opcode Fuzzy Hash: a6db3f6cef213972a696f5d85d626b4b8c14d5110b39bea00c372dc8f9e64bb7
Instruction Fuzzy Hash: 3F316F75D01249AFC700EFA9C881CAEBBF9EF49304B5480AAE815E7211D735DE45DBA0

Function 00FAD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FAD501
Process32FirstW.KERNEL32(00000000,?), ref: 00FAD50F
Process32NextW.KERNEL32(00000000,?), ref: 00FAD52F
CloseHandle.KERNEL32(00000000), ref: 00FAD5DC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 8de7854e38719646c838f03af911faa3b6648524d8745abb3e9c20541ee14be0
Instruction ID: 86dbe5d7dffcf6ca3a39c837b911d9ab6062e2c53c4fe6632e02137b5aef909c
Opcode Fuzzy Hash: 8de7854e38719646c838f03af911faa3b6648524d8745abb3e9c20541ee14be0
Instruction Fuzzy Hash: 4931A4725083019FD301EF64CC85AAFBFF8EF99354F54052DF582861A2EB719944EB92

Function 00FD8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

GetCursorPos.USER32(?), ref: 00FD9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F97711,?,?,?,?,?), ref: 00FD9016
GetCursorPos.USER32(?), ref: 00FD905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F97711,?,?,?), ref: 00FD9094

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5d5caefb78e39c8b7710c898a322c4d73e0b9de5ea61debf0ab42d553ba8602b
Instruction ID: a3247601bafc98e3283cb717fed0028c504e39e2b8b7030e1ba302b7fd754afd
Opcode Fuzzy Hash: 5d5caefb78e39c8b7710c898a322c4d73e0b9de5ea61debf0ab42d553ba8602b
Instruction Fuzzy Hash: F321B131604018FFCB259FB4D848EEA3BBAEF49360F088156FA0587261C3759950EB60

Function 00FAD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FDCB68), ref: 00FAD2FB
GetLastError.KERNEL32 ref: 00FAD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FAD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FDCB68), ref: 00FAD376

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: d1afe9434461d4a39fc03314483b8c11cbc87db72f42ebdf773d530dfec56241
Instruction ID: 08d1478f509f86d0cecfe0646bd2dd6ab8e87de3230724c472e640860c713ef6
Opcode Fuzzy Hash: d1afe9434461d4a39fc03314483b8c11cbc87db72f42ebdf773d530dfec56241
Instruction Fuzzy Hash: 3321A3B49093029F8B00DF28C88146EBBE4EF57364F504A1EF49AC72A1D731D945EB93

Function 00FA1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FA102A
Part of subcall function 00FA1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1036
Part of subcall function 00FA1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1045
Part of subcall function 00FA1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA104C
Part of subcall function 00FA1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FA15BE
_memcmp.LIBVCRUNTIME ref: 00FA15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA1617
HeapFree.KERNEL32(00000000), ref: 00FA161E

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3251927d878f16885badb14843d4a5e96a8612b8a91b087eadaa1cc219bea98d
Instruction ID: 46854b8fba13507ac5c1c9cd4871cadf573d1dd157b478f49311680218dd1d09
Opcode Fuzzy Hash: 3251927d878f16885badb14843d4a5e96a8612b8a91b087eadaa1cc219bea98d
Instruction Fuzzy Hash: A7218CB1E41109EFDF10DFA4C945BEEB7B9FF45354F0A4459E441AB241E730AA05EBA0

Function 00FD2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00FD280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FD2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FD2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FD2840

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 7dfc94f680de50d4eee98bccd614a662dd97a4ec97effe35c6768ed63924cb1b
Instruction ID: 2fb946dfc0bfd8ca4c4e67832736ea9d39e828629beac4c71466dfb616729b4c
Opcode Fuzzy Hash: 7dfc94f680de50d4eee98bccd614a662dd97a4ec97effe35c6768ed63924cb1b
Instruction Fuzzy Hash: 3721F131605111AFD7549B24CC44FAA7B96EF55324F18825AF8268B3E2CB79FC42EBD0

Function 00FA78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00FA790A,?,000000FF,?,00FA8754,00000000,?,0000001C,?,?), ref: 00FA8D8C
Part of subcall function 00FA8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00FA8DB2
Part of subcall function 00FA8D7D: lstrcmpiW.KERNEL32(00000000,?,00FA790A,?,000000FF,?,00FA8754,00000000,?,0000001C,?,?), ref: 00FA8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00FA8754,00000000,?,0000001C,?,?,00000000), ref: 00FA7923
lstrcpyW.KERNEL32(00000000,?), ref: 00FA7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FA8754,00000000,?,0000001C,?,?,00000000), ref: 00FA7984

Strings

cdecl, xrefs: 00FA797B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 0067ce7312d220c8b106436023be98fc0354591e568cbf8cd31b51bdb84b85bc
Instruction ID: 4838c5cf434de1afa39ee4c30b6f126faff4ebcf305f86262e658b11fe092118
Opcode Fuzzy Hash: 0067ce7312d220c8b106436023be98fc0354591e568cbf8cd31b51bdb84b85bc
Instruction Fuzzy Hash: CF11067A201302ABDB15AF34CC45E7B77AAFF4A390B00402BF942C7264EB319812E791

Function 00FD7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00FD7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FD7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FD7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FBB7AD,00000000), ref: 00FD7D6B

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 0e794c59d924480bc0e340c76f7557cf521dc094cc54d43590411721ae2c4e9a
Instruction ID: 963442dc14e614095becd1271c34d566b90aa38ce21f156861e2e2fc1777cf46
Opcode Fuzzy Hash: 0e794c59d924480bc0e340c76f7557cf521dc094cc54d43590411721ae2c4e9a
Instruction Fuzzy Hash: B211D232605715AFCB10AF38CC04A663BA7AF45370B194326F93ADB2E0E7358910EB80

Function 00FD5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00FD56BB
_wcslen.LIBCMT ref: 00FD56CD
_wcslen.LIBCMT ref: 00FD56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FD5816

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: de823a2d4a07865f00401333b51eb7493eae8980a4eaff5e9403402942615ba0
Instruction ID: d3376e18a5b2d6d43e5fbf99643563121049c50388b6e457c67f16bee21a3fd2
Opcode Fuzzy Hash: de823a2d4a07865f00401333b51eb7493eae8980a4eaff5e9403402942615ba0
Instruction Fuzzy Hash: 95110672A0060896DF20DF75CC81AEE376DEF11B70B18402BF915D6281EB74C980EF61

Function 00F71D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077f6773413f569c5d4d91f19f419bec57af4262d5f44e47df00b87974ca3f9a
Instruction ID: 892dc209b460ec2241f6fcae6c2f0b0863d1c673442d3631ec919c3f6d697721
Opcode Fuzzy Hash: 077f6773413f569c5d4d91f19f419bec57af4262d5f44e47df00b87974ca3f9a
Instruction Fuzzy Hash: 9501DFB260561A3EFA21267C6CC1F27772DEF453B8F348327F528A21C2DB648C487562

Function 00FA1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FA1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA1A8A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 934709058d0915dba859399f7aa06c3ed626b23dff79877690b3d2259c9d1c1f
Instruction ID: f9621ef2c6d05a8931c646427c3e5c2ae99d42da08f7330b3672e3c0ea8f8f60
Opcode Fuzzy Hash: 934709058d0915dba859399f7aa06c3ed626b23dff79877690b3d2259c9d1c1f
Instruction Fuzzy Hash: F3113C7AD01219FFEB10DBA4CD85FADBB78FB04750F210091E604B7290D6716E50EB94

Function 00FAE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FAE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00FAE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FAE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FAE24D

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 9c08cc3c70ebdc4a747aa73dce2a79bce8d2a256a4f740266ae551438d89f986
Instruction ID: d22446dcd13b10727a1652b8cb7087b68e86a18d3f78a7ee850eab70110642a0
Opcode Fuzzy Hash: 9c08cc3c70ebdc4a747aa73dce2a79bce8d2a256a4f740266ae551438d89f986
Instruction Fuzzy Hash: 1E1108B2D0425DBBC7159FB8DC09B9E7FADDB46324F008216F914D3284D2B9C90097A0

Function 00F6D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00F6CFF9,00000000,00000004,00000000), ref: 00F6D218
GetLastError.KERNEL32 ref: 00F6D224
__dosmaperr.LIBCMT ref: 00F6D22B
ResumeThread.KERNEL32(00000000), ref: 00F6D249

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 851286881f1166c188f154c37f39f0ba7c4f57fd6d718c89a0a739b50af300ed
Instruction ID: 535e1a9763deb82eec6d37dbe9ffd9b0bcf65aed50b809f5a20289a2a9e06872
Opcode Fuzzy Hash: 851286881f1166c188f154c37f39f0ba7c4f57fd6d718c89a0a739b50af300ed
Instruction Fuzzy Hash: 8A01D236E05208BBDB116BA5DC09BAA7B69EF82330F104219F925921D0CB71C941E7A1

Function 00FD9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00F59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59BB2

GetClientRect.USER32(?,?), ref: 00FD9F31
GetCursorPos.USER32(?), ref: 00FD9F3B
ScreenToClient.USER32(?,?), ref: 00FD9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00FD9F7A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7483894a7fdae465efb8d639f01da33153d17b4f4951cc5dbc931e9d1a72eef9
Instruction ID: d8c88dd38667004137be9136add2b87416190e78e50ed22179c550d8012973ba
Opcode Fuzzy Hash: 7483894a7fdae465efb8d639f01da33153d17b4f4951cc5dbc931e9d1a72eef9
Instruction Fuzzy Hash: E5115A3290411ABBDB14DFA8D8499EE77BEFF45311F440552F911E3240D374BA81EBA1

Function 00F4600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F4604C
GetStockObject.GDI32(00000011), ref: 00F46060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F4606A

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f37ef73f829010dcaa859c826cd2834b915f9838691cfd12d4f83d330fe9d26b
Instruction ID: 2bee0e9f37d5d1c353083a27f04fdf1f41b6e837a5610023e067b3a744b2f5c0
Opcode Fuzzy Hash: f37ef73f829010dcaa859c826cd2834b915f9838691cfd12d4f83d330fe9d26b
Instruction Fuzzy Hash: D4115E72502509BFEF125FA89C44AEABF6AEF09365F040216FE1492110D736DC60EB91

Function 00F63B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00F63B56

Part of subcall function 00F63AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F63AD2
Part of subcall function 00F63AA3: ___AdjustPointer.LIBCMT ref: 00F63AED

_UnwindNestedFrames.LIBCMT ref: 00F63B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F63B7C
CallCatchBlock.LIBVCRUNTIME ref: 00F63BA4

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d014ef5fffb95e99a1d5588d228506e7e46806061907e2a4f472a161a901ff4e
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: C401E932500149BBDF126E95CC46EEB7B69EF99764F044014FE4896121C736E961FBA0

Function 00F73073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F413C6,00000000,00000000,?,00F7301A,00F413C6,00000000,00000000,00000000,?,00F7328B,00000006,FlsSetValue), ref: 00F730A5
GetLastError.KERNEL32(?,00F7301A,00F413C6,00000000,00000000,00000000,?,00F7328B,00000006,FlsSetValue,00FE2290,FlsSetValue,00000000,00000364,?,00F72E46), ref: 00F730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F7301A,00F413C6,00000000,00000000,00000000,?,00F7328B,00000006,FlsSetValue,00FE2290,FlsSetValue,00000000), ref: 00F730BF

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b2e8c2744e116047ba2b73965a6040a9e8b1a46fe890f2754b4a83c400ca61ff
Instruction ID: 0c4ed3b621cd8eaf6521bfa76ecfff03bf1f15ab2585501bbf74ae4c2c2ef3d6
Opcode Fuzzy Hash: b2e8c2744e116047ba2b73965a6040a9e8b1a46fe890f2754b4a83c400ca61ff
Instruction Fuzzy Hash: 1F012B32752237BBCB314B799C44A577B99AF05B75B208722F90DE7180D721D901F6E1

Function 00FA7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00FA747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FA7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FA74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FA74CA

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2b7ede768c0c574104c9cecb7221230c87a0a945add10f641f4277ddf6351352
Instruction ID: 518067caab4f43f6e9b181224ed1a54689ce0db79be864f4e75a808014b085fa
Opcode Fuzzy Hash: 2b7ede768c0c574104c9cecb7221230c87a0a945add10f641f4277ddf6351352
Instruction Fuzzy Hash: 7F1161F520A315DFE720EF24DD09F927BFCEB05B04F10856AAA56D6191D770E904EBA0

Function 00FAB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FAACD3,?,00008000), ref: 00FAB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FAACD3,?,00008000), ref: 00FAB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FAACD3,?,00008000), ref: 00FAB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FAACD3,?,00008000), ref: 00FAB126

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 784b9cdb666ca9c1be629a178a59e6262f05a0c66624a023fc677edc46f8eed6
Instruction ID: 2420747e6e2f042dc4e82dc0a6e547a18a25aab2d2ea2c18da03479c1f1e3d19
Opcode Fuzzy Hash: 784b9cdb666ca9c1be629a178a59e6262f05a0c66624a023fc677edc46f8eed6
Instruction Fuzzy Hash: 5B115B71C0152DE7CF00AFE5E9586EEBF78FF0A711F108096D941B2182CB305650EB91

Function 00FA2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FA2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA2DD6
GetCurrentThreadId.KERNEL32 ref: 00FA2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FA2DE4

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: aa53bc6a0c54aa7c36024e0886a9e6b03f671df624d821b485f85c22fcb8f337
Instruction ID: 554677d33bef9acd5fb445cfd6919ecf5dc549f4088b96b842475b6a01a585c2
Opcode Fuzzy Hash: aa53bc6a0c54aa7c36024e0886a9e6b03f671df624d821b485f85c22fcb8f337
Instruction Fuzzy Hash: 76E06DB26022297ADB201B779C0DFEB3F6DEF43BA1F000016B509D10819AA4C840E6F0

Function 00FD8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F59639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F59693
Part of subcall function 00F59639: SelectObject.GDI32(?,00000000), ref: 00F596A2
Part of subcall function 00F59639: BeginPath.GDI32(?), ref: 00F596B9
Part of subcall function 00F59639: SelectObject.GDI32(?,00000000), ref: 00F596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FD8887
LineTo.GDI32(?,?,?), ref: 00FD8894
EndPath.GDI32(?), ref: 00FD88A4
StrokePath.GDI32(?), ref: 00FD88B2

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e705bcc34697778792c5f5e917170c148fac1b5f27908201e50282dcc4c8cae1
Instruction ID: 2d0daca3b0d857225bd9d666d4816ba819d7b318afef7c315d28bbedbbee5cd1
Opcode Fuzzy Hash: e705bcc34697778792c5f5e917170c148fac1b5f27908201e50282dcc4c8cae1
Instruction Fuzzy Hash: F9F03A36046259FADB125FA4AC0DFCE3B5AAF06311F048002FB11A51E1C7BA5511EBE5

Function 00F598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F598CC
SetTextColor.GDI32(?,?), ref: 00F598D6
SetBkMode.GDI32(?,00000001), ref: 00F598E9
GetStockObject.GDI32(00000005), ref: 00F598F1

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f520ed3297fe70097f9e091b5c2f7aee33b965c61431270d31814b4d2f08025e
Instruction ID: 52e3b317d40af3a297694235ee8c7ca6aae593c6e4a0e3498a7d0be693acd6b1
Opcode Fuzzy Hash: f520ed3297fe70097f9e091b5c2f7aee33b965c61431270d31814b4d2f08025e
Instruction Fuzzy Hash: B2E06532645395AAEF215B74BC09BD83F11AB11736F08821AF6F5540E1C3714640EB10

Function 00FA162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FA1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FA11D9), ref: 00FA163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FA11D9), ref: 00FA1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FA11D9), ref: 00FA164F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 59b41143f236e93c6fa6b54494f86106faeb434a5525df2633535b851b3f81dc
Instruction ID: 2fb1ae6736fe54361a3f60c57abe01d3d273836a48178a033dfcc75759fbda48
Opcode Fuzzy Hash: 59b41143f236e93c6fa6b54494f86106faeb434a5525df2633535b851b3f81dc
Instruction Fuzzy Hash: 60E08671A03216DBD7202FF09E0DB463B7DBF457A2F154809F245C9080D6344440E790

Function 00F9D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F9D858
GetDC.USER32(00000000), ref: 00F9D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F9D882
ReleaseDC.USER32(?), ref: 00F9D8A3

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 24d8339d4c388b3c375de99e5963c875ee0929fc348bef045ce66aa6514261c8
Instruction ID: a4163ecf06345ebdb0d5d7cba521854b528d2c0587361f5aada2b23f749cdbe3
Opcode Fuzzy Hash: 24d8339d4c388b3c375de99e5963c875ee0929fc348bef045ce66aa6514261c8
Instruction Fuzzy Hash: 35E01AB180220ADFCF41AFB0D80C66DBBB6FB08311F24800AE80AE7250C7388905FF90

Function 00F9D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F9D86C
GetDC.USER32(00000000), ref: 00F9D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F9D882
ReleaseDC.USER32(?), ref: 00F9D8A3

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a7930260c5db0ea359d55ab11376c8c0ae5a6cae586ed1a5594b23ad82078e56
Instruction ID: 210ba5cd1230dceab46044e11cccb2675adbfb1c5a3fdc6aabc31500971eccc5
Opcode Fuzzy Hash: a7930260c5db0ea359d55ab11376c8c0ae5a6cae586ed1a5594b23ad82078e56
Instruction Fuzzy Hash: 9EE09A75802209DFCB51AFB0D80C66DBBB6FB08311B14944AE94AE7254C7399905FF90

Function 00FB4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47620: _wcslen.LIBCMT ref: 00F47625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FB4ED4

Strings

*, xrefs: 00FB4E10
LPT, xrefs: 00FB4DFB

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 8c3b98b4ee1fd4cb74e61bd5151e7265336b66987453b1a8907272639adf4809
Instruction ID: 8c0fe2f76ff9b6c02aac727f085f2913fcbdd448aa18211c24c0dff7df8f7925
Opcode Fuzzy Hash: 8c3b98b4ee1fd4cb74e61bd5151e7265336b66987453b1a8907272639adf4809
Instruction Fuzzy Hash: D3914B75A002149FCB14DF59C984EAABBF1AF48314F198099E80A9F3A2C735ED85DF91

Function 00F6E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F6E30D

Strings

pow, xrefs: 00F6E2E5, 00F6E302

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: d28bcab09331b24efd3eb1db761a769766b9d4b2c0b2185fc4dc6cb3ce18b313
Instruction ID: 20c9d4b9e8e64b59101d28ef0e7a68ea34ecff6dfbf987c43918806a1ca08609
Opcode Fuzzy Hash: d28bcab09331b24efd3eb1db761a769766b9d4b2c0b2185fc4dc6cb3ce18b313
Instruction Fuzzy Hash: E7515E67E1C30196CB157714CD4237A3B99AB40760F30C96AE0D9873E9EF354C95BA87

Function 00FC7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00F9569E,00000000,?,00FDCC08,?,00000000,00000000), ref: 00FC78DD

Part of subcall function 00F46B57: _wcslen.LIBCMT ref: 00F46B6A

CharUpperBuffW.USER32(00F9569E,00000000,?,00FDCC08,00000000,?,00000000,00000000), ref: 00FC783B

Strings

<s, xrefs: 00FC77C8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s
API String ID: 3544283678-4213590918
Opcode ID: 77388abe75ac3fc4726edd2018a4597823494671eb46c9a82b15d1ec00be18e3
Instruction ID: 96a5229eadfff3f18581976384787301201a173096072d1e63aebf4108de93f6
Opcode Fuzzy Hash: 77388abe75ac3fc4726edd2018a4597823494671eb46c9a82b15d1ec00be18e3
Instruction Fuzzy Hash: 5261317291421AAACF04FFA4CD92EFDB774BF14300B545129E942B7191EB386A05EBA1

Function 00F5E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F5E1B1

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6efae8885e766e3c47cc49810651e510dfdcf5fd24a3a359b4458b446c0c1601
Instruction ID: f6c279d41cb35a52c52a885ed9028c2bb1e17e8121d0e56815fd9bbf0292b2c3
Opcode Fuzzy Hash: 6efae8885e766e3c47cc49810651e510dfdcf5fd24a3a359b4458b446c0c1601
Instruction Fuzzy Hash: CB513535D04346DFEF19DFA8C4816FA7BA8EF16320F244055ED619B2C0D6349E46EBA2

Function 00F5F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F5F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F5F2BB

Strings

@, xrefs: 00F5F2AF

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c67dcbeef0f789ad0ba845c4d45917a09ebe2226575768d3e68c403773878766
Instruction ID: d36f6a8659e82a4a379c35074c25bd9e4f602b61683757f4307f04a59384748b
Opcode Fuzzy Hash: c67dcbeef0f789ad0ba845c4d45917a09ebe2226575768d3e68c403773878766
Instruction Fuzzy Hash: 615166714097489BD320AF54DC86BABBBF8FF84310F81884DF5D941195EB358528DB67

Function 00FC5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00FC57E0
_wcslen.LIBCMT ref: 00FC57EC

Strings

CALLARGARRAY, xrefs: 00FC57E6, 00FC57EB

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 8dd4b0ab9ae6762aef8364b2ebdf62253fc26f84e061861bf6d9e818a572f665
Instruction ID: 3fca790127421973587c2d933986b46cb07efd6187136ebd734311f5a326bc3a
Opcode Fuzzy Hash: 8dd4b0ab9ae6762aef8364b2ebdf62253fc26f84e061861bf6d9e818a572f665
Instruction Fuzzy Hash: 3241A371E0010A9FCB14DFA8C982EBEBBB5EF59760F14405DF505A7291D734AD81EBA0

Function 00FBD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FBD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FBD13A

Strings

|, xrefs: 00FBD10B

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6c624d0f020d877ca9e8a3c5e0c5959bc0bc3e0d48022e9265991feb7770f459
Instruction ID: 7844fed17e9c79ee1b82ca2eab6b1403bdad48b49896b38e814b4775b78546b8
Opcode Fuzzy Hash: 6c624d0f020d877ca9e8a3c5e0c5959bc0bc3e0d48022e9265991feb7770f459
Instruction Fuzzy Hash: 30315C71D00209ABDF15EFA5CC85AEEBFB9FF05310F000019F815A6162EB35AA06EF65

Function 00FD356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00FD3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FD365C

Strings

static, xrefs: 00FD35BC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d1ca289f7715d3d39137dcea50ff204b9e576b04e9d58d1110216300194c55db
Instruction ID: cfe5a7b52abd5f6bb5b3e7ebdc5b3d8b5d58e3dc1700f17b02b9161fc681e2d5
Opcode Fuzzy Hash: d1ca289f7715d3d39137dcea50ff204b9e576b04e9d58d1110216300194c55db
Instruction Fuzzy Hash: 0D318D71510604AEDB109F38DC81FFB73AAFF88760F04961AF9A597280DA35ED81E761

Function 00FD4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00FD461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FD4634

Strings

', xrefs: 00FD458E

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ffdc0e40038bdc682c8815f290e7f67eb2c2481a19bd011eda7390d91bfc6632
Instruction ID: 67e698e758890f890fba7e31aae9aa833399596a985d57542cc404d8803fd1b1
Opcode Fuzzy Hash: ffdc0e40038bdc682c8815f290e7f67eb2c2481a19bd011eda7390d91bfc6632
Instruction Fuzzy Hash: 50314974A0020A9FDF14CF69D980BDABBB6FF09300F18406AE905AB381D730E901DF90

Function 00FD31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FD327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD3287

Strings

Combobox, xrefs: 00FD3249

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: c090b47fcb8dd6cf9325ea9c30874194ee86a4e03fd82f9a99d6981cfaf21fd3
Instruction ID: dc8525519bc31dcfdcb216709ffa181f2b8d2b6d7bc0d07a68243f73b9aa98d3
Opcode Fuzzy Hash: c090b47fcb8dd6cf9325ea9c30874194ee86a4e03fd82f9a99d6981cfaf21fd3
Instruction Fuzzy Hash: 7711E272B002087FFF219F54DC80EBB3B6BEB983A5F14412AFA1897390D6359D51A760

Function 00FD3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F4600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F4604C
Part of subcall function 00F4600E: GetStockObject.GDI32(00000011), ref: 00F46060
Part of subcall function 00F4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F4606A

GetWindowRect.USER32(00000000,?), ref: 00FD377A
GetSysColor.USER32(00000012), ref: 00FD3794

Strings

static, xrefs: 00FD3757

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 73e4a22ffaa92d1176df983dc5cfaa246755bdd816483c9d1ee1461ea165dde6
Instruction ID: 48f4113ad9ebff633ec2720c3d03e955949e9c0acd7872a4dfac6d9d20d2d231
Opcode Fuzzy Hash: 73e4a22ffaa92d1176df983dc5cfaa246755bdd816483c9d1ee1461ea165dde6
Instruction Fuzzy Hash: 661129B261060AAFDF00DFB8CC46AEA7BB9EB08354F044516FE55E2250D735E851EB61

Function 00FBCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FBCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FBCDA6

Strings

<local>, xrefs: 00FBCD66

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a7468711d98d928b33e0ee459af8595e21f00b5fac97d94e8abee5b419e6ee2b
Instruction ID: f0e9d710e17a0b26d306bc66b64ad98a2a3abc49da39f77ab9115ff64c95a71c
Opcode Fuzzy Hash: a7468711d98d928b33e0ee459af8595e21f00b5fac97d94e8abee5b419e6ee2b
Instruction Fuzzy Hash: 6A1106766016367AD7344B678C44FE7BE6DEF167B4F40422AB16983080D7709840EAF0

Function 00FD3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00FD34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FD34BA

Strings

edit, xrefs: 00FD348F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9eb2547906e39445bbb84b1a7d1b3ff1c0276a2430fa5086b7b5fe6bf77ce575
Instruction ID: 07000f095f3f13c896c4f9655ed4100bb46ad2a00beb57e6f76ea9895ca8bcc4
Opcode Fuzzy Hash: 9eb2547906e39445bbb84b1a7d1b3ff1c0276a2430fa5086b7b5fe6bf77ce575
Instruction Fuzzy Hash: C511BF71500108AFEB118E64EC40AEB3B6BEB06374F544326FA60932D4C779DC51A752

Function 00FA6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

CharUpperBuffW.USER32(?,?,?), ref: 00FA6CB6
_wcslen.LIBCMT ref: 00FA6CC2

Strings

STOP, xrefs: 00FA6CBC, 00FA6CC1

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: cc202633acb14ff4d08e817a975b7b32080a39d4b15144e781eb1f2fdaf10369
Instruction ID: 983bc9fae856d0a0f79cbfb9d5e09e2746932594367d8db9012ca773b80554e7
Opcode Fuzzy Hash: cc202633acb14ff4d08e817a975b7b32080a39d4b15144e781eb1f2fdaf10369
Instruction Fuzzy Hash: 43012272A0452B8BCB20AFBDDC809BF37B5EF62770B090528E962D3195EB35D900E650

Function 00FA1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FA1D4C

Strings

ListBox, xrefs: 00FA1D16
ComboBox, xrefs: 00FA1CEB

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 617fca191d7dd11a69a110c2557a5fea1264c430d370e83afa0486ac498693df
Instruction ID: cc9a2320bda846a6d493d5529d595992b96e1e4f50129c63a3b67db230c2b1ad
Opcode Fuzzy Hash: 617fca191d7dd11a69a110c2557a5fea1264c430d370e83afa0486ac498693df
Instruction Fuzzy Hash: 8E0128B5B11229ABCB04EBA4CC51DFF77A8FF03360F000609F872572C1EA745908AA60

Function 00FA1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FA1C46

Strings

ListBox, xrefs: 00FA1C10
ComboBox, xrefs: 00FA1BE5

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 09506c317ebbad6138e42e08b54ad345b2874dc64f5072b15ba7923d7501ce4a
Instruction ID: 88ab8276f092aec8d371cfa0c5352bb8dfd31f811e9b8396271edcce3b779856
Opcode Fuzzy Hash: 09506c317ebbad6138e42e08b54ad345b2874dc64f5072b15ba7923d7501ce4a
Instruction Fuzzy Hash: 5C01A7B5BC111966DB04EBA0DD51EFF77ACAF12360F140019B906672C2EA649E08E6B1

Function 00FA1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FA1CC8

Strings

ListBox, xrefs: 00FA1C94
ComboBox, xrefs: 00FA1C69

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 52a05a1cc86b03f60d96108e0523d00414f24dd1e240464c2ae51b835d8d5b46
Instruction ID: 7f26de14975ad76f7cb391e1f104bad50552ab36879eab2db5934e8ba299df99
Opcode Fuzzy Hash: 52a05a1cc86b03f60d96108e0523d00414f24dd1e240464c2ae51b835d8d5b46
Instruction Fuzzy Hash: A701DBF5B8111967DF04E7A4DE41AFF77E8AB12350F540015BC0177281EA649F08E6B1

Function 00FA1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49CB3: _wcslen.LIBCMT ref: 00F49CBD

Part of subcall function 00FA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00FA1DD3

Strings

ListBox, xrefs: 00FA1DA0
ComboBox, xrefs: 00FA1D75

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f6e5098ee53fa133dc067f4dfaebed667e363460f7e763cb6a38e0742d75a920
Instruction ID: 8a717fe9351c1af4afed735af008173e90f9f68a30bfe0655969acf207fc17bd
Opcode Fuzzy Hash: f6e5098ee53fa133dc067f4dfaebed667e363460f7e763cb6a38e0742d75a920
Instruction Fuzzy Hash: 3CF02DB1F5122966D704F7A4DC51FFF77B8BB03350F040919B822672C1DA645908A6A0

Function 00FC747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FC7493
_wcslen.LIBCMT ref: 00FC74B9

Strings

3, 3, 16, 1, xrefs: 00FC7483

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a36e930afb44a3518ccc8af864ff0eb7e0e3b78f3381e04ce3bf4273ab61d3ec
Instruction ID: 4139662d3c10d582cd10358620ed8d6820aec23864311858b6ddddd679364ffa
Opcode Fuzzy Hash: a36e930afb44a3518ccc8af864ff0eb7e0e3b78f3381e04ce3bf4273ab61d3ec
Instruction Fuzzy Hash: 9CE02B0264472150A235327A9DC3F7F668ADFC5760710182FF981C2266EA989D91B3A0

Function 00FA0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FA0B23

Strings

Error allocating memory., xrefs: 00FA0B1C
AutoIt, xrefs: 00FA0B17

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 44752049b8de40bf37123a9eea489e0c8062a8085311eefa62141a1be1cddff9
Instruction ID: dc859632ecd3e1546785410070eeda7d911d82f87584a590524abb3a66d73a3d
Opcode Fuzzy Hash: 44752049b8de40bf37123a9eea489e0c8062a8085311eefa62141a1be1cddff9
Instruction Fuzzy Hash: F7E0D83124430926D2143754BC03F897B958F06B61F10046BFB98955C38ED66454B6EA

Function 00F60D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F5F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F60D71,?,?,?,00F4100A), ref: 00F5F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00F4100A), ref: 00F60D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F4100A), ref: 00F60D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F60D7F

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ac3529a3d0686d770be90c81d12c04f095082f11fd8bfde80f0f362f9b77950e
Instruction ID: 797f72d78692eba4c7fcd944ff673ef840dcc576e3c4bba87ec3f66abf5200ab
Opcode Fuzzy Hash: ac3529a3d0686d770be90c81d12c04f095082f11fd8bfde80f0f362f9b77950e
Instruction Fuzzy Hash: CBE06D702003018BD3309FB8E8047427BE5AB04746F048A2EE882C6756DFB9E448EB91

Function 00F9D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F9D220

Strings

%.3d, xrefs: 00F9D22B
X64, xrefs: 00F9D2A8

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: dfb9e0e09aec5f9e2aa4a38fcc5a8b4cb2710fc71dd152aa5e3a41254ca40768
Instruction ID: 39217a97fbfb504fbad1abeb6071fc9cecca4aadfc1a16f3cc6ef68f52376d41
Opcode Fuzzy Hash: dfb9e0e09aec5f9e2aa4a38fcc5a8b4cb2710fc71dd152aa5e3a41254ca40768
Instruction Fuzzy Hash: 96D01262805109E9EF9097E0CC45AB9B37CAB58302F708452FE46D1040D628D50CB761

Function 00FD2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD236C
PostMessageW.USER32(00000000), ref: 00FD2373

Part of subcall function 00FAE97B: Sleep.KERNEL32 ref: 00FAE9F3

Strings

Shell_TrayWnd, xrefs: 00FD2365

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c0c5ea0ab3711434364ac77209f02926ab26f589d25aa6ad3ae80743841ac0fb
Instruction ID: 84a2c71c895f61b7551ff2ca5d040f30c702a5b6dc4c17d44246cebd3a19697f
Opcode Fuzzy Hash: c0c5ea0ab3711434364ac77209f02926ab26f589d25aa6ad3ae80743841ac0fb
Instruction Fuzzy Hash: 57D0A9323823107AEA64A330AC0FFC6761AAB04B00F0009067249AA1D0C9A0A800DA84

Function 00FD2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FD233F

Part of subcall function 00FAE97B: Sleep.KERNEL32 ref: 00FAE9F3

Strings

Shell_TrayWnd, xrefs: 00FD2325

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 375b38f779c1b4ab15819f9160a34b267b719f0294d13d34b5233b480af75a60
Instruction ID: fd9e402f0985b9e8a193fab477fec8fd305b7d7b2d166c1b540e9fa573e4fffd
Opcode Fuzzy Hash: 375b38f779c1b4ab15819f9160a34b267b719f0294d13d34b5233b480af75a60
Instruction Fuzzy Hash: AAD02232381310B7EA64B330EC0FFC77B1AAB00B00F0009077349AA1D0C9F0A800DA80

Function 00F7BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F7BE93
GetLastError.KERNEL32 ref: 00F7BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F7BEFC

Memory Dump Source

Source File: 00000000.00000002.1648781471.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1648742357.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648907655.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649061428.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649104108.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_eFatura_HSY2024000004086_Ekleri.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 53624437620965050912355c715a139342a3f17ff5afa2e5b0d0265afe989967
Instruction ID: da1d9c4d5d6e29afcda7e028196763bd3f064e28420e45f65e2b2d48ec2503bd
Opcode Fuzzy Hash: 53624437620965050912355c715a139342a3f17ff5afa2e5b0d0265afe989967
Instruction Fuzzy Hash: F541E835A05216AFCF218FA4CC54BEA7BA59F43720F14816BF95D972A1DB308C00EB62

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eFatura_HSY2024000004086_Ekleri.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut91A7.tmp

C:\Users\user\AppData\Local\Temp\aut91F6.tmp

C:\Users\user\AppData\Local\Temp\aut96D7.tmp

C:\Users\user\AppData\Local\Temp\aut9801.tmp

C:\Users\user\AppData\Local\Temp\autCCAC.tmp

C:\Users\user\AppData\Local\Temp\autCD3A.tmp

C:\Users\user\AppData\Local\Temp\fricandeaux

C:\Users\user\AppData\Local\Temp\nonsubmerged

C:\Users\user\AppData\Local\directory\temp.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs

Static File Info

General

Windows Analysis Report
eFatura_HSY2024000004086_Ekleri.exe

Function 00F442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00F442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00F82BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00F42CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00F8065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00F4344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00F42B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00F43170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00F78D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 015D0920 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre